fix: pomxml parser not working when renamed files (#505)

* fix: pomxml parser not working when renamed files * fix: pom.xml parsing with differnet filename * removed test file' * remvoed unused code
2025-12-10 00:22:08 -06:00 · 2025-06-03 13:49:32 +05:30 · 2025-06-03 13:49:32 +05:30 · 4f43177976
commit 4f43177976
parent 0a2d642ea8
4 changed files with 53 additions and 57 deletions
--- a/pkg/parser/fixtures/java/remote/pom.xml
+++ b/pkg/parser/fixtures/java/remote/pom.xml
@ -0,0 +1,23 @@
+<project>
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.example</groupId>
+    <artifactId>child</artifactId>
+    <version>1.0.0</version>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>3.3.0</version>
+        <relativePath/> <!-- Uses remote parent from Maven Central -->
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <!-- No version: managed by spring-boot-starter-parent -->
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>
--- a/pkg/parser/pomxml.go
+++ b/pkg/parser/pomxml.go
@ -3,11 +3,11 @@ package parser
 import (
 	"context"
 	"fmt"
-	scalibr "github.com/google/osv-scalibr"
-	el "github.com/google/osv-scalibr/extractor/filesystem/list"
-	"github.com/google/osv-scalibr/plugin"
-	"github.com/safedep/vet/pkg/common/logger"
+	"github.com/google/osv-scalibr/extractor/filesystem"
+	"github.com/google/osv-scalibr/extractor/filesystem/language/java/pomxmlnet"
+	"github.com/google/osv-scalibr/fs"
 	"github.com/safedep/vet/pkg/models"
+	"os"
 )

 // parseMavenPomXmlFile parses the pom.xml file in a maven project.
@ -15,50 +15,28 @@ import (
 // We use osc-scalibr's java/pomxmlnet (with Net, or Network) to fetch dependency from registry.
 func parseMavenPomXmlFile(lockfilePath string, _ *ParserConfig) (*models.PackageManifest, error) {
 	// Java/PomXMLNet extractor
-	ext, err := el.ExtractorsFromNames([]string{"java/pomxmlnet"})
+	pomXmlNetExtractor := pomxmlnet.NewDefault()
+
+	file, err := os.Open(lockfilePath)
 	if err != nil {
-		logger.Errorf("Failed to create java/pomxmlnet extractor form osv-scalibr: %s", err.Error())
-		return nil, fmt.Errorf("failed to create java/pomxmlnet extractor: %w", err)
+		return nil, fmt.Errorf("failed to open lockfile: %s", err)
+	}
+	defer file.Close()
+
+	inputConfig := &filesystem.ScanInput{
+		FS:     fs.DirFS("."),
+		Path:   lockfilePath,
+		Reader: file,
 	}

-	// Capability is required for filtering the extractors,
-	// For example, osv-scalibr has 33 default extractors for instance, go, JavaScript, java/gradel, java/pomxml etc.
-	// Then this capability is used to filter with some property, like network (as required by our java/pomxmlnet)
-	capability := &plugin.Capabilities{
-		OS:            plugin.OSAny,
-		Network:       plugin.NetworkOnline, // Network Online is Crucial for java/pomxml
-		DirectFS:      true,
-		RunningSystem: true,
-	}
-
-	// Apply capabilities
-	ext = el.FilterByCapabilities(ext, capability)
-
-	// Find the default scan root.
-	scanRoots, err := scalibrDefaultScanRoots()
+	inventory, err := pomXmlNetExtractor.Extract(context.Background(), inputConfig)
 	if err != nil {
-		logger.Errorf("Failed to create scan roots for osv-scalibr: %s", err.Error())
-		return nil, fmt.Errorf("failed to create scan roots for osv-scalibr: %w", err)
-	}
-
-	// ScanConfig
-	config := &scalibr.ScanConfig{
-		ScanRoots:            scanRoots,
-		FilesystemExtractors: ext,
-		Capabilities:         capability,
-		PathsToExtract:       []string{lockfilePath},
-	}
-
-	result := scalibr.New().Scan(context.Background(), config)
-
-	if result.Status.Status != plugin.ScanStatusSucceeded {
-		logger.Warnf("osv-scalibr scan did not performed scan with success")
-		return nil, fmt.Errorf("osv-scalibr scan did not performed scan with success: Status %s", result.Status.String())
+		return nil, fmt.Errorf("failed to extract packages: %s", err)
 	}

 	manifest := models.NewPackageManifestFromLocal(lockfilePath, models.EcosystemMaven)

-	for _, pkg := range result.Inventory.Packages {
+	for _, pkg := range inventory.Packages {
 		pkgDetails := models.NewPackageDetail(models.EcosystemMaven, pkg.Name, pkg.Version)
 		modelPackage := &models.Package{
 			PackageDetails: pkgDetails,
--- a/pkg/parser/pomxml_test.go
+++ b/pkg/parser/pomxml_test.go
@ -37,3 +37,15 @@ func Test_MavenPomXmlParser_ChildParentRelation(t *testing.T) {
 		assert.Contains(t, deps, pkg.Name)
 	}
 }
+
+func Test_MavenPomXmlParser_RemoteParent(t *testing.T) {
+	manifest, err := parseMavenPomXmlFile("./fixtures/java/remote/pom.xml", &ParserConfig{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assert.Equal(t, len(manifest.Packages), 4)
+	for _, pkg := range manifest.Packages {
+		assert.Contains(t, deps, pkg.Name)
+	}
+}
--- a/pkg/parser/scalibr.go
+++ b/pkg/parser/scalibr.go
@ -1,8 +1,6 @@
 package parser

 import (
-	"github.com/google/osv-scalibr/binary/platform"
-	scalibrfs "github.com/google/osv-scalibr/fs"
 	scalibrlog "github.com/google/osv-scalibr/log"
 )

@ -11,21 +9,6 @@ func init() {
 	scalibrlog.SetLogger(silentLogger{})
 }

-// ScalibrDefaultScanRoots function returns the default scan root required for osv-scalibr
-// Default is `/`
-func scalibrDefaultScanRoots() ([]*scalibrfs.ScanRoot, error) {
-	var scanRoots []*scalibrfs.ScanRoot
-	var scanRootPaths []string
-	var err error
-	if scanRootPaths, err = platform.DefaultScanRoots(false); err != nil {
-		return nil, err
-	}
-	for _, r := range scanRootPaths {
-		scanRoots = append(scanRoots, &scalibrfs.ScanRoot{FS: scalibrfs.DirFS(r), Path: r})
-	}
-	return scanRoots, nil
-}
-
 // silentLogger is custom logger for osv-scalibr
 // Primarily used to ignore / mute the osv-scalibr's native logging
 type silentLogger struct{}