fix(java): correctly overwrite version from depManagement if dependency uses project.* props (#8050)

DmitriyLewen · web-flow · commit 9d9f80d9791f · 2024-12-05T07:57:31.000Z
diff --git a/pkg/dependency/parser/java/pom/parse_test.go b/pkg/dependency/parser/java/pom/parse_test.go
@@ -1470,6 +1470,52 @@ func TestPom_Parse(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:      "overwrite artifact version from dependencyManagement in the root POM when dependency uses `project.*` props",
+			inputFile: filepath.Join("testdata", "root-pom-dep-management-for-deps-with-project-props", "pom.xml"),
+			local:     true,
+			want: []ftypes.Package{
+				{
+					ID:           "com.example:root-pom-dep-management-for-deps-with-project-props:1.0.0",
+					Name:         "com.example:root-pom-dep-management-for-deps-with-project-props",
+					Version:      "1.0.0",
+					Relationship: ftypes.RelationshipRoot,
+				},
+				{
+					ID:           "org.example:example-dependency:1.7.30",
+					Name:         "org.example:example-dependency",
+					Version:      "1.7.30",
+					Relationship: ftypes.RelationshipDirect,
+					Locations: ftypes.Locations{
+						{
+							StartLine: 21,
+							EndLine:   25,
+						},
+					},
+				},
+				{
+					ID:           "org.example:example-api:2.0.0",
+					Name:         "org.example:example-api",
+					Version:      "2.0.0",
+					Licenses:     []string{"The Apache Software License, Version 2.0"},
+					Relationship: ftypes.RelationshipIndirect,
+				},
+			},
+			wantDeps: []ftypes.Dependency{
+				{
+					ID: "com.example:root-pom-dep-management-for-deps-with-project-props:1.0.0",
+					DependsOn: []string{
+						"org.example:example-dependency:1.7.30",
+					},
+				},
+				{
+					ID: "org.example:example-dependency:1.7.30",
+					DependsOn: []string{
+						"org.example:example-api:2.0.0",
+					},
+				},
+			},
+		},
 		{
 			name:      "transitive dependencyManagement should not be inherited",
 			inputFile: filepath.Join("testdata", "transitive-dependency-management", "pom.xml"),
diff --git a/pkg/dependency/parser/java/pom/pom.go b/pkg/dependency/parser/java/pom/pom.go
@@ -245,7 +245,7 @@ func (d pomDependency) Resolve(props map[string]string, depManagement, rootDepMa
 
 	// If this dependency is managed in the root POM,
 	// we need to overwrite fields according to the managed dependency.
-	if managed, found := findDep(d.Name(), rootDepManagement); found { // dependencyManagement from the root POM
+	if managed, found := findDep(dep.Name(), rootDepManagement); found { // dependencyManagement from the root POM
 		if managed.Version != "" {
 			dep.Version = evaluateVariable(managed.Version, props, nil)
 		}
@@ -264,7 +264,7 @@ func (d pomDependency) Resolve(props map[string]string, depManagement, rootDepMa
 	}
 
 	// Inherit version, scope and optional from dependencyManagement if empty
-	if managed, found := findDep(d.Name(), depManagement); found { // dependencyManagement from parent
+	if managed, found := findDep(dep.Name(), depManagement); found { // dependencyManagement from parent
 		if dep.Version == "" {
 			dep.Version = evaluateVariable(managed.Version, props, nil)
 		}
diff --git a/pkg/dependency/parser/java/pom/testdata/repository/org/example/example-dependency/1.7.30/example-dependency-1.7.30.pom b/pkg/dependency/parser/java/pom/testdata/repository/org/example/example-dependency/1.7.30/example-dependency-1.7.30.pom
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>org.example</groupId>
+    <artifactId>example-dependency</artifactId>
+    <version>1.7.30</version>
+
+    <dependencies>
+        <dependency>
+          <groupId>${project.groupId}</groupId>
+          <artifactId>example-api</artifactId>
+          <version>${project.version}</version>
+        </dependency>
+    </dependencies>
+
+</project>
diff --git a/pkg/dependency/parser/java/pom/testdata/root-pom-dep-management-for-deps-with-project-props/pom.xml b/pkg/dependency/parser/java/pom/testdata/root-pom-dep-management-for-deps-with-project-props/pom.xml
@@ -0,0 +1,28 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.example</groupId>
+    <artifactId>root-pom-dep-management-for-deps-with-project-props</artifactId>
+    <version>1.0.0</version>
+    <packaging>pom</packaging>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.example</groupId>
+                <artifactId>example-api</artifactId>
+                <version>2.0.0</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.example</groupId>
+            <artifactId>example-dependency</artifactId>
+            <version>1.7.30</version>
+        </dependency>
+    </dependencies>
+
+</project>

Original file line number	Diff line number	Diff line change
`@@ -245,7 +245,7 @@ func (d pomDependency) Resolve(props map[string]string, depManagement, rootDepMa`
`245`	`245`
`246`	`246`	`// If this dependency is managed in the root POM,`
`247`	`247`	`// we need to overwrite fields according to the managed dependency.`
`248`		`- if managed, found := findDep(d.Name(), rootDepManagement); found { // dependencyManagement from the root POM`
	`248`	`+ if managed, found := findDep(dep.Name(), rootDepManagement); found { // dependencyManagement from the root POM`
`249`	`249`	`if managed.Version != "" {`
`250`	`250`	`dep.Version = evaluateVariable(managed.Version, props, nil)`
`251`	`251`	`}`
`@@ -264,7 +264,7 @@ func (d pomDependency) Resolve(props map[string]string, depManagement, rootDepMa`
`264`	`264`	`}`
`265`	`265`
`266`	`266`	`// Inherit version, scope and optional from dependencyManagement if empty`
`267`		`- if managed, found := findDep(d.Name(), depManagement); found { // dependencyManagement from parent`
	`267`	`+ if managed, found := findDep(dep.Name(), depManagement); found { // dependencyManagement from parent`
`268`	`268`	`if dep.Version == "" {`
`269`	`269`	`dep.Version = evaluateVariable(managed.Version, props, nil)`
`270`	`270`	`}`