fix(java): update logic to detect pom.xml file snapshot artifacts from remote repositories #6412
Conversation
- divide remote repositories into releases and snapshots
- detect snapshots from the artifact version
This change looks awesome! I have one question.
What is
IIUC. Take a look at this:

```
Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/maven-metadata.xml
Downloaded from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/maven-metadata.xml (1.2 kB at 171 B/s)
Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/jackson-annotations-2.17.0-20240312.035235-10.pom
Downloaded from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/jackson-annotations-2.17.0-20240312.035235-10.pom (7.0 kB at 33 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/jackson-parent/2.17/jackson-parent-2.17.pom
Downloaded from central: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/jackson-parent/2.17/jackson-parent-2.17.pom (6.5 kB at 22 kB/s)
```

mvn checks https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/maven-metadata.xml -> takes version for pom (
Thanks for explaining. I got it. So, it sounds like we also need to fetch

trivy/pkg/dependency/parser/java/pom/parse.go, lines 651 to 660 in 6c19ae7
I don't have much experience with custom repositories.
I thought I'd add this to another PR. But I can do it in this PR.
I asked about snapshot repositories since the structure seems different from that of release repositories. We just replace URLs here even for snapshots. But it's ok if you work on it in another PR.
When the artifact is
Anyway, it's not a bug from this PR. I'll merge this one, and we'll implement the snapshot logic later.
UPD:

```
Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-databind/2.17.012341-SNAPSHOT/maven-metadata.xml
Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-databind/2.17.012341-SNAPSHOT/jackson-databind-2.17.012341-SNAPSHOT.pom
[WARNING] The POM for com.fasterxml.jackson.core:jackson-databind:jar:2.17.012341-SNAPSHOT is missing, no dependency information available
Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-databind/2.17.012341-SNAPSHOT/jackson-databind-2.17.012341-SNAPSHOT.jar
```
So, Trivy currently accesses the following URL and fails as it's 404. In short, Trivy tries snapshot repositories and most likely fails because Trivy doesn't support
if the repository uses thus
I randomly picked up some artifacts in the snapshot repository. All of them use
Is it possible that a snapshot repository doesn't use
As I wrote in #6412 (comment):
Description
Maven splits release and snapshot repositories - https://github.com/apache/maven/blob/259404701402230299fe05ee889ecdf1c9dae816/maven-core/src/main/java/org/apache/maven/project/MavenProject.java#L144-L146.
Maven uses snapshot remote repos for snapshot artifacts [1] and release remote repos + Maven Central for other artifacts:
We need to reproduce this logic:
- snapshot repositories (`metadata.xml` -> `*.pom`)
- release repositories + Maven Central (`*.pom`)
Tests with `mvn` and `trivy`:

snapshot version + snapshot repo enabled
test pom.xml file:

mvn (`jackson-annotations` is a child dependency of `jackson-databind`):

```
➜ 6355 mvn dependency:resolve | grep jackson-annotations
Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/maven-metadata.xml
Downloaded from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/maven-metadata.xml (1.2 kB at 7.3 kB/s)
Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/jackson-annotations-2.17.0-20240312.035235-10.pom
Downloaded from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/jackson-annotations-2.17.0-20240312.035235-10.pom (7.0 kB at 42 kB/s)
Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/jackson-annotations-2.17.0-20240312.035235-10.jar
Downloaded from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/jackson-annotations-2.17.0-20240312.035235-10.jar (79 kB at 454 kB/s)
[INFO] com.fasterxml.jackson.core:jackson-annotations:jar:2.17.0-SNAPSHOT:compile -- module com.fasterxml.jackson.annotation
```

trivy (need to add logic for metadata.xml):

```
➜ ./trivy -d fs pom.xml | grep jackson-databind
...
2024-03-29T09:32:49.948+0600 DEBUG Resolving com.fasterxml.jackson.core:jackson-databind:2.17.0-SNAPSHOT...
2024-03-29T09:32:53.265+0600 DEBUG Failed to fetch from oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-databind/2.17.0-SNAPSHOT/jackson-databind-2.17.0-SNAPSHOT.pom
```
snapshot version (Maven Central contains this version) + repositories disabled

!!! This test shows that Maven doesn't check Central for snapshots.

test pom.xml file (https://repo.maven.apache.org/maven2/ai/kassette/kassette-java-sdk/1.0.4-SNAPSHOT/kassette-java-sdk-1.0.4-SNAPSHOT.pom):

mvn:

trivy:

```
➜ ./trivy -d fs pom.xml
2024-03-29T09:42:57.580+0600 DEBUG Resolving ai.kassette:kassette-java-sdk:1.0.4-SNAPSHOT...
2024-03-29T09:42:57.580+0600 DEBUG ai.kassette:kassette-java-sdk:1.0.4-SNAPSHOT was not found in local/remote repositories
```
release version + release repository enabled

!!! This test shows that Maven checks repositories from the pom file before Maven Central

test pom.xml file:

mvn:

trivy:
Changes for another PR:

Maven uses the `metadata.xml` file to find the `*.pom` file for snapshots, e.g. (https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/):
Footnotes

1. Maven detects snapshot artifacts by artifact version - https://github.com/apache/maven/blob/259404701402230299fe05ee889ecdf1c9dae816/maven-artifact/src/main/java/org/apache/maven/artifact/DefaultArtifact.java#L482-L486
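As an added example (not Trivy's or Maven's own code), the three behaviours this PR and its follow-up describe, in Go: Maven's snapshot-version test from footnote 1, the snapshot/release repository split, and using maven-metadata.xml to name the timestamped POM, with the plain `<artifact>-<version>.pom` fallback that mvn used for jackson-databind above. The metadata XML is a constructed sample and any repository URL other than Sonatype's and Central's is a placeholder.

```go
// Added example, not Trivy's or Maven's code: Maven-style snapshot detection, repository
// selection, and mapping a -SNAPSHOT version to its timestamped POM via maven-metadata.xml.
package main

import (
	"encoding/xml"
	"regexp"
	"strings"
)

// Maven's DefaultArtifact: snapshot = ends in "-SNAPSHOT" or has a "-yyyyMMdd.HHmmss-N" suffix.
var timestamped = regexp.MustCompile(`^(.*)-([0-9]{8}\.[0-9]{6})-([0-9]+)$`)
func isSnapshot(version string) bool {
	return strings.HasSuffix(version, "-SNAPSHOT") || timestamped.MatchString(version)
}

// Snapshots are looked up only in snapshot repos; everything else in the POM's release repos, then Central.
func reposFor(version string, snapshotRepos, releaseRepos []string) []string {
	if isSnapshot(version) {
		return snapshotRepos
	}
	return append(append([]string{}, releaseRepos...), "https://repo.maven.apache.org/maven2")
}

// The only maven-metadata.xml fields needed to name a unique snapshot file.
type metadata struct {
	Timestamp   string `xml:"versioning>snapshot>timestamp"`
	BuildNumber string `xml:"versioning>snapshot>buildNumber"`
}

// Constructed sample, trimmed to the fields used (values from the jackson-annotations log above).
const sampleMetadata = `<metadata><versioning><snapshot><timestamp>20240312.035235</timestamp>
<buildNumber>10</buildNumber></snapshot></versioning></metadata>`
// snapshotPOMURL builds the POM URL for a -SNAPSHOT version. With nil metadata or no
// timestamp/buildNumber (non-unique snapshots) it falls back to "<artifact>-<version>.pom".
func snapshotPOMURL(repo, groupID, artifactID, version string, metadataXML []byte) (string, error) {
	var m metadata
	if metadataXML != nil {
		if err := xml.Unmarshal(metadataXML, &m); err != nil {
			return "", err
		}
	}
	file := artifactID + "-" + version
	if m.Timestamp != "" && m.BuildNumber != "" {
		file = artifactID + "-" + strings.TrimSuffix(version, "-SNAPSHOT") + "-" + m.Timestamp + "-" + m.BuildNumber
	}
	dir := strings.ReplaceAll(groupID, ".", "/") + "/" + artifactID + "/" + version
	return strings.TrimSuffix(repo, "/") + "/" + dir + "/" + file + ".pom", nil
}
```

With the sample metadata, snapshotPOMURL reproduces the exact `jackson-annotations-2.17.0-20240312.035235-10.pom` URL mvn downloaded; with nil metadata it yields the `jackson-databind-2.17.012341-SNAPSHOT.pom` URL that returned 404.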