What happened:
When running syft on a Java project, some variables are returned as package versions without being evaluated.
What you expected to happen:
All dependency versions should be resolved
Steps to reproduce the issue:
Anything else we need to know?:
The unresolved versions needed to be evaluated twice, but syft only evaluated them once. For example, in the project I tested the org.springframework.boot version is ${springboot.version}, which resolves to ${project.parent.version}, which then resolves to 3.2.4. Syft only evaluated the version once so the result is ${project.parent.version}.
This is the code responsible for resolving the package's version: syft/syft/pkg/cataloger/java/parse_pom_xml.go, line 113 in 21eaa5c. Checking if version contains $ to call this recursively would solve the issue.
Environment:
syft version:
OS (e.g. cat /etc/os-release or similar):
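The recursive resolution the report proposes, as an added example that is not syft's own code: a stand-alone Go resolver over a property map (the names `resolveVersion`, `propertyRef` and `maxResolveDepth` are assumptions for this illustration, not identifiers from parse_pom_xml.go) that keeps expanding while a `$` remains, and bounds the depth so that a circular property definition cannot recurse forever.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// propertyRef matches a Maven property reference such as ${springboot.version}.
var propertyRef = regexp.MustCompile(`\$\{([^}]+)\}`)

// maxResolveDepth bounds the recursion so that a self-referential property
// (a = ${b}, b = ${a}) cannot loop forever.
const maxResolveDepth = 16

// resolveVersion expands property references in value until none remain.
// A single pass, as in the report, would stop at ${project.parent.version};
// recursing while a "$" is still present carries the chain through to 3.2.4.
// Unknown references are left in place and reported as an error.
func resolveVersion(value string, props map[string]string, depth int) (string, error) {
	if !strings.Contains(value, "$") {
		return value, nil // fully resolved, nothing left to expand
	}
	if depth >= maxResolveDepth {
		return value, fmt.Errorf("property resolution exceeded depth %d at %q", maxResolveDepth, value)
	}
	expanded := propertyRef.ReplaceAllStringFunc(value, func(ref string) string {
		name := ref[2 : len(ref)-1] // strip the surrounding "${" and "}"
		if v, ok := props[name]; ok {
			return v
		}
		return ref // unknown property: keep the reference as-is
	})
	if expanded == value {
		// Nothing changed, so the remaining reference is undefined; stop here.
		return value, fmt.Errorf("unresolved property reference in %q", value)
	}
	return resolveVersion(expanded, props, depth+1)
}

func main() {
	// Constructed property map reproducing the chain from the report.
	props := map[string]string{
		"springboot.version":     "${project.parent.version}",
		"project.parent.version": "3.2.4",
	}
	v, err := resolveVersion("${springboot.version}", props, 0)
	fmt.Println(v, err) // 3.2.4 <nil>
}
```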