From 243c5311a6e812350b5c94f9ece7e0751c25df89 Mon Sep 17 00:00:00 2001
From: Xueqin Cui
Date: Mon, 23 Dec 2024 11:25:45 +1100
Subject: [PATCH 1/3] fix(maven): do not add registries when fetching requirements
---
 internal/resolution/client/maven_registry_client.go | 8 ++++++--
 .../scalibrextract/language/java/pomxmlnet/extractor.go | 3 ++-
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/internal/resolution/client/maven_registry_client.go b/internal/resolution/client/maven_registry_client.go
index 8f19b47c2c..0cd762d357 100644
--- a/internal/resolution/client/maven_registry_client.go
+++ b/internal/resolution/client/maven_registry_client.go
@@ -98,6 +98,7 @@ func (c *MavenRegistryClient) Requirements(ctx context.Context, vk resolve.Versi
 if !found {
 return nil, fmt.Errorf("invalid Maven package name %s", vk.Name)
 }
+
 proj, err := c.api.GetProject(ctx, g, a, vk.Version)
 if err != nil {
 return nil, err
@@ -107,12 +108,15 @@ func (c *MavenRegistryClient) Requirements(ctx context.Context, vk resolve.Versi
 if err := proj.MergeProfiles("", maven.ActivationOS{}); err != nil {
 return nil, err
 }
+
+ // We should not add registries defined in dependencies pom.xml files.
+ apiWithoutRegistries := c.api.WithoutRegistries()
 // We need to merge parents for potential dependencies in parents.
- if err := mavenutil.MergeParents(ctx, c.api, &proj, proj.Parent, 1, "", false); err != nil {
+ if err := mavenutil.MergeParents(ctx, apiWithoutRegistries, &proj, proj.Parent, 1, "", false); err != nil {
 return nil, err
 }
 proj.ProcessDependencies(func(groupID, artifactID, version maven.String) (maven.DependencyManagement, error) {
- return mavenutil.GetDependencyManagement(ctx, c.api, groupID, artifactID, version)
+ return mavenutil.GetDependencyManagement(ctx, apiWithoutRegistries, groupID, artifactID, version)
 })
 
 reqs := make([]resolve.RequirementVersion, 0, len(proj.Dependencies))
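Review bot: The new comment above `apiWithoutRegistries := c.api.WithoutRegistries()` in the second hunk of maven_registry_client.go says what is done but not why, and the diffstat lists no test file, so nothing pins the new behaviour. A dependency's pom.xml is content the scanned project does not control, and the comment could say so: `// Registries declared in a dependency's pom.xml are untrusted input and must not be added to the shared client c.api.` `WithoutRegistries` is defined outside this patch, so it is not visible here whether the returned client also drops registries configured by the scanned project itself. If it does, a parent POM hosted only in such a registry would make `MergeParents` fail and `Requirements` return that error, which deserves a test next to one asserting that a registry declared only in a dependency POM is never queried. `Requirements` starts and ends outside the hunk.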
diff --git a/internal/scalibrextract/language/java/pomxmlnet/extractor.go b/internal/scalibrextract/language/java/pomxmlnet/extractor.go
index 7c61dc8c56..57ed517c82 100644
--- a/internal/scalibrextract/language/java/pomxmlnet/extractor.go
+++ b/internal/scalibrextract/language/java/pomxmlnet/extractor.go
@@ -132,7 +132,8 @@ func (e Extractor) Extract(ctx context.Context, input *filesystem.ScanInput) ([]
 }
 overrideClient.AddVersion(root, reqs)
 
- client.PreFetch(ctx, overrideClient, reqs, input.Path)
+ // TODO: only run `PreFetch` for deps.dev client
+ // client.PreFetch(ctx, overrideClient, reqs, input.Path)
 g, err := resolver.Resolve(ctx, root.VersionKey)
 if err != nil {
 return nil, fmt.Errorf("failed resolving %v: %w", root, err)
From 0ba3db2f5584dc5339366789753a2343186982f5 Mon Sep 17 00:00:00 2001
From: Xueqin Cui
Date: Mon, 23 Dec 2024 14:00:01 +1100
Subject: [PATCH 2/3] misc
---
 internal/resolution/client/maven_registry_client.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/internal/resolution/client/maven_registry_client.go b/internal/resolution/client/maven_registry_client.go
index 0cd762d357..a76ee121f3 100644
--- a/internal/resolution/client/maven_registry_client.go
+++ b/internal/resolution/client/maven_registry_client.go
@@ -98,7 +98,6 @@ func (c *MavenRegistryClient) Requirements(ctx context.Context, vk resolve.Versi
 if !found {
 return nil, fmt.Errorf("invalid Maven package name %s", vk.Name)
 }
-
 proj, err := c.api.GetProject(ctx, g, a, vk.Version)
 if err != nil {
 return nil, err
From c422c680a7bbb073523956c926de9310a17b3ff6 Mon Sep 17 00:00:00 2001
From: Xueqin Cui
Date: Mon, 23 Dec 2024 14:12:35 +1100
Subject: [PATCH 3/3] lint
---
 internal/scalibrextract/language/java/pomxmlnet/extractor.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/scalibrextract/language/java/pomxmlnet/extractor.go b/internal/scalibrextract/language/java/pomxmlnet/extractor.go
index 9c1505f415..64140cfc77 100644
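Review bot: In the PATCH 1/3 hunk for `Extract` in extractor.go, the `client.PreFetch` call is commented out rather than removed or gated, which turns it off for every client, including the deps.dev client the TODO says should keep it. Commented-out code is not compiled, so it can drift from the real signature unnoticed, and the commit subject only mentions registries, so this behaviour change is easy to miss in history. Either delete the line and track the work in an issue, or make the TODO say why the call is disabled and when it comes back, e.g. `// TODO(<issue-id>): PreFetch is disabled because <reason>; re-enable once it can be limited to the deps.dev client.` If `client` has no other use in this file the import becomes unused, which is worth checking since the rest of `Extract` and the file lie outside the hunk.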
--- a/internal/scalibrextract/language/java/pomxmlnet/extractor.go
+++ b/internal/scalibrextract/language/java/pomxmlnet/extractor.go
@@ -131,7 +131,7 @@ func (e Extractor) Extract(ctx context.Context, input *filesystem.ScanInput) ([]
 }
 }
 overrideClient.AddVersion(root, reqs)
-
+
 // TODO: only run `PreFetch` for deps.dev client
 // client.PreFetch(ctx, overrideClient, reqs, filepath.Join(input.Root, input.Path))
 g, err := resolver.Resolve(ctx, root.VersionKey)