Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Better support for profiles in transitive Maven pom.xmls #463

Open
michaelkedar opened this issue Sep 11, 2024 · 3 comments
Open

Better support for profiles in transitive Maven pom.xmls #463

michaelkedar opened this issue Sep 11, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@michaelkedar
Copy link
Member

michaelkedar commented Sep 11, 2024
edited
Loading

Edit: I've transferred this issue from osv-scanner, since the relevant logic would now live here.

osv-scanner scan would correspond to the pomxmlnet Extractor. osv-scanner fix is the guided remediation feature.

Currently, osv-scanner scan does not activate any Maven profiles(?), and osv-scanner fix activates only profiles that are explicitly active by default.

For better profile support, we could:

  • Activate profiles that would naturally be activated (e.g. if the activation depends on a property)
  • Have a way for the user to give us the active profiles (analogous mvn's --activate-profiles/-P flag)
    • Related: possibly have something analogous to mvn's --define/-D flag to define properties outside of the pom.xml file
  • Figure out a way for getting/setting the JDK & OS versions for profile activation.
@michaelkedar michaelkedar added the enhancement New feature or request label Sep 11, 2024
@cuixq
Copy link
Collaborator

cuixq commented Sep 11, 2024

Ah - good spot on scan! I think default profiles are activated during merging parents but not the base project - we should fix this.

@michaelkedar
Copy link
Member Author

There's another related issue in osv-scanner fix with writing patches to profiles only applying to the first one in the list:

e.g.

<dependencies>
  <dependency>
    <groupId>com.xyz</groupId>
    <artifactId>foo</artifactId>
  </dependency>
</dependencies>

<profiles>
  <profile>
    <id>profile1</id> <!-- this profile is not active -->
    <activation>
      <activeByDefault>false</activeByDefault>
    </activation>
    <dependencyManagement>
      <dependencies>
        <dependency>
          <groupId>com.xyz</groupId>
          <artifactId>foo</artifactId>
          <version>1.0.1</version>
        </dependency>
      </dependencies>
    </dependencyManagement>
  </profile>
  
  <profile>
    <id>profile2</id> <!-- this profile is active -->
    <activation>
      <activeByDefault>true</activeByDefault>
    </activation>
    <dependencyManagement>
      <dependencies>
        <dependency>
          <groupId>com.xyz</groupId>
          <artifactId>foo</artifactId>
          <version>1.0.2</version>
        </dependency>
      </dependencies>
    </dependencyManagement>
  </profile>
</profiles>

gets patched to

<dependencies>
  <dependency>
    <groupId>com.xyz</groupId>
    <artifactId>foo</artifactId>
  </dependency>
</dependencies>

<profiles>
  <profile>
    <id>profile1</id>
    <activation>
      <activeByDefault>false</activeByDefault>
    </activation>
    <dependencyManagement>
      <dependencies>
        <dependency>
          <groupId>com.xyz</groupId>
          <artifactId>foo</artifactId>
          <version>2.0.0</version> <!-- Only this version is changed -->
        </dependency>
      </dependencies>
    </dependencyManagement>
  </profile>
  
  <profile>
    <id>profile2</id>
    <activation>
      <activeByDefault>true</activeByDefault>
    </activation>
    <dependencyManagement>
      <dependencies>
        <dependency>
          <groupId>com.xyz</groupId>
          <artifactId>foo</artifactId>
          <version>1.0.2</version> <!-- The version in the activated profile doesn't get patched -->
        </dependency>
      </dependencies>
    </dependencyManagement>
  </profile>
</profiles>

If there's also a dependencyManagement for the package outside of the profiles, that is the only thing that gets patched despite being overwritten by the profiles.

@michaelkedar michaelkedar changed the title Support profile activation in Maven pom.xml resolution Support profile activation in Maven pom.xml resolution and writing Sep 12, 2024
@michaelkedar michaelkedar mentioned this issue Sep 12, 2024
Merged
@github-actions GitHub Actions
Copy link

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

@cuixq cuixq mentioned this issue Jan 21, 2025
Merged
@michaelkedar michaelkedar transferred this issue from google/osv-scanner Feb 14, 2025
@michaelkedar michaelkedar changed the title Support profile activation in Maven pom.xml resolution and writing Better support for profiles in transitive Maven pom.xmls Feb 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@michaelkedar @cuixq