-
Notifications
You must be signed in to change notification settings - Fork 365
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Failures when scanning pom.xml files with a <parent> tag #1321
Comments
Thanks for the report! @cuixq can you please take a look at this? |
@LironJit we launched transitive scanning for Maven pom.xml in version 1.8.1 which makes network requests to fetch parent POMs. When I investigated this issue I noticed the following error:
and I am going to make a fix for this. However this issue still stops the scanner working for pom.xml without Could you give us more information on the error you see when running the scanner? Thanks. |
#1321 If non UTF-8 encoding is declared in pom.xml, we need to set `CharsetReader` to avoid the error.
I have the same problem and would like to help, however I'm not sure how. For starters I added the parent error to r.Errorf("Attempted to scan lockfile but failed: %s: %s\n", err, path) Now I get: $ go run . --verbosity verbose -skip-git -r myservice
Scanning dir myservice
Attempted to scan lockfile but failed: failed extracting myservice/api-mock/pom.xml: failed to merge parents: failed to get Maven project com.company.commons:maven.artifactory:2.0: failed to fetch Maven project com.company.commons:maven.artifactory@2.0: myservice/api-mock/pom.xml
Attempted to scan lockfile but failed: failed extracting myservice/myservice/pom.xml: failed to merge parents: failed to get Maven project com.company.commons:maven.artifactory:2.0: failed to fetch Maven project com.company.commons:maven.artifactory@2.0: myservice/myservice/pom.xml
Attempted to scan lockfile but failed: failed extracting myservice/myservice-st/pom.xml: failed to merge parents: failed to get Maven project com.company.commons:maven.artifactory:2.0: failed to fetch Maven project com.company.commons:maven.artifactory@2.0: myservice/myservice-st/pom.xml
Attempted to scan lockfile but failed: failed extracting myservice/pom.xml: failed to merge parents: failed to get Maven project com.company.commons:maven.artifactory:2.0: failed to fetch Maven project com.company.commons:maven.artifactory@2.0: myservice/pom.xml
No package sources found, --help for usage information.
exit status 128 (Just cloned osv-scanner from master at e054385) Which seems to be related to osv-scanner not resolving artifacts from private artifact registries. However if I try the $ go run . --verbosity verbose -skip-git -r ./javamail
Scanning dir ./javamail
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/android/activation/pom.xml file and found 0 packages
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/android/mail/pom.xml file and found 1 package
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/android/pom.xml file and found 0 packages
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/client/pom.xml file and found 2 packages
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/demo/pom.xml file and found 2 packages
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/dsn/pom.xml file and found 2 packages
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/gimap/pom.xml file and found 2 packages
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/imap/pom.xml file and found 1 package
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/javadoc/pom.xml file and found 4 packages
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/logging/pom.xml file and found 2 packages
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/mail/pom.xml file and found 1 package
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/mailapi/pom.xml file and found 0 packages
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/mailapijar/pom.xml file and found 0 packages
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/mailhandler/pom.xml file and found 1 package
Attempted to scan lockfile but failed: failed extracting /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/mbox/native/pom.xml: failed resolving {Maven:com.sun.mail:libmbox[Concrete:1.6.2] {}}: version Maven:com.sun.mail:mbox[Concrete:1.6.2]: not found: /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/mbox/native/pom.xml
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/mbox/pom.xml file and found 2 packages
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/outlook/pom.xml file and found 2 packages
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/parent-distrib/pom.xml file and found 1 package
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/pom.xml file and found 0 packages
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/pop3/pom.xml file and found 1 package
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/publish/pom.xml file and found 2 packages
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/servlet/pom.xml file and found 3 packages
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/smtp/pom.xml file and found 1 package
Scanned /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/taglib/pom.xml file and found 4 packages
Attempted to scan lockfile but failed: failed extracting /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/webapp/pom.xml: failed resolving {Maven:com.sun.mail:webapp[Concrete:1.6.2] {}}:
version Maven:com.sun.mail:taglib[Concrete:1.6.2]: not found: /home/user/scratch/osv-scanner/cmd/osv-scanner/javamail/webapp/pom.xml
exit status 127 |
@desolatorxxl thanks for the feedback! May I ask where do you place your parent pom.xml? On local file system or remote private registry? |
@cuixq all pom.xml files are on a local file system. For clarity the directory structure looks like this:
But the I specified the registry URL in my <?xml version="1.0" encoding="UTF-8"?>
<settings xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd" xmlns="http://maven.apache.org/SETTINGS/1.1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<servers>
<server>
<username>...</username>
<password>...</password>
<id>central</id>
</server>
<server>
<username>...</username>
<password>...</password>
<id>snapshots</id>
</server>
</servers>
<profiles>
<profile>
<repositories>
<repository>
<snapshots>
<enabled>false</enabled>
</snapshots>
<id>central</id>
<name>libs-release</name>
<url>https://artifactory.org.com:443/artifactory/libs-release</url>
</repository>
<repository>
<snapshots />
<id>snapshots</id>
<name>libs-snapshot</name>
<url>https://artifactory.org.com:443/artifactory/libs-snapshot</url>
</repository>
</repositories>
<pluginRepositories>
<pluginRepository>
<snapshots>
<enabled>false</enabled>
</snapshots>
<id>central</id>
<name>libs-release</name>
<url>https://artifactory.org.com:443/artifactory/libs-release</url>
</pluginRepository>
<pluginRepository>
<snapshots />
<id>snapshots</id>
<name>libs-snapshot</name>
<url>https://artifactory.org.com:443/artifactory/libs-snapshot</url>
</pluginRepository>
</pluginRepositories>
<id>artifactory</id>
</profile>
</profiles>
<activeProfiles>
<activeProfile>artifactory</activeProfile>
</activeProfiles>
</settings> I digged around a bit in all the pom.xml files and found out that the top level pom ( <parent>
<groupId>com.org.common</groupId>
<artifactId>maven.artifactory</artifactId>
<version>1.0</version>
</parent> The remote <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.org.common</groupId>
<artifactId>maven.artifactory</artifactId>
<version>1.0</version>
<packaging>pom</packaging>
<description>ORG POM for Artifactory</description>
<organization>
<name>Private ORG</name>
<url>https://org.com</url>
</organization>
<distributionManagement>
<repository>
<id>central</id>
<name>libs-release</name>
<url>https://artifactory.org.com:443/artifactory/libs-release-local</url>
</repository>
<snapshotRepository>
<id>snapshots</id>
<name>libs-snapshot</name>
<url>https://artifactory.org.com:443/artifactory/libs-snapshot-local</url>
</snapshotRepository>
</distributionManagement>
</project> If I remove that parent, the scan runs successfully. It seems that is a really odd way of centrally managing repository configuration? Anyways, today that artifact is not required for the application to run or build, so I will try to get it removed. |
@desolatorxxl we currently do not support reading repositories from |
Hey osv team, I've been running into some issues with scanning
pom.xml
files which have a<parent>
tag:osv-scanner v1.7.3 and latest (v1.9.0) are unable to scan this repository: https://github.com/javaee/javamail but after deleting the
<parent>
tags frompom.xml
files (for examplejavamail/taglib/pom.xml
) the files are scanned successfully.Also notice when I'm using v1.7.3 I'm able to scan the following (which has a
<parent>
tag):However, running v1.9.0 will not work unless I remove the
<parent>
tag:✗ docker run --rm -v $(pwd):/code ghcr.io/google/osv-scanner:v1.9.0 scan -r /code/ Scanning dir /code/ Attempted to scan lockfile but failed: /code/pom.xml
Thanks in advance!
The text was updated successfully, but these errors were encountered: