Description
What happened:
When running syft on a Java project, some variables are returned as package versions without being evaluated.
✔ Indexed file system .
✔ Cataloged contents cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
├── ✔ Packages [17 packages]
└── ✔ Executables [0 executables]
[0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME VERSION TYPE
caffeine ${caffeine.version} java-archive
easy-random-core-jdk11 6.1.2 java-archive
easy-random-randomizers-jdk11 6.1.2 java-archive
kotlin-test-junit5 1.9.20 java-archive
mng-authentication-interceptor 1.0.2 java-archive
mng-spring-boot-starter-error-log 0.0.1 java-archive
mockk-jvm 1.13.8 java-archive
spring-boot-starter-actuator ${project.parent.version} java-archive
spring-boot-starter-cache 3.2.4 java-archive
spring-boot-starter-data-mongodb ${project.parent.version} java-archive
spring-boot-starter-security ${project.parent.version} java-archive
spring-boot-starter-test ${project.parent.version} java-archive
spring-boot-starter-validation ${project.parent.version} java-archive
spring-boot-starter-web ${project.parent.version} java-archive
spring-cloud-starter-openfeign 4.1.0 java-archive
springdoc-openapi-starter-webmvc-ui 2.3.0 java-archive
springmockk 3.1.1 java-archive
What you expected to happen:
All dependency versions should be resolved
Steps to reproduce the issue:
git clone https://github.com/willyw0nka/spring-boot-empty-project.git
syft spring-boot-empty-project
Anything else we need to know?:
The unresolved versions needed to be evaluated twice, but syft only evaluated them once. For example, in the project I tested the org.springframework.boot version is ${springboot.version} which resolves to ${project.parent.version} which then resolves to 3.2.4. Syft only evaluated the version once so the result is ${project.parent.version}.
This is the code responsible for resolving the package version. Checking if version contains $ to call this recursively would solve the issue.
syft/syft/pkg/cataloger/java/parse_pom_xml.go
Line 113 in 21eaa5c
version := resolveProperty(pom, dep.Version, "version")
Environment:
- Output of syft version:
Application: syft
Version: 1.1.1
BuildDate: 2024-04-04T14:52:45Z
GitCommit: 1e31356c49bf2c30fd80c833482e1fbe4133ff83
GitDescription: v1.1.1
Platform: linux/amd64
GoVersion: go1.21.8
Compiler: gc
- OS (e.g: cat /etc/os-release or similar):
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.19.1
PRETTY_NAME="Alpine Linux v3.19"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
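The chain described in the report (${springboot.version} to ${project.parent.version} to 3.2.4) needs more than one substitution pass. The following is an added example, not syft's code and not the reporter's: it uses a constructed, minimal `pom` type with an assumed `lookup` for the implicit project.* names, contrasts a single-pass `resolveOnce` with a `resolve` that re-substitutes until the value is stable, and bounds the loop with an assumed `maxDepth` so a self-referential POM cannot recurse forever. The property values in `samplePom` are constructed for the example and only mirror the shape of the reported project.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// pom is a constructed stand-in for a parsed POM (not syft's real type): only
// the fields that property resolution needs.
type pom struct {
	Version       string            // <version> of this module, empty if inherited
	ParentVersion string            // <parent><version>
	Properties    map[string]string // <properties> block
}

var propertyRef = regexp.MustCompile(`\$\{([^}]+)\}`)

// lookup returns the raw (possibly still templated) value for one property
// name, checking the implicit project.* names before the <properties> block.
// The set of implicit names handled here is an assumption for the example.
func (p pom) lookup(name string) (string, bool) {
	switch name {
	case "project.version", "pom.version", "version":
		if p.Version != "" {
			return p.Version, true
		}
		return p.ParentVersion, p.ParentVersion != ""
	case "project.parent.version", "parent.version":
		return p.ParentVersion, p.ParentVersion != ""
	}
	v, ok := p.Properties[name]
	return v, ok
}

// resolveOnce performs exactly one pass, which models the behaviour the report
// describes: every ${name} whose value is known is replaced by that raw value,
// so ${springboot.version} becomes ${project.parent.version} and stops there.
// Unknown names are left verbatim so the caller can see they did not resolve.
func resolveOnce(p pom, value string) string {
	return propertyRef.ReplaceAllStringFunc(value, func(m string) string {
		if v, ok := p.lookup(m[2 : len(m)-1]); ok {
			return v
		}
		return m
	})
}

// maxDepth (assumed for this example) bounds the chain length so a
// self-referential POM (a -> b -> a) cannot loop forever.
const maxDepth = 16

// resolve re-substitutes until no ${...} remains, the value stops changing
// (only unknown names are left), or maxDepth passes have been made.
func resolve(p pom, value string) string {
	for depth := 0; depth < maxDepth && strings.Contains(value, "${"); depth++ {
		next := resolveOnce(p, value)
		if next == value {
			break
		}
		value = next
	}
	return value
}

// samplePom mirrors the shape of the reported project: the module inherits its
// version from the parent, and springboot.version points at the parent version.
// All values are constructed for this example.
func samplePom() pom {
	return pom{
		ParentVersion: "3.2.4",
		Properties: map[string]string{
			"springboot.version": "${project.parent.version}",
			"easy.major":         "6",
			"loop.a":             "${loop.b}",
			"loop.b":             "${loop.a}",
		},
	}
}

func main() {
	p := samplePom()
	for _, v := range []string{
		"${springboot.version}", // needs two passes
		"${caffeine.version}",   // undefined, stays verbatim
		"${easy.major}.1.2",     // reference embedded in a literal
		"${loop.a}",             // cycle, stops at maxDepth
	} {
		fmt.Printf("%-24s once=%-30s full=%s\n", v, resolveOnce(p, v), resolve(p, v))
	}
}
```

Leaving an unresolved placeholder verbatim, rather than dropping it, is deliberate: a version string that still contains `${` is the signal that the SBOM entry should not be trusted for vulnerability matching, and it is what makes the report's output visibly wrong instead of silently wrong.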