diff --git a/pkg/dependency/parser/java/pom/parse_test.go b/pkg/dependency/parser/java/pom/parse_test.go
index 15740d599eb9..47ad1acce0c2 100644
--- a/pkg/dependency/parser/java/pom/parse_test.go
+++ b/pkg/dependency/parser/java/pom/parse_test.go
@@ -979,6 +979,46 @@ func TestPom_Parse(t *testing.T) {
 },
 },
 },
+ {
+ name: "exclusions in child and parent dependency management",
+ inputFile: filepath.Join("testdata", "exclusions-parent-dependency-management", "child", "pom.xml"),
+ local: true,
+ want: []ftypes.Package{
+ {
+ ID: "com.example:child:3.0.0",
+ Name: "com.example:child",
+ Version: "3.0.0",
+ Licenses: []string{"Apache 2.0"},
+ Relationship: ftypes.RelationshipRoot,
+ },
+ {
+ ID: "org.example:example-nested:3.3.3",
+ Name: "org.example:example-nested",
+ Version: "3.3.3",
+ Relationship: ftypes.RelationshipDirect,
+ },
+ {
+ ID: "org.example:example-dependency:1.2.3",
+ Name: "org.example:example-dependency",
+ Version: "1.2.3",
+ Relationship: ftypes.RelationshipIndirect,
+ },
+ },
+ wantDeps: []ftypes.Dependency{
+ {
+ ID: "com.example:exclusions:3.0.0",
+ DependsOn: []string{
+ "org.example:example-nested:3.3.3",
+ },
+ },
+ {
+ ID: "org.example:example-nested:3.3.3",
+ DependsOn: []string{
+ "org.example:example-dependency:1.2.3",
+ },
+ },
+ },
+ },
 {
 name: "exclusions with wildcards",
 inputFile: filepath.Join("testdata", "wildcard-exclusions", "pom.xml"),
diff --git a/pkg/dependency/parser/java/pom/pom.go b/pkg/dependency/parser/java/pom/pom.go
index 3a0170d36811..889d107c3c6c 100644
--- a/pkg/dependency/parser/java/pom/pom.go
+++ b/pkg/dependency/parser/java/pom/pom.go
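Review bot: The first `wantDeps` entry of the new case in parse_test.go uses `ID: "com.example:exclusions:3.0.0"`, but the root package expected in `want` is `com.example:child:3.0.0`, and no package with the `exclusions` artifact ID appears in this case. It looks copied from a neighbouring exclusions case; if dependency edges are keyed by the root package ID, the line should read `ID: "com.example:child:3.0.0",`. As written, the expectation either fails the comparison or, if `wantDeps` is not compared strictly, leaves the merged-exclusion graph unverified for the root. The assertion logic of `TestPom_Parse` is outside the hunk, so which of the two applies cannot be confirmed from here.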
@@ -266,9 +266,8 @@ func (d pomDependency) Resolve(props map[string]string, depManagement, rootDepMa
 if !dep.Optional {
 dep.Optional = managed.Optional
 }
- if len(dep.Exclusions.Exclusion) == 0 {
- dep.Exclusions = managed.Exclusions
- }
+ // `mvn` always merges exceptions for pom and parent
+ dep.Exclusions.Exclusion = append(dep.Exclusions.Exclusion, managed.Exclusions.Exclusion...)
 }
 return dep
 }
diff --git a/pkg/dependency/parser/java/pom/testdata/exclusions-parent-dependency-management/child/pom.xml b/pkg/dependency/parser/java/pom/testdata/exclusions-parent-dependency-management/child/pom.xml
new file mode 100644
index 000000000000..acec708b691a
--- /dev/null
+++ b/pkg/dependency/parser/java/pom/testdata/exclusions-parent-dependency-management/child/pom.xml
@@ -0,0 +1,38 @@
+
+ 4.0.0
+
+ child
+ 3.0.0
+
+ child
+ Child
+
+
+ com.example
+ parent
+ 2.0.0
+
+
+
+
+ Apache 2.0
+ http://www.apache.org/licenses/LICENSE-2.0.html
+ repo
+
+
+
+
+
+ org.example
+ example-nested
+
+
+ org.example
+ example-api-common
+
+
+
+
+
+
diff --git a/pkg/dependency/parser/java/pom/testdata/exclusions-parent-dependency-management/pom.xml b/pkg/dependency/parser/java/pom/testdata/exclusions-parent-dependency-management/pom.xml
new file mode 100644
index 000000000000..5735825405b0
--- /dev/null
+++ b/pkg/dependency/parser/java/pom/testdata/exclusions-parent-dependency-management/pom.xml
@@ -0,0 +1,37 @@
+
+ 4.0.0
+
+ com.example
+ parent
+ 2.0.0
+
+ pom
+ parent
+ Parent
+
+
+
+ Apache 2.0
+ http://www.apache.org/licenses/LICENSE-2.0.html
+ repo
+
+
+
+
+
+
+ org.example
+ example-nested
+ 3.3.3
+
+
+ org.example
+ example-api
+
+
+
+
+
+
+
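Review bot: In `Resolve` (pom.go), `append(dep.Exclusions.Exclusion, managed.Exclusions.Exclusion...)` can write into the backing array of the receiver's exclusion slice whenever that slice has spare capacity, so managed exclusions merged during one resolution may leak into another resolution of the same parsed dependency. Whether `dep.Exclusions` aliases `d.Exclusions` is decided at the start of `Resolve`, which lies outside the hunk, so this needs confirming there. For a dependency scanner a polluted exclusion list means packages silently dropped from the report, which is worth ruling out; clipping the slice before appending does that: `own := dep.Exclusions.Exclusion` followed by `dep.Exclusions.Exclusion = append(own[:len(own):len(own)], managed.Exclusions.Exclusion...)`. The added comment also says "exceptions" where it means exclusions; suggested wording: `// mvn merges the exclusions declared on the dependency with those from dependencyManagement`.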