fix(java): update logic to detect pom.xml file snapshot artifacts from remote repositories
#6412
Conversation
- divide remote repositories into releases and snapshots - detect snapshots from the artifact version
|
This change looks awesome! I have one question.
What is |
|
IIUC Take a look this Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/maven-metadata.xml
Downloaded from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/maven-metadata.xml (1.2 kB at 171 B/s)
Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/jackson-annotations-2.17.0-20240312.035235-10.pom
Downloaded from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/jackson-annotations-2.17.0-20240312.035235-10.pom (7.0 kB at 33 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/jackson-parent/2.17/jackson-parent-2.17.pom
Downloaded from central: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/jackson-parent/2.17/jackson-parent-2.17.pom (6.5 kB at 22 kB/s)mvn checks https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/maven-metadata.xml -> takes version for pom ( |
|
Thanks for explaining. I got it. So, it sounds like we also need to fetch trivy/pkg/dependency/parser/java/pom/parse.go Lines 651 to 660 in 6c19ae7 |
|
I don't have much experience with custom repositories.
I thought I'd add this to another PR. But I can do it in this PR. |
I asked about snapshot repositories since the structure seems different from that of release repositories. We just replace URLs here even for snapshots. But it's ok if you work on it in another PR. |
|
When the artifact is |
|
Anyway, it's not a bug from this PR. I'll merge this one, and we'll implement the snapshot logic later. |
UPD: Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-databind/2.17.012341-SNAPSHOT/maven-metadata.xml
Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-databind/2.17.012341-SNAPSHOT/jackson-databind-2.17.012341-SNAPSHOT.pom
[WARNING] The POM for com.fasterxml.jackson.core:jackson-databind:jar:2.17.012341-SNAPSHOT is missing, no dependency information available
Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-databind/2.17.012341-SNAPSHOT/jackson-databind-2.17.012341-SNAPSHOT.jar
|
|
So, Trivy currently accesses the following URL and fails as it's 404. In short, Trivy tries snapshot repositories and most likely fails because Trivy doesn't support |
if the repository uses thus |
|
I randomly picked up some artifacts in the snapshot repository. All of them use Is it possible that a snapshot repository doesn't use |
|
as i wrote in #6412 (comment): |
…rom remote repositories (#6412)
…rom remote repositories (aquasecurity#6412)
Description
Maven splits release and snapshot repositories - https://github.com/apache/maven/blob/286304701402230299fe05ee889ecdf1c9dae816/maven-core/src/main/java/org/apache/maven/project/MavenProject.java#L144-L146.
Maven uses snapshot remote repos for snapshot artifacts1 and release remote repos maven central for other artifacts:
We need reproduce this logic:
metadata.xml->*.pom)*.pom)Tests with
mvnandtrivy:snapshot version snapshot repo enable
test pom.xml file:mvn (
jackson-annotationsis child dependency ofjackson-databind):➜ 6355 mvn dependency:resolve | grep jackson-annotations Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/maven-metadata.xml Downloaded from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/maven-metadata.xml (1.2 kB at 7.3 kB/s) Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/jackson-annotations-2.17.0-20240312.035235-10.pom Downloaded from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/jackson-annotations-2.17.0-20240312.035235-10.pom (7.0 kB at 42 kB/s) Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/jackson-annotations-2.17.0-20240312.035235-10.jar Downloaded from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/jackson-annotations-2.17.0-20240312.035235-10.jar (79 kB at 454 kB/s) [INFO] com.fasterxml.jackson.core:jackson-annotations:jar:2.17.0-SNAPSHOT:compile -- module com.fasterxml.jackson.annotationtrivy (need add logic for metadata.xml):
➜ ./trivy -d fs pom.xml | grep jackson-databind ... 2024-03-29T09:32:49.948 0600 DEBUG Resolving com.fasterxml.jackson.core:jackson-databind:2.17.0-SNAPSHOT... 2024-03-29T09:32:53.265 0600 DEBUG Failed to fetch from oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-databind/2.17.0-SNAPSHOT/jackson-databind-2.17.0-SNAPSHOT.pomsnapshot version (maven central contains this version) repositories disable
!!! This test shows that maven doesn't check central for snapshots.
test pom.xml file (https://repo.maven.apache.org/maven2/ai/kassette/kassette-java-sdk/1.0.4-SNAPSHOT/kassette-java-sdk-1.0.4-SNAPSHOT.pom):
mvn:
trivy:
➜ ./trivy -d fs pom.xml 2024-03-29T09:42:57.580 0600 DEBUG Resolving ai.kassette:kassette-java-sdk:1.0.4-SNAPSHOT... 2024-03-29T09:42:57.580 0600 DEBUG ai.kassette:kassette-java-sdk:1.0.4-SNAPSHOT was not found in local/remote repositoriesrelease version release repository enable
!!! This test shows that maven checks repositories from pom file before maven central
test pom.xml file:
mvn:
trivy:
Changes for another PR:
Maven uses
metadata.xmlfile to find*.pomfile forsnapshots.e.g. (https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.17.0-SNAPSHOT/):
Related issues
Related PRs
Checklist
Footnotes
Maven detects snapshot artifacts by artifact version - https://github.com/apache/maven/blob/286304701402230299fe05ee889ecdf1c9dae816/maven-artifact/src/main/java/org/apache/maven/artifact/DefaultArtifact.java#L482-L486 ↩