Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(java): Adding the ability to find properties in maven profiles (activeByDefa… #7298

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

feat(java): Adding the ability to find properties in maven profiles (activeByDefa… #7298

wants to merge 1 commit into from

Conversation

coheigea
Copy link
Contributor

@coheigea coheigea commented Aug 2, 2024

…ult only)

Currently Trivy is not capable of parsing properties in Maven profiles. It is a pretty common scenario to have different versions of the same dependency in multiple maven profiles, e.g. maybe to support different framework versions with a product.

 <profiles>
        <profile>
            <id>avro</id>
            <properties>
                <avro.version>1.7.4</avro.version>
            </properties>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
        </profile>
    </profiles>

    <dependencies>

        <dependency>
            <groupId>org.apache.avro</groupId>
            <artifactId>avro</artifactId>
            <version>${avro.version}</version>
        </dependency>

    </dependencies>

This PR adds the ability to find properties in a maven profile, but only if it's "activeByDefault". It's impossible to determine otherwise activation properties of maven.

@DmitriyLewen PTAL and let me know if you approve the general approach and I'll add tests.

@coheigea coheigea marked this pull request as draft August 2, 2024 08:52
@coheigea coheigea force-pushed the coheigea/maven-profile-properties branch from 3405bd6 to 7ef4f0e Compare August 2, 2024 09:51
@coheigea
Copy link
Contributor Author

@DmitriyLewen reminder on this please

@knqyf263
Copy link
Collaborator

@coheigea He is on vacation.
#7303

DmitriyLewen
DmitriyLewen reviewed Aug 20, 2024
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@coheigea Thanks for your help with java!
Sorry for delay.

It looks good to me.
I left couple comments about priority.

pkg/dependency/parser/java/pom/pom.go
Comment on lines 46 to 48
props := p.content.Properties
props = utils.MergeMaps(props, p.profileProperties())
return utils.MergeMaps(props, p.projectProperties())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maven documentation is not always accurate.
we need to check what priority mvn has for properties

pkg/dependency/parser/java/pom/pom.go
Comment on lines +81 to +88
profiles := p.content.Profiles
logger := log.WithPrefix("pom")

projectProperties := make(map[string]string)
for _, profile := range profiles.Profile {
activation := profile.Activation
if activation.ActiveByDefault == enabled {
logger.Debug("Adding properties from profile", log.String("id", profile.ID))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit:
We may not create a new variable every time

Suggested change
profiles := p.content.Profiles
logger := log.WithPrefix("pom")
projectProperties := make(map[string]string)
for _, profile := range profiles.Profile {
activation := profile.Activation
if activation.ActiveByDefault == enabled {
logger.Debug("Adding properties from profile", log.String("id", profile.ID))
projectProperties := make(map[string]string)
for _, profile := range p.content.Profiles.Profile {
if profile.Activation.ActiveByDefault == enabled {
log.WithPrefix("pom").Debug("Adding properties from profile", log.String("id", profile.ID))

pkg/dependency/parser/java/pom/pom.go
Comment on lines +90 to +92
for k, v := range profile.Properties {
projectProperties[k] = v
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If 2 profiles contains same variable:

  1. does mvn overwrite value?
  2. does mvn use 1 found value?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DmitriyLewen DmitriyLewen DmitriyLewen left review comments

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@coheigea @knqyf263 @DmitriyLewen