Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Java dependency graph information #3363

Merged
merged 5 commits into from
Oct 23, 2024
Merged

feat: Java dependency graph information #3363

merged 5 commits into from
Oct 23, 2024

Conversation

kzantow
Copy link
Contributor

@kzantow kzantow commented Oct 21, 2024
edited
Loading

Description

This PR implements dependency graph information for Java packages. This applies primarily to these scenarios:

  • source scan of Java Maven-based projects, which now includes appropriate top-level and optionally, transitive dependency information
  • nested archive with embedded packages

For example: a user scanning a .war file with multiple embedded .jar files, the topmost package representing the .war file will have dependency relationships from the specific packages surfaced from the included .jar files.

Additionally, this PR includes a refactoring the internal Maven resolver functionality to an internal package to provide clearer boundaries of usage vs. internal methods.

Type of change

  • New feature (non-breaking change which adds functionality)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

@kzantow kzantow force-pushed the feat/java-dependency-graph branch from 416abdd to 0bb3031 Compare October 21, 2024 20:06
kzantow
kzantow commented Oct 22, 2024
View reviewed changes
syft/pkg/cataloger/java/parse_pom_xml.go
PomProperties: &pkg.JavaPomProperties{
GroupID: id.GroupID,
ArtifactID: id.ArtifactID,
Scope: r.ResolveProperty(ctx, pom, dep.Scope),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PomProperties has the scope? This doesn't seem right, but this was the existing behavior.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed -- we should make a syft 2.0 for this and mark the field as deprecated. There is a discussion in #572 on how to mark dev/test deps on edges, but for now we've elected to not track these.

wagoodman
wagoodman approved these changes Oct 23, 2024
View reviewed changes
Copy link
Contributor

@wagoodman wagoodman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@kzantow
chore: address PR feedback
3875b4e 
Signed-off-by: Keith Zantow <[email protected]>
@kzantow kzantow merged commit a00533c into anchore:main Oct 23, 2024
12 checks passed
@kzantow kzantow deleted the feat/java-dependency-graph branch October 23, 2024 15:17
@kzantow kzantow mentioned this pull request Oct 28, 2024
Closed
@BrewTestBot BrewTestBot mentioned this pull request Oct 28, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wagoodman wagoodman wagoodman approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Emit relationships for Java dependencies
2 participants
@kzantow @wagoodman