Fail to update Maven packages with properties in their names #1238

michaelkedar · 2024-09-11T06:12:46Z

If a Maven dependency uses a property in its artifactId or groupId, the writer does not find the original definition of the package and will end up creating a new section for the patch.

e.g. Starting with this:

<properties>
  <artifact>foo</artifact>
</properties>
<dependencies>
  <dependency>
    <groupId>com.xyz</groupId>
    <artifactId>${artifact}</artifactId>
    <version>1.0.0</version>
  </dependency>
</dependencies>

A patch to com.xyz:foo will end up looking like:

<properties>
  <artifact>foo</artifact>
</properties>
<dependencies>
  <dependency>
    <groupId>com.xyz</groupId>
    <artifactId>${artifact}</artifactId>
    <version>1.0.0</version>
  </dependency>
</dependencies>
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.xyz</groupId>
      <artifactId>foo</artifactId>
      <version>2.0.0</version>
    </dependency>
  </dependencies>
</dependencyManagement>

Which, in this case, does not actually override the version of the package (despite the override claiming it would).

The text was updated successfully, but these errors were encountered:

michaelkedar added bug Something isn't working guided remediation Related to guided remediation / osv-scanner fix labels Sep 11, 2024

cuixq changed the title ~~pom.xml updates aren't correct for packages that use a properties in their names~~ Fail to update Maven packages with properties in their names Sep 11, 2024

google deleted a comment from Apetree100122 Oct 2, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fail to update Maven packages with properties in their names #1238

Fail to update Maven packages with properties in their names #1238

michaelkedar commented Sep 11, 2024

Fail to update Maven packages with properties in their names #1238

Fail to update Maven packages with properties in their names #1238

Comments

michaelkedar commented Sep 11, 2024