fix: return empty string if dereferncing pom var fails (#2797)

Previously, Syft would attempt to dereference pom variables, but if it
detected a cycle or failed to get back to a non-variable value, it would
return the last variable. Instead, return an empty string. Otherwise,
certain jars will have versions like "${project.version}" in the SBOM,
which is not helpful.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
This commit is contained in:
William Murphy 2024-04-19 15:38:36 -04:00 committed by GitHub
parent f2633800ce
commit 6440f26b5a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 16 additions and 9 deletions


@ -236,7 +236,11 @@ func resolveProperty(pom gopom.Project, property *string, propertyName string) s
seenBeforePropertyNames := map[string]struct{}{
propertyName: {},
}
return recursiveResolveProperty(pom, propertyCase, seenBeforePropertyNames)
result := recursiveResolveProperty(pom, propertyCase, seenBeforePropertyNames)
if propertyMatcher.MatchString(result) {
return "" // dereferencing variable failed; fall back to empty string
}
return result
}
//nolint:gocognit
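Review bot: The new check `if propertyMatcher.MatchString(result)` discards the whole result whenever the pattern matches anywhere in it, so a value that was only partially resolved (literal text with one `${...}` left over) now comes back as an empty string rather than as the partial text; if that is intended, the comment should say so, e.g. `// any unresolved ${...} left in the result means dereferencing failed; report the value as unknown ("")`. propertyMatcher is defined outside the hunk, so whether it is anchored or substring-matching cannot be confirmed from here. An empty version in an SBOM silently removes the ability to match that package against vulnerability data, so a debug-level log naming the property that could not be resolved (if the file's logger is in scope) before the `return ""` would make the gap diagnosable. The doc comment on resolveProperty sits above the hunk and should state the new contract: an empty string is returned when the property is undefined, reaches a nil field, or forms a cycle. resolveProperty's signature and the start of its body are outside the hunk.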


@ -502,7 +502,7 @@ func Test_resolveProperty(t *testing.T) {
pom: gopom.Project{
Parent: nil,
},
expected: "${project.parent.groupId}",
expected: "",
},
{
name: "nil string pointer halts search",
@ -512,7 +512,7 @@ func Test_resolveProperty(t *testing.T) {
GroupID: nil,
},
},
expected: "${project.parent.groupId}",
expected: "",
},
{
name: "double dereference",
@ -537,7 +537,7 @@ func Test_resolveProperty(t *testing.T) {
Version: stringPointer("1.2.3"),
},
},
expected: "${springboot.version}",
expected: "",
},
{
name: "resolution halts even if it resolves to a variable",
@ -552,7 +552,7 @@ func Test_resolveProperty(t *testing.T) {
},
},
},
expected: "${undefined.version}",
expected: "",
},
{
name: "resolution halts even if cyclic",
@ -564,7 +564,7 @@ func Test_resolveProperty(t *testing.T) {
},
},
},
expected: "${springboot.version}",
expected: "",
},
{
name: "resolution halts even if cyclic more steps",
@ -578,21 +578,24 @@ func Test_resolveProperty(t *testing.T) {
},
},
},
expected: "${cyclic.version}",
expected: "",
},
{
name: "resolution halts even if cyclic involving parent",
property: "${cyclic.version}",
pom: gopom.Project{
Parent: &gopom.Parent{
Version: stringPointer("${cyclic.version}"),
},
Properties: &gopom.Properties{
Entries: map[string]string{
"other.version": "${cyclic.version}",
"other.version": "${parent.version}",
"springboot.version": "${other.version}",
"cyclic.version": "${springboot.version}",
},
},
},
expected: "${cyclic.version}",
expected: "",
},
}
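Review bot: Every expected value in these cases becomes `""`, so the table no longer distinguishes a property that legitimately resolves to an empty string from one whose dereferencing failed; a case with an entry such as `"empty.version": ""` expecting `""` next to the failure cases would document that callers cannot tell the two apart. None of the cases exercises a value that mixes literal text with an unresolved reference (for example `"1.0-${build.number}"`), which is where the new matcher-based fallback decides between returning partial text and returning nothing; adding one would pin that behaviour. The new "resolution halts even if cyclic involving parent" case correctly routes the cycle through `Parent.Version` via `parent.version`, but a one-line comment above it saying that the cycle re-enters the properties map through the parent would make the intent clearer than the name alone. Test_resolveProperty starts above the first hunk and its body continues below the last line shown.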