Maven versions still blank in syft output when using specific search context #3207

@rvesse

Description

What happened:

Trying to use syft to generate an SBOM from a Maven pom.xml still does not correctly detect some dependency versions, despite the recent improvements from #2769.

In particular, this seems to be triggered when a dependency is declared with a version in <dependencyManagement> (often in a parent pom.xml) and then declared without a version in a child module's pom.xml, where that dependency is actually being consumed.

For example, using the repository https://github.com/telicent-oss/smart-caches-core:

$ syft file:jaxrs-base-server/pom.xml 
 ✔ Indexed file system                                                   jaxrs-base-server
 ✔ Cataloged contents                                                             52adcddfdc0452dbe1fc094084d91218ae001c1ac23159753ef4ed6e16fd5c00
   ├── ✔ Packages                        [20 packages]  
   └── ✔ Executables                     [0 executables]  
NAME                               VERSION          TYPE           
commons-lang3                                       java-archive    
configurator                       0.22.1-SNAPSHOT  java-archive    
jackson-annotations                                 java-archive    
jakarta.inject-api                                  java-archive    
jakarta.servlet-api                                 java-archive    
jersey-bean-validation                              java-archive    
jersey-client                                       java-archive    
jersey-container-grizzly2-servlet                   java-archive    
jersey-hk2                                          java-archive    
jersey-media-json-jackson                           java-archive    
jul-to-slf4j                                        java-archive    
jwt-auth-common                    0.22.1-SNAPSHOT  java-archive    
jwt-servlet-auth-core                               java-archive    
jwt-servlet-auth-jaxrs3                             java-archive    
logback-classic                                     java-archive    
mockito-core                                        java-archive    
observability-core                 0.22.1-SNAPSHOT  java-archive    
rdf-abac-core                                       java-archive    
slf4j-api                                           java-archive    
testng                                              java-archive

What you expected to happen:

All the dependencies should have their versions correctly detected since they are all declared in the <dependencyManagement> section of the top level pom.xml in that repository.

Steps to reproduce the issue:

$ git clone https://github.com/telicent-oss/smart-caches-core.git
$ syft file:jaxrs-base-server/pom.xml

Environment:

  • Output of syft version:

    Application: syft
    Version: 1.11.1
    BuildDate: 2024-08-20T15:45:33Z
    GitCommit: Homebrew
    GitDescription: [not provided]
    Platform: darwin/arm64
    GoVersion: go1.23.0
    Compiler: gc

  • OS (e.g: cat /etc/os-release or similar): macOS Ventura
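The inheritance rule the report describes, as an added example that is not syft's code or the smart-caches-core project's: a child module lists a dependency without a <version>, and the effective version has to come from a <dependencyManagement> entry (here in the parent), with ${...} placeholders resolved against the merged <properties> and the built-in project.version. The two POMs, the com.example group id and the 3.14.0 version are constructed for the demonstration; the blank version on the third dependency is the unresolved case that appears as an empty cell in the syft table above.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

// Minimal model of the pom.xml elements involved in version inheritance
// (added example; not the syft parser).
type dependency struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
}

type property struct {
	XMLName xml.Name
	Value   string `xml:",chardata"`
}

type properties struct {
	Entries []property `xml:",any"` // arbitrary <name>value</name> children
}

type pom struct {
	GroupID    string       `xml:"groupId"`
	ArtifactID string       `xml:"artifactId"`
	Version    string       `xml:"version"`
	Parent     *dependency  `xml:"parent"`
	Properties properties   `xml:"properties"`
	Managed    []dependency `xml:"dependencyManagement>dependencies>dependency"`
	Deps       []dependency `xml:"dependencies>dependency"`
}

var placeholder = regexp.MustCompile(`\$\{([^}]+)\}`)

func parsePOM(data string) (pom, error) {
	var p pom
	err := xml.Unmarshal([]byte(data), &p)
	return p, err
}

// effectiveProperties merges parent and child <properties> (child wins) and adds
// the project.* values Maven exposes. A module without its own <version> or
// <groupId> inherits them from <parent>.
func effectiveProperties(child, parent pom) map[string]string {
	props := map[string]string{}
	for _, e := range parent.Properties.Entries {
		props[e.XMLName.Local] = e.Value
	}
	for _, e := range child.Properties.Entries {
		props[e.XMLName.Local] = e.Value
	}
	version, groupID := child.Version, child.GroupID
	if child.Parent != nil {
		if version == "" {
			version = child.Parent.Version
		}
		if groupID == "" {
			groupID = child.Parent.GroupID
		}
	}
	props["project.version"] = version
	props["project.groupId"] = groupID
	return props
}

// interpolate expands ${name} references; unknown names are left visible
// rather than silently dropped. Bounded so nested references cannot loop.
func interpolate(s string, props map[string]string) string {
	for i := 0; i < 5 && strings.Contains(s, "${"); i++ {
		s = placeholder.ReplaceAllStringFunc(s, func(m string) string {
			if v, ok := props[m[2:len(m)-1]]; ok {
				return v
			}
			return m
		})
	}
	return s
}

// resolveVersions fills each child dependency's version from, in order: its own
// <version>, the child's <dependencyManagement>, then the parent's. Anything
// still unresolved keeps an empty version.
func resolveVersions(child, parent pom) []dependency {
	managed := map[string]string{}
	for _, d := range parent.Managed {
		managed[d.GroupID+":"+d.ArtifactID] = d.Version
	}
	for _, d := range child.Managed {
		managed[d.GroupID+":"+d.ArtifactID] = d.Version // child overrides parent
	}
	props := effectiveProperties(child, parent)
	out := make([]dependency, 0, len(child.Deps))
	for _, d := range child.Deps {
		if d.Version == "" {
			d.Version = managed[d.GroupID+":"+d.ArtifactID]
		}
		d.Version = interpolate(d.Version, props)
		out = append(out, d)
	}
	return out
}

// Constructed parent POM: versions live only in <dependencyManagement>.
const parentPOM = `<project>
  <groupId>com.example</groupId><artifactId>example-parent</artifactId>
  <version>0.22.1-SNAPSHOT</version>
  <properties><commons-lang3.version>3.14.0</commons-lang3.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId>
      <version>${commons-lang3.version}</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>configurator</artifactId>
      <version>${project.version}</version></dependency>
  </dependencies></dependencyManagement>
</project>`

// Constructed child module POM: dependencies declared without versions.
const childPOM = `<project>
  <parent><groupId>com.example</groupId><artifactId>example-parent</artifactId>
    <version>0.22.1-SNAPSHOT</version></parent>
  <artifactId>jaxrs-base-server</artifactId>
  <dependencies>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId></dependency>
    <dependency><groupId>com.example</groupId><artifactId>configurator</artifactId></dependency>
    <dependency><groupId>com.example</groupId><artifactId>unmanaged</artifactId></dependency>
  </dependencies>
</project>`

func main() {
	parent, err := parsePOM(parentPOM)
	if err != nil {
		panic(err)
	}
	child, err := parsePOM(childPOM)
	if err != nil {
		panic(err)
	}
	for _, d := range resolveVersions(child, parent) {
		fmt.Printf("%-20s %q\n", d.ArtifactID, d.Version)
	}
}
```

Running it prints 3.14.0 for commons-lang3 and 0.22.1-SNAPSHOT for configurator (the ${project.version} placeholder resolves to the version the module inherits from its parent), while the unmanaged artifact stays blank. A scanner that only reads the child's own <dependencies> block, without walking <parent> and merging <dependencyManagement>, produces blank versions for the first two as well, which is the shape of the output in the report.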

Metadata

Assignees: No one assigned
Labels: bug (Something isn't working)
Type: No type
Projects
  Status: Done
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests