feat(java): add support for line numbers for pom.xml files (aquasecurity#5991)

DmitriyLewen · web-flow · commit b4b90cfe2021 · 2024-01-25T07:25:38.000Z
diff --git a/docs/docs/coverage/language/java.md b/docs/docs/coverage/language/java.md
@@ -11,11 +11,11 @@ Each artifact supports the following scanners:
 
 The following table provides an outline of the features Trivy offers.
 
-| Artifact         |    Internet access    | Dev dependencies | [Dependency graph][dependency-graph] |
-|------------------|:---------------------:|:----------------:|:------------------------------------:|
-| JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |
-| pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |
-| *gradle.lockfile |           -           |     Exclude      |                  -                   |
+| Artifact         |    Internet access    | Dev dependencies | [Dependency graph][dependency-graph] | Position |
+|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|
+| JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |    -     |
+| pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |  ✓[^7]   |
+| *gradle.lockfile |           -           |     Exclude      |                  -                   |    -     |
 
 These may be enabled or disabled depending on the target.
 See [here](./index.md) for the detail.
@@ -46,7 +46,7 @@ If your machine doesn't have the necessary files - Trivy tries to find the infor
 
 !!! Note
     Trivy only takes information about packages. We don't take a list of vulnerabilities for packages from the `maven repository`.
-    Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources_1).
+    Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources-1).
 
 You can disable connecting to the maven repository with the `--offline-scan` flag.
 The `--offline-scan` flag does not affect the Trivy database.
@@ -67,5 +67,6 @@ It doesn't require the internet access.
 [^4]: e.g. when parent pom.xml file has `../pom.xml` path
 [^5]: When you use dependency path in `relativePath` field in pom.xml file
 [^6]: `/Users/<username>/.m2/repository` (for Linux and Mac) and `C:/Users/<username>/.m2/repository` (for Windows) by default
+[^7]: To avoid confusion, Trivy only finds locations for direct dependencies from the base pom.xml file.
 
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
diff --git a/go.mod b/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/alicebob/miniredis/v2 v2.31.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/defsec v0.94.1
-	github.com/aquasecurity/go-dep-parser v0.0.0-20231229070651-5f0903175562
+	github.com/aquasecurity/go-dep-parser v0.0.0-20240124102329-7be7d210a3d4
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
diff --git a/go.sum b/go.sum
@@ -328,8 +328,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/defsec v0.94.1 h1:lk44bfUltm0f0Dw4DbO3Ka9d/bf3N8cWclSdHXMyKF4=
 github.com/aquasecurity/defsec v0.94.1/go.mod h1:wiX9BX0SOG0ZWjVIPYGPl46fyO3Gu8lJnk4rmhFR7IA=
-github.com/aquasecurity/go-dep-parser v0.0.0-20231229070651-5f0903175562 h1:jdymGFJpArgx1ZZW7yqgCV8Tt+sEZ4jKxjQufPYRSXE=
-github.com/aquasecurity/go-dep-parser v0.0.0-20231229070651-5f0903175562/go.mod h1:B+gSaiuXV258CtyfBwFvG87+GE/FOh6W4N+LMuQxvVA=
+github.com/aquasecurity/go-dep-parser v0.0.0-20240124102329-7be7d210a3d4 h1:Ex+YahhZPTu0WF9IKngLr/oRWgW5TN9ed0n4Twsq2Hw=
+github.com/aquasecurity/go-dep-parser v0.0.0-20240124102329-7be7d210a3d4/go.mod h1:P0PmelcN1ABKJrDzRbPnn6hK7RvgI+xmjiV/9uPaNnY=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-mock-aws v0.0.0-20240109054747-49e4b5da33cb h1:dNxUB2bSbiLGNYcXkbBKrrfuY96+dXhA9FahEFZ4THQ=
diff --git a/pkg/fanal/analyzer/language/java/pom/pom_test.go b/pkg/fanal/analyzer/language/java/pom/pom_test.go
@@ -29,11 +29,25 @@ func Test_pomAnalyzer_Analyze(t *testing.T) {
 						Type:     types.Pom,
 						FilePath: "testdata/happy/pom.xml",
 						Libraries: types.Packages{
+							{
+								ID:      "com.example:example-api:2.0.0",
+								Name:    "com.example:example-api",
+								Version: "2.0.0",
+								Locations: []types.Location{
+									{
+										StartLine: 28,
+										EndLine:   32,
+									},
+								},
+							},
 							{
 								ID:       "com.example:example:1.0.0",
 								Name:     "com.example:example",
 								Version:  "1.0.0",
 								Licenses: []string{"Apache-2.0"},
+								DependsOn: []string{
+									"com.example:example-api:2.0.0",
+								},
 							},
 						},
 					},
@@ -50,11 +64,25 @@ func Test_pomAnalyzer_Analyze(t *testing.T) {
 						Type:     types.Pom,
 						FilePath: "pom.xml",
 						Libraries: types.Packages{
+							{
+								ID:      "com.example:example-api:2.0.0",
+								Name:    "com.example:example-api",
+								Version: "2.0.0",
+								Locations: []types.Location{
+									{
+										StartLine: 28,
+										EndLine:   32,
+									},
+								},
+							},
 							{
 								ID:       "com.example:example:1.0.0",
 								Name:     "com.example:example",
 								Version:  "1.0.0",
 								Licenses: []string{"Apache-2.0"},
+								DependsOn: []string{
+									"com.example:example-api:2.0.0",
+								},
 							},
 						},
 					},
@@ -104,6 +132,9 @@ func Test_pomAnalyzer_Analyze(t *testing.T) {
 				Dir:      tt.inputDir,
 				FilePath: tt.inputFile,
 				Content:  f,
+				Options: analyzer.AnalysisOptions{
+					Offline: true,
+				},
 			})
 			if tt.wantErr != "" {
 				require.NotNil(t, err)
diff --git a/pkg/fanal/analyzer/language/java/pom/testdata/happy/pom.xml b/pkg/fanal/analyzer/language/java/pom/testdata/happy/pom.xml
@@ -23,4 +23,12 @@
             <url>https://github.com/knqyf263</url>
         </developer>
     </developers>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.example</groupId>
+            <artifactId>example-api</artifactId>
+            <version>2.0.0</version>
+        </dependency>
+    </dependencies>
 </project>
