Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Transitive dependency support for Maven pom.xml #1002

Merged
merged 1 commit into from
May 31, 2024
Merged

Transitive dependency support for Maven pom.xml #1002

merged 1 commit into from
May 31, 2024

Conversation

cuixq
Copy link
Contributor

@cuixq cuixq commented May 29, 2024

Issue #35

In this PR, the new Maven extractor invokes Maven resolver to compute the transitive dependencies of a Maven pom.xml.

Since managed dependencies are not actually being depended on, they are not in the resolved dependency graph, and thus they are not included in the scan results.

@codecov-commenter
Copy link

codecov-commenter commented May 29, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 97.95918% with 1 lines in your changes are missing coverage. Please review.

Project coverage is 65.06%. Comparing base (804589a) to head (dc901f4).
Report is 3 commits behind head on main.

Files Patch % Lines
internal/manifest/maven.go 97.95% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1002      +/-   ##
==========================================
+ Coverage   64.47%   65.06%   +0.59%     
==========================================
  Files         148      149       +1     
  Lines       12088    12250     +162     
==========================================
+ Hits         7794     7971     +177     
+ Misses       3843     3832      -11     
+ Partials      451      447       -4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

cuixq
cuixq commented May 29, 2024
View reviewed changes
internal/manifest/fixtures/maven/with-scope.xml
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
<scope>test</scope>
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@michaelkedar I think we should fix the resolver not to ignore test dependencies. junit:junit is not in the resolve graph. :(

another-rex
another-rex approved these changes May 31, 2024
View reviewed changes
Copy link
Collaborator

@another-rex another-rex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@cuixq cuixq merged commit f2a30a8 into google:main May 31, 2024
13 checks passed
@cuixq cuixq deleted the maven branch May 31, 2024 07:55
josieang pushed a commit to josieang/osv-scanner that referenced this pull request Jun 6, 2024
@cuixq @josieang
Transitive dependency support for Maven pom.xml (google#1002)
3a46c0d 
Issue google#35

In this PR, the new Maven extractor invokes Maven resolver to compute
the transitive dependencies of a Maven pom.xml.

Since managed dependencies are not actually being depended on, they are
not in the resolved dependency graph, and thus they are not included in
the scan results.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaelkedar michaelkedar michaelkedar approved these changes

@another-rex another-rex another-rex approved these changes

@oliverchang oliverchang Awaiting requested review from oliverchang

@G-Rath G-Rath Awaiting requested review from G-Rath

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cuixq @codecov-commenter @michaelkedar @another-rex