
Pom parser not resolving all dependency versions #2776

Closed
willyw0nka opened this issue Apr 15, 2024 · 0 comments · Fixed by #2781
Labels: bug (Something isn't working)

Comments

@willyw0nka

What happened:
When running syft on a Java project, some variables are returned as package versions without being evaluated.

 ✔ Indexed file system      .
 ✔ Cataloged contents       cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
   ├── ✔ Packages           [17 packages]
   └── ✔ Executables        [0 executables]
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME                                 VERSION                    TYPE           
caffeine                             ${caffeine.version}        java-archive    
easy-random-core-jdk11               6.1.2                      java-archive    
easy-random-randomizers-jdk11        6.1.2                      java-archive    
kotlin-test-junit5                   1.9.20                     java-archive    
mng-authentication-interceptor       1.0.2                      java-archive    
mng-spring-boot-starter-error-log    0.0.1                      java-archive    
mockk-jvm                            1.13.8                     java-archive    
spring-boot-starter-actuator         ${project.parent.version}  java-archive    
spring-boot-starter-cache            3.2.4                      java-archive    
spring-boot-starter-data-mongodb     ${project.parent.version}  java-archive    
spring-boot-starter-security         ${project.parent.version}  java-archive    
spring-boot-starter-test             ${project.parent.version}  java-archive    
spring-boot-starter-validation       ${project.parent.version}  java-archive    
spring-boot-starter-web              ${project.parent.version}  java-archive    
spring-cloud-starter-openfeign       4.1.0                      java-archive    
springdoc-openapi-starter-webmvc-ui  2.3.0                      java-archive    
springmockk                          3.1.1                      java-archive

What you expected to happen:
All dependency versions should be resolved

Steps to reproduce the issue:

git clone https://github.com/willyw0nka/spring-boot-empty-project.git
syft spring-boot-empty-project

Anything else we need to know?:
The unresolved versions needed to be evaluated twice, but syft only evaluated them once. For example, in the project I tested the org.springframework.boot version is ${springboot.version} which resolves to ${project.parent.version} which then resolves to 3.2.4. Syft only evaluated the version once so the result is ${project.parent.version}.

This is the code responsible for resolving the package versions. Checking if the version contains $ and calling this recursively would solve the issue.

version := resolveProperty(pom, dep.Version, "version")
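The two-step expansion described in the report (`${springboot.version}` to `${project.parent.version}` to `3.2.4`) can be shown with a small Go sketch. This is an added example, not syft's own `resolveProperty` or its POM types: the `pom` struct, `lookup`, `resolveOnce`, `resolve` and the sample values in `newSamplePom` are all assumptions constructed for illustration. `resolveOnce` expands references a single time, which reproduces the truncated output shown above; `resolve` re-expands until nothing is left, and keeps a path-based visited set so that a POM with self-referential properties cannot send the cataloger into an infinite loop, which is the caveat a supply-chain tool needs when it parses untrusted build files. Unknown properties are left as `${name}` so the unresolved value is still visible in the SBOM rather than silently replaced.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// pom is a minimal stand-in for the parts of a Maven POM that matter for
// property resolution (assumption: not syft's real POM representation).
type pom struct {
	Version       string            // <project><version>
	ParentVersion string            // <project><parent><version>
	Properties    map[string]string // <project><properties>
}

// propRef matches one ${name} placeholder.
var propRef = regexp.MustCompile(`\$\{([^}]+)\}`)

// lookup returns the raw, possibly still templated, value of a property.
// Only the two built-in Maven names needed for this example are modelled.
func (p *pom) lookup(name string) (string, bool) {
	switch name {
	case "project.version":
		return p.Version, p.Version != ""
	case "project.parent.version":
		return p.ParentVersion, p.ParentVersion != ""
	}
	v, ok := p.Properties[name]
	return v, ok
}

// resolveOnce expands each ${name} exactly one level, mirroring the
// single-pass behaviour the issue describes: a property whose value is
// itself a reference comes back unexpanded.
func resolveOnce(p *pom, value string) string {
	return propRef.ReplaceAllStringFunc(value, func(ref string) string {
		if raw, ok := p.lookup(refName(ref)); ok {
			return raw
		}
		return ref
	})
}

// resolve expands ${name} references until none remain. The visited set
// tracks the current expansion path, so a cyclic definition (a -> b -> a)
// terminates with the offending reference left in place instead of looping.
func resolve(p *pom, value string) string {
	return resolveWith(p, value, map[string]bool{})
}

func resolveWith(p *pom, value string, visited map[string]bool) string {
	return propRef.ReplaceAllStringFunc(value, func(ref string) string {
		name := refName(ref)
		if visited[name] {
			return ref // cycle detected: leave the reference unexpanded
		}
		raw, ok := p.lookup(name)
		if !ok {
			return ref // unknown property: keep it visible as ${name}
		}
		visited[name] = true
		out := resolveWith(p, raw, visited)
		delete(visited, name) // back out of this path branch
		return out
	})
}

func refName(ref string) string {
	return strings.TrimSuffix(strings.TrimPrefix(ref, "${"), "}")
}

// newSamplePom builds a constructed POM that mirrors the chain from the
// report plus a cycle and an undefined property (values are made up).
func newSamplePom() *pom {
	return &pom{
		Version:       "0.0.1-SNAPSHOT",
		ParentVersion: "3.2.4",
		Properties: map[string]string{
			"springboot.version": "${project.parent.version}",
			"lib.version":        "1.0.0",
			"loop.a":             "${loop.b}",
			"loop.b":             "${loop.a}",
		},
	}
}

func main() {
	p := newSamplePom()
	for _, v := range []string{"${springboot.version}", "${lib.version}", "${loop.a}", "${undefined.version}"} {
		fmt.Printf("%-24s once=%-28s full=%s\n", v, resolveOnce(p, v), resolve(p, v))
	}
}
```

Running it prints `${springboot.version}` as `${project.parent.version}` after one pass and `3.2.4` after full resolution, which is exactly the difference between the observed and expected syft output above.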

Environment:

  • Output of syft version:
Application: syft
Version:    1.1.1
BuildDate:  2024-04-04T14:52:45Z
GitCommit:  1e31356c49bf2c30fd80c833482e1fbe4133ff83
GitDescription: v1.1.1
Platform:   linux/amd64
GoVersion:  go1.21.8
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar):
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.19.1
PRETTY_NAME="Alpine Linux v3.19"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"