
Commit a7a304d

fix(java): use go-mvn-version to remove Package duplicates (#7088)
Co-authored-by: Teppei Fukuda <[email protected]>
1 parent cb89fbb commit a7a304d


3 files changed

+62
-13
lines changed


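--- a/pkg/dependency/parser/java/jar/parse.go
+++ b/pkg/dependency/parser/java/jar/parse.go
@@ -6,15 +6,15 @@ import (
 "crypto/sha1" // nolint:gosec
 "encoding/hex"
 "errors"
-"fmt"
 "io"
 "os"
 "path"
 "path/filepath"
 "regexp"
+"slices"
 "strings"
 
-"github.com/samber/lo"
+mavenversion "github.com/masahiro331/go-mvn-version"
 "golang.org/x/xerrors"
 
 ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
@@ -439,7 +439,24 @@ func (m manifest) determineVersion() (string, error) {
 }
 
 func removePackageDuplicates(pkgs []ftypes.Package) []ftypes.Package {
-return lo.UniqBy(pkgs, func(pkg ftypes.Package) string {
-return fmt.Sprintf("%s::%s::%s", pkg.Name, pkg.Version, pkg.FilePath)
-})
+// name::filePath => versions
+var uniq = make(map[string][]mavenversion.Version)
+var uniqPkgs []ftypes.Package
+for _, pkg := range pkgs {
+uniqID := pkg.Name + "::" + pkg.FilePath
+// err is always nil
+// cf. https://github.com/masahiro331/go-mvn-version/blob/d3157d602a08806ad94464c443e0cef1370694a1/version.go#L20-L25
+pkgVer, _ := mavenversion.NewVersion(pkg.Version)
+savedVers, ok := uniq[uniqID]
+if !ok || !slices.ContainsFunc(savedVers, func(v mavenversion.Version) bool {
+// There are times when patch `0` is omitted.
+// So we can't compare versions just as strings
+// for example `2.17.0` and `2.17` must be equal
+return v.Equal(pkgVer)
+}) {
+uniq[uniqID] = append(uniq[uniqID], pkgVer)
+uniqPkgs = append(uniqPkgs, pkg)
+}
+}
+return uniqPkgs
 }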
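Review bot: `pkgVer, _ := mavenversion.NewVersion(pkg.Version)` discards the parse error on the strength of a comment that pins "err is always nil" to a single upstream commit, so the guarantee silently lapses on the next bump of go-mvn-version. If a later release returns an error (with a zero or partial `Version`) for some input, every unparseable spelling under the same `name::filePath` could compare `Equal` and all but the first would be dropped from the scan result, which is exactly the kind of silent loss a de-duplication step must not introduce. Handling the error by keeping the package and skipping the comparison is cheap and changes nothing today; the rewritten lines are below. Separately, when two Maven-equal spellings such as `2.17` and `2.17.0` meet, the first one in `pkgs` is the one reported, so the retained version string depends on input order, and a one-line comment on `uniqPkgs = append(uniqPkgs, pkg)` such as `// first-seen spelling of an equal version wins` would save the next reader from guessing. `removePackageDuplicates` lies entirely within the hunk.
```go
		uniqID := pkg.Name + "::" + pkg.FilePath
		pkgVer, err := mavenversion.NewVersion(pkg.Version)
		if err != nil {
			// Unparseable version: keep the package rather than let a zero
			// Version collapse distinct spellings into a single entry.
			uniqPkgs = append(uniqPkgs, pkg)
			continue
		}
		// … unchanged: Equal-based comparison against uniq[uniqID] …
```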

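--- a/pkg/dependency/parser/java/jar/parse_test.go
+++ b/pkg/dependency/parser/java/jar/parse_test.go
@@ -168,22 +168,54 @@ var (
 },
 }
 
-// manually created
+// Manually created.
+// Files of `io.quarkus.gizmo.gizmo-1.1.jar` (gizmo:1.1.0 (from sha1)):
+//├── bar
+//│ ├── bar
+//│ │ └── pom.properties (jackson-databind:2.13.4)
+//│ └── foo
+//│ └── pom.properties (jackson-databind:2.12.3)
+//├── foo
+//│ ├── bar
+//│ │ └── pom.properties (jackson-databind:2.12.3)
+//│ └── foo
+//│ └── pom.properties (jackson-databind:2.13.4)
+//├── jars
+//│ ├── log4j-1.2.16.jar (log4j:1.2.16)
+//│ └── log4j-1.2.17.jar (log4j:1.2.17)
+//└── META-INF
+// ├── INDEX.LIST
+// ├── MANIFEST.MF
+// └── maven
+// └── io.quarkus.gizmo
+// └── gizmo
+// ├── pom.properties (gizmo:1.1)
+// └── pom.xml
 wantDuplicatesJar = []ftypes.Package{
 {
 Name: "io.quarkus.gizmo:gizmo",
-Version: "1.1.1.Final",
-FilePath: "testdata/io.quarkus.gizmo.gizmo-1.1.1.Final.jar",
+Version: "1.1",
+FilePath: "testdata/io.quarkus.gizmo.gizmo-1.1.jar",
 },
 {
 Name: "log4j:log4j",
 Version: "1.2.16",
-FilePath: "testdata/io.quarkus.gizmo.gizmo-1.1.1.Final.jar/jars/log4j-1.2.16.jar",
+FilePath: "testdata/io.quarkus.gizmo.gizmo-1.1.jar/jars/log4j-1.2.16.jar",
 },
 {
 Name: "log4j:log4j",
 Version: "1.2.17",
-FilePath: "testdata/io.quarkus.gizmo.gizmo-1.1.1.Final.jar/jars/log4j-1.2.17.jar",
+FilePath: "testdata/io.quarkus.gizmo.gizmo-1.1.jar/jars/log4j-1.2.17.jar",
+},
+{
+Name: "com.fasterxml.jackson.core:jackson-databind",
+Version: "2.12.3",
+FilePath: "testdata/io.quarkus.gizmo.gizmo-1.1.jar",
+},
+{
+Name: "com.fasterxml.jackson.core:jackson-databind",
+Version: "2.13.4",
+FilePath: "testdata/io.quarkus.gizmo.gizmo-1.1.jar",
 },
 }
 )
@@ -251,7 +283,7 @@ func TestParse(t *testing.T) {
 },
 {
 name: "duplicate libraries",
-file: "testdata/io.quarkus.gizmo.gizmo-1.1.1.Final.jar",
+file: "testdata/io.quarkus.gizmo.gizmo-1.1.jar",
 want: wantDuplicatesJar,
 },
 }
@@ -277,13 +309,13 @@ func TestParse(t *testing.T) {
 }
 case strings.Contains(r.URL.Query().Get("q"), "Gizmo"):
 res.Response.NumFound = 0
-case strings.Contains(r.URL.Query().Get("q"), "85d30c06026afd9f5be26da3194d4698c447a904"):
+case strings.Contains(r.URL.Query().Get("q"), "1c78bbc4d8c58b9af8eee82b84f2c26ec48e9a2b"):
 res.Response.Docs = []doc{
 {
 ID: "io.quarkus.gizmo.gizmo",
 GroupID: "io.quarkus.gizmo",
 ArtifactID: "gizmo",
-Version: "1.1.1.Final",
+Version: "1.1.0",
 },
 }
 case strings.Contains(r.URL.Query().Get("q"), "heuristic"):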
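Review bot: `wantDuplicatesJar` expects gizmo at `Version: "1.1"` while the fixture, per the tree comment, also yields `gizmo:1.1.0` from the sha1 lookup (the mock returns `Version: "1.1.0"` for `1c78bbc4…`), and nothing in the test says why `1.1` rather than `1.1.0` is the surviving spelling; presumably it is whichever the parser emits first. A reader reordering the parser's passes or tightening the fixture would not know this assertion is order-sensitive, so a comment on the gizmo entry such as `// "1.1" (pom.properties) and "1.1.0" (sha1) are Maven-equal; the first one emitted is kept` would make the intent explicit. The enclosing `var (...)` block starts before the first hunk, and `TestParse` extends beyond the hunks shown.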
