feat(java): add graph support for pom.xml (#4902)

* add graph support * update docs * bump go-dep-parser * remove replace for go-dep-parser * update docs
aquasecurity · Aug 30, 2023 · 4401998 · 4401998
1 parent 9c211d0
commit 4401998
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 4 deletions.
diff --git a/docs/docs/configuration/reporting.md b/docs/docs/configuration/reporting.md
@@ -62,6 +62,8 @@ The following packages/languages are currently supported:
     - Modules: go.mod
 - PHP
     - Composer
+- Java
+    - Maven: pom.xml
 
 This tree is the reverse of the npm list command.
 However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.

diff --git a/docs/docs/coverage/language/java.md b/docs/docs/coverage/language/java.md
@@ -14,7 +14,7 @@ The following table provides an outline of the features Trivy offers.
 | Artifact         |    Internet access    | Dev dependencies | [Dependency graph][dependency-graph] |
 |------------------|:---------------------:|:----------------:|:------------------------------------:|
 | JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |
-| pom.xml          | Maven repository [^1] |     Exclude      |                  -                   |
+| pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |
 | *gradle.lockfile |           -           |     Exclude      |                  -                   |
 
 These may be enabled or disabled depending on the target.

diff --git a/go.mod b/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/alicebob/miniredis/v2 v2.30.4
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/defsec v0.91.1
-	github.com/aquasecurity/go-dep-parser v0.0.0-20230825043456-df72a286b673
+	github.com/aquasecurity/go-dep-parser v0.0.0-20230828120518-ef5e9409fc43
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46

diff --git a/go.sum b/go.sum
@@ -325,8 +325,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/defsec v0.91.1 h1:dBIPm6Tva9I+ZTQv+6t9wob3ZlMSu8NFqMJr4mgJC5A=
 github.com/aquasecurity/defsec v0.91.1/go.mod h1:l/srzxtuuyb6c6FlqUvMp3xw2ZbvuZ0l9972MNJM7V8=
-github.com/aquasecurity/go-dep-parser v0.0.0-20230825043456-df72a286b673 h1:RMhUzr2ZfQ8OAO26aUkqbwfxK7d3ieFtPqUhiwTxOe0=
-github.com/aquasecurity/go-dep-parser v0.0.0-20230825043456-df72a286b673/go.mod h1:0+GvQF0gL4YEAAUPpNeLeGpFDxMvvIHLMd7vk9bpwko=
+github.com/aquasecurity/go-dep-parser v0.0.0-20230828120518-ef5e9409fc43 h1:/F4aNnwyFNyAemjKtHznfRdeWUEENOZYOnx+smPPpAE=
+github.com/aquasecurity/go-dep-parser v0.0.0-20230828120518-ef5e9409fc43/go.mod h1:0+GvQF0gL4YEAAUPpNeLeGpFDxMvvIHLMd7vk9bpwko=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-mock-aws v0.0.0-20230328195059-5bf52338aec3 h1:Vt9y1gZS5JGY3tsL9zc++Cg4ofX51CG7PaMyC5SXWPg=

diff --git a/integration/testdata/pom.json.golden b/integration/testdata/pom.json.golden
@@ -22,6 +22,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2020-9548",
+          "PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1",
           "PkgName": "com.fasterxml.jackson.core:jackson-databind",
           "InstalledVersion": "2.9.1",
           "FixedVersion": "2.9.10.4",
@@ -78,6 +79,7 @@
         },
         {
           "VulnerabilityID": "CVE-2021-20190",
+          "PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1",
           "PkgName": "com.fasterxml.jackson.core:jackson-databind",
           "InstalledVersion": "2.9.1",
           "FixedVersion": "2.9.10.7",

diff --git a/pkg/fanal/analyzer/language/java/pom/pom_test.go b/pkg/fanal/analyzer/language/java/pom/pom_test.go
@@ -31,6 +31,7 @@ func Test_pomAnalyzer_Analyze(t *testing.T) {
 						FilePath: "testdata/happy/pom.xml",
 						Libraries: types.Packages{
 							{
+								ID:       "com.example:example:1.0.0",
 								Name:     "com.example:example",
 								Version:  "1.0.0",
 								Licenses: []string{"Apache-2.0"},
@@ -51,6 +52,7 @@ func Test_pomAnalyzer_Analyze(t *testing.T) {
 						FilePath: "pom.xml",
 						Libraries: types.Packages{
 							{
+								ID:       "com.example:example:1.0.0",
 								Name:     "com.example:example",
 								Version:  "1.0.0",
 								Licenses: []string{"Apache-2.0"},
@@ -70,6 +72,7 @@ func Test_pomAnalyzer_Analyze(t *testing.T) {
 						FilePath: "testdata/requirements/pom.xml",
 						Libraries: types.Packages{
 							{
+								ID:       "com.example:example:2.0.0",
 								Name:     "com.example:example",
 								Version:  "2.0.0",
 								Licenses: []string{"Apache-2.0"},