fix: Prefer pom.properties G/A/V over pom.xml G/A/V to resolve GAV in…

…terpolation issues Improves the fix of #5418 as a quick-fix Fixes #5450
dependency-check · Feb 18, 2023 · e183bfb · e183bfb
1 parent c187bca
commit e183bfb
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 12 deletions.
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -446,6 +446,7 @@ protected boolean analyzePOM(Dependency dependency, List<ClassNameInformation> c
                     final Properties pomProperties = retrievePomProperties(path, jar);
                     final File pomFile = extractPom(path, jar);
                     final Model pom = PomUtils.readPom(pomFile);
+                    pom.setGAVFromPomDotProperties(pomProperties);
                     pom.processProperties(pomProperties);
 
                     final String artifactId = new File(path).getParentFile().getName();

diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java b/core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java
@@ -335,18 +335,6 @@ public void processProperties(Properties properties) {
         if (properties == null) {
             return;
         }
-        this.groupId = interpolateString(this.groupId, properties);
-        if (groupId == null && properties.containsKey("groupId")) {
-            this.groupId = properties.getProperty("groupId");
-        }
-        this.artifactId = interpolateString(this.artifactId, properties);
-        if (artifactId == null && properties.containsKey("artifactId")) {
-            this.artifactId = properties.getProperty("artifactId");
-        }
-        this.version = interpolateString(this.version, properties);
-        if (version == null && properties.containsKey("version")) {
-            this.version = properties.getProperty("version");
-        }
         this.description = interpolateString(this.description, properties);
         for (License l : this.getLicenses()) {
             l.setName(interpolateString(l.getName(), properties));
@@ -398,6 +386,24 @@ public static String interpolateString(String text, Properties properties) {
         return substitutor.replace(text);
     }
 
+    /**
+     * Replaces the group/artifact/version obtained from the pom.xml which may contain variable references
+     * with the interpolated values of the
+     * <a href="https://maven.apache.org/shared/maven-archiver/#pom-properties-content>pom.properties</a>
+     * content (when present). Validates that at least the documented properties for the G/A/V coordinates
+     * are all present. If not it will leave the model unmodified as the property-source was apparently not
+     * a valid pom.properties file for the pom.xml.
+     * @param pomProperties A properties object that holds the properties from a pom.properties file.
+     */
+    public void setGAVFromPomDotProperties(Properties pomProperties) {
+        if (!pomProperties.containsKey("groupId") || !pomProperties.containsKey("artifactId")|| !pomProperties.containsKey("version")) {
+            return;
+        }
+        this.groupId = pomProperties.getProperty("groupId");
+        this.artifactId = pomProperties.getProperty("artifactId");
+        this.version = pomProperties.getProperty("version");
+    }
+
     /**
      * Utility class that can provide values from a Properties object to a
      * StringSubstitutor.