Skip to content

Commit

Permalink
fix(java): use go-mvn-version to remove Package duplicates (#7088)
Browse files Browse the repository at this point in the history
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
  • Loading branch information
DmitriyLewen and knqyf263 authored Jul 4, 2024
1 parent cb89fbb commit a7a304d
Show file tree
Hide file tree
Showing 3 changed files with 62 additions and 13 deletions.
27 changes: 22 additions & 5 deletions pkg/dependency/parser/java/jar/parse.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,15 +6,15 @@ import (
"crypto/sha1" // nolint:gosec
"encoding/hex"
"errors"
"fmt"
"io"
"os"
"path"
"path/filepath"
"regexp"
"slices"
"strings"

"github.com/samber/lo"
mavenversion "github.com/masahiro331/go-mvn-version"
"golang.org/x/xerrors"

ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
Expand Down Expand Up @@ -439,7 +439,24 @@ func (m manifest) determineVersion() (string, error) {
}

func removePackageDuplicates(pkgs []ftypes.Package) []ftypes.Package {
return lo.UniqBy(pkgs, func(pkg ftypes.Package) string {
return fmt.Sprintf("%s::%s::%s", pkg.Name, pkg.Version, pkg.FilePath)
})
// name::filePath => versions
var uniq = make(map[string][]mavenversion.Version)
var uniqPkgs []ftypes.Package
for _, pkg := range pkgs {
uniqID := pkg.Name + "::" + pkg.FilePath
// err is always nil
// cf. /~https://github.com/masahiro331/go-mvn-version/blob/d3157d602a08806ad94464c443e0cef1370694a1/version.go#L20-L25
pkgVer, _ := mavenversion.NewVersion(pkg.Version)
savedVers, ok := uniq[uniqID]
if !ok || !slices.ContainsFunc(savedVers, func(v mavenversion.Version) bool {
// There are times when patch `0` is omitted.
// So we can't compare versions just as strings
// for example `2.17.0` and `2.17` must be equal
return v.Equal(pkgVer)
}) {
uniq[uniqID] = append(uniq[uniqID], pkgVer)
uniqPkgs = append(uniqPkgs, pkg)
}
}
return uniqPkgs
}
48 changes: 40 additions & 8 deletions pkg/dependency/parser/java/jar/parse_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -168,22 +168,54 @@ var (
},
}

// manually created
// Manually created.
// Files of `io.quarkus.gizmo.gizmo-1.1.jar` (gizmo:1.1.0 (from sha1)):
//├── bar
//│ ├── bar
//│ │ └── pom.properties (jackson-databind:2.13.4)
//│ └── foo
//│ └── pom.properties (jackson-databind:2.12.3)
//├── foo
//│ ├── bar
//│ │ └── pom.properties (jackson-databind:2.12.3)
//│ └── foo
//│ └── pom.properties (jackson-databind:2.13.4)
//├── jars
//│ ├── log4j-1.2.16.jar (log4j:1.2.16)
//│ └── log4j-1.2.17.jar (log4j:1.2.17)
//└── META-INF
// ├── INDEX.LIST
// ├── MANIFEST.MF
// └── maven
// └── io.quarkus.gizmo
// └── gizmo
// ├── pom.properties (gizmo:1.1)
// └── pom.xml
wantDuplicatesJar = []ftypes.Package{
{
Name: "io.quarkus.gizmo:gizmo",
Version: "1.1.1.Final",
FilePath: "testdata/io.quarkus.gizmo.gizmo-1.1.1.Final.jar",
Version: "1.1",
FilePath: "testdata/io.quarkus.gizmo.gizmo-1.1.jar",
},
{
Name: "log4j:log4j",
Version: "1.2.16",
FilePath: "testdata/io.quarkus.gizmo.gizmo-1.1.1.Final.jar/jars/log4j-1.2.16.jar",
FilePath: "testdata/io.quarkus.gizmo.gizmo-1.1.jar/jars/log4j-1.2.16.jar",
},
{
Name: "log4j:log4j",
Version: "1.2.17",
FilePath: "testdata/io.quarkus.gizmo.gizmo-1.1.1.Final.jar/jars/log4j-1.2.17.jar",
FilePath: "testdata/io.quarkus.gizmo.gizmo-1.1.jar/jars/log4j-1.2.17.jar",
},
{
Name: "com.fasterxml.jackson.core:jackson-databind",
Version: "2.12.3",
FilePath: "testdata/io.quarkus.gizmo.gizmo-1.1.jar",
},
{
Name: "com.fasterxml.jackson.core:jackson-databind",
Version: "2.13.4",
FilePath: "testdata/io.quarkus.gizmo.gizmo-1.1.jar",
},
}
)
Expand Down Expand Up @@ -251,7 +283,7 @@ func TestParse(t *testing.T) {
},
{
name: "duplicate libraries",
file: "testdata/io.quarkus.gizmo.gizmo-1.1.1.Final.jar",
file: "testdata/io.quarkus.gizmo.gizmo-1.1.jar",
want: wantDuplicatesJar,
},
}
Expand All @@ -277,13 +309,13 @@ func TestParse(t *testing.T) {
}
case strings.Contains(r.URL.Query().Get("q"), "Gizmo"):
res.Response.NumFound = 0
case strings.Contains(r.URL.Query().Get("q"), "85d30c06026afd9f5be26da3194d4698c447a904"):
case strings.Contains(r.URL.Query().Get("q"), "1c78bbc4d8c58b9af8eee82b84f2c26ec48e9a2b"):
res.Response.Docs = []doc{
{
ID: "io.quarkus.gizmo.gizmo",
GroupID: "io.quarkus.gizmo",
ArtifactID: "gizmo",
Version: "1.1.1.Final",
Version: "1.1.0",
},
}
case strings.Contains(r.URL.Query().Get("q"), "heuristic"):
Expand Down
Binary file not shown.

0 comments on commit a7a304d

Please sign in to comment.