Merge pull request #321 from luotianqi777/fix-mvn

fix: mvn direct dependecy scope

Author: cyberchen1995

opensca/sca/java/mvn.go

@@ -284,6 +284,22 @@ func inheritPom(pom *Pom, getpom getPomFunc) {
 	}
 }
 
+func replacePomDependency(old, new *PomDependency, indirect bool) (replaced *PomDependency) {
+	originVersion := old.Version
+	originScope := old.Scope
+	dep := *new
+	replaced = &dep
+	// 间接依赖优先使用新的version
+	if indirect && replaced.Version == "" {
+		replaced.Version = originVersion
+	}
+	// 直接依赖优先保留原始scope
+	if !indirect && originScope != "" {
+		replaced.Scope = originScope
+	}
+	return
+}
+
 // parsePom 解析单个pom 返回该pom的依赖图
 func parsePom(ctx context.Context, pom *Pom, getpom getPomFunc) *model.DepGraph {
 
@@ -364,7 +380,7 @@ func parsePom(ctx context.Context, pom *Pom, getpom getPomFunc) *model.DepGraph
 			if d, ok := depManagement[dep.Index2()]; ok {
 				exclusion := append(dep.Exclusions, d.Exclusions...)
 				if dep.Version == "" {
-					dep = d
+					dep = replacePomDependency(dep, d, false)
 				}
 				dep.Exclusions = exclusion
 				np.Update(dep)
@@ -375,11 +391,7 @@ func parsePom(ctx context.Context, pom *Pom, getpom getPomFunc) *model.DepGraph
 				d, ok := rootPomManagement[dep.Index2()]
 				if ok {
 					exclusion := append(dep.Exclusions, d.Exclusions...)
-					originVersion := dep.Version
-					dep = d
-					if dep.Version == "" {
-						dep.Version = originVersion
-					}
+					dep = replacePomDependency(dep, d, true)
 					dep.Exclusions = exclusion
 					pom.Update(dep)
 				}

test/java/18/pom.xml

@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>foo</groupId>
+    <artifactId>demo</artifactId>
+    <packaging>pom</packaging>
+    <version>1.0</version>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.apache.logging.log4j</groupId>
+                <artifactId>log4j-core</artifactId>
+                <scope>compile</scope>
+                <version>1.0</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.logging.log4j</groupId>
+                <artifactId>log4j-core2</artifactId>
+                <scope>test</scope>
+                <version>2.0</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.logging.log4j</groupId>
+                <artifactId>log4j-core3</artifactId>
+                <scope>test</scope>
+                <version>3.0</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core2</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core3</artifactId>
+            <scope>compile</scope>
+        </dependency>
+    </dependencies>
+
+</project>

test/java/java_test.go

@@ -194,6 +194,15 @@ var cases = []tool.TaskCase{
 			tool.Dep3("org.apache.logging.log4j", "log4j-core", "2.17.2"),
 		),
 	)},
+
+	// 直接依赖优先级高于dependencyManagement
+	{Path: "18", Result: tool.Dep("", "",
+		tool.Dep3("foo", "demo", "1.0",
+			tool.DevDep3("org.apache.logging.log4j", "log4j-core", "1.0"),
+			tool.DevDep3("org.apache.logging.log4j", "log4j-core2", "2.0"),
+			tool.Dep3("org.apache.logging.log4j", "log4j-core3", "3.0"),
+		),
+	)},
 }
 
 func Test_JavaWithStatic(t *testing.T) {