From b4b90cfe202138844a27110e9136859cbc20285c Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Thu, 25 Jan 2024 13:25:38 +0600
Subject: [PATCH] feat(java): add support for line numbers for pom.xml files
 (#5991)

---
 docs/docs/coverage/language/java.md           | 13 ++++----
 go.mod                                        |  2 +-
 go.sum                                        |  4 +--
 .../analyzer/language/java/pom/pom_test.go    | 31 +++++++++++++++++++
 .../language/java/pom/testdata/happy/pom.xml  |  8 +++++
 5 files changed, 49 insertions(+), 9 deletions(-)

diff --git a/docs/docs/coverage/language/java.md b/docs/docs/coverage/language/java.md
index cf76d1ca5471..4043fc7e188f 100644
--- a/docs/docs/coverage/language/java.md
+++ b/docs/docs/coverage/language/java.md
@@ -11,11 +11,11 @@ Each artifact supports the following scanners:
 
 The following table provides an outline of the features Trivy offers.
 
-| Artifact         |    Internet access    | Dev dependencies | [Dependency graph][dependency-graph] |
-|------------------|:---------------------:|:----------------:|:------------------------------------:|
-| JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |
-| pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |
-| *gradle.lockfile |           -           |     Exclude      |                  -                   |
+| Artifact         |    Internet access    | Dev dependencies | [Dependency graph][dependency-graph] | Position |
+|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|
+| JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |    -     |
+| pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |  ✓[^7]   |
+| *gradle.lockfile |           -           |     Exclude      |                  -                   |    -     |
 
 These may be enabled or disabled depending on the target.
 See [here](./index.md) for the detail.
@@ -46,7 +46,7 @@ If your machine doesn't have the necessary files - Trivy tries to find the infor
 
 !!! Note
     Trivy only takes information about packages. We don't take a list of vulnerabilities for packages from the `maven repository`.
-    Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources_1).
+    Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources-1).
 
 You can disable connecting to the maven repository with the `--offline-scan` flag.
 The `--offline-scan` flag does not affect the Trivy database.
@@ -67,5 +67,6 @@ It doesn't require the internet access.
 [^4]: e.g. when parent pom.xml file has `../pom.xml` path
 [^5]: When you use dependency path in `relativePath` field in pom.xml file
 [^6]: `/Users/<username>/.m2/repository` (for Linux and Mac) and `C:/Users/<username>/.m2/repository` (for Windows) by default
+[^7]: To avoid confusion, Trivy only finds locations for direct dependencies from the base pom.xml file.
 
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
\ No newline at end of file
diff --git a/go.mod b/go.mod
index 420f5e748bde..e36c08e265dc 100644
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/alicebob/miniredis/v2 v2.31.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/defsec v0.94.1
-	github.com/aquasecurity/go-dep-parser v0.0.0-20231229070651-5f0903175562
+	github.com/aquasecurity/go-dep-parser v0.0.0-20240124102329-7be7d210a3d4
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
diff --git a/go.sum b/go.sum
index 6364a132f996..362a05d16330 100644
--- a/go.sum
+++ b/go.sum
@@ -328,8 +328,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/defsec v0.94.1 h1:lk44bfUltm0f0Dw4DbO3Ka9d/bf3N8cWclSdHXMyKF4=
 github.com/aquasecurity/defsec v0.94.1/go.mod h1:wiX9BX0SOG0ZWjVIPYGPl46fyO3Gu8lJnk4rmhFR7IA=
-github.com/aquasecurity/go-dep-parser v0.0.0-20231229070651-5f0903175562 h1:jdymGFJpArgx1ZZW7yqgCV8Tt+sEZ4jKxjQufPYRSXE=
-github.com/aquasecurity/go-dep-parser v0.0.0-20231229070651-5f0903175562/go.mod h1:B+gSaiuXV258CtyfBwFvG87+GE/FOh6W4N+LMuQxvVA=
+github.com/aquasecurity/go-dep-parser v0.0.0-20240124102329-7be7d210a3d4 h1:Ex+YahhZPTu0WF9IKngLr/oRWgW5TN9ed0n4Twsq2Hw=
+github.com/aquasecurity/go-dep-parser v0.0.0-20240124102329-7be7d210a3d4/go.mod h1:P0PmelcN1ABKJrDzRbPnn6hK7RvgI+xmjiV/9uPaNnY=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-mock-aws v0.0.0-20240109054747-49e4b5da33cb h1:dNxUB2bSbiLGNYcXkbBKrrfuY96+dXhA9FahEFZ4THQ=
diff --git a/pkg/fanal/analyzer/language/java/pom/pom_test.go b/pkg/fanal/analyzer/language/java/pom/pom_test.go
index 9a5214e806e5..10cec453b863 100644
--- a/pkg/fanal/analyzer/language/java/pom/pom_test.go
+++ b/pkg/fanal/analyzer/language/java/pom/pom_test.go
@@ -29,11 +29,25 @@ func Test_pomAnalyzer_Analyze(t *testing.T) {
 						Type:     types.Pom,
 						FilePath: "testdata/happy/pom.xml",
 						Libraries: types.Packages{
+							{
+								ID:      "com.example:example-api:2.0.0",
+								Name:    "com.example:example-api",
+								Version: "2.0.0",
+								Locations: []types.Location{
+									{
+										StartLine: 28,
+										EndLine:   32,
+									},
+								},
+							},
 							{
 								ID:       "com.example:example:1.0.0",
 								Name:     "com.example:example",
 								Version:  "1.0.0",
 								Licenses: []string{"Apache-2.0"},
+								DependsOn: []string{
+									"com.example:example-api:2.0.0",
+								},
 							},
 						},
 					},
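Review bot: The new expectation for `com.example:example-api:2.0.0` pins `Locations` only for the positive case, while the footnote added in java.md says positions are deliberately not reported for anything other than direct dependencies of the base pom.xml; nothing in this table asserts that negative side. A case whose pom declares a dependency through `dependencyManagement` or a parent pom, with the expected package carrying no `Locations`, would lock in the documented limitation instead of leaving it to the go-dep-parser bump alone, assuming such a fixture can be resolved with the offline option this test now sets. The `StartLine: 28`/`EndLine: 32` values match the `<dependency>` element in the updated testdata/happy/pom.xml, but a one-line comment such as `// lines of the <dependency> element in testdata/happy/pom.xml` next to them would save the next reader from counting. The enclosing `Test_pomAnalyzer_Analyze` table starts before this hunk.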
@@ -50,11 +64,25 @@ func Test_pomAnalyzer_Analyze(t *testing.T) {
 						Type:     types.Pom,
 						FilePath: "pom.xml",
 						Libraries: types.Packages{
+							{
+								ID:      "com.example:example-api:2.0.0",
+								Name:    "com.example:example-api",
+								Version: "2.0.0",
+								Locations: []types.Location{
+									{
+										StartLine: 28,
+										EndLine:   32,
+									},
+								},
+							},
 							{
 								ID:       "com.example:example:1.0.0",
 								Name:     "com.example:example",
 								Version:  "1.0.0",
 								Licenses: []string{"Apache-2.0"},
+								DependsOn: []string{
+									"com.example:example-api:2.0.0",
+								},
 							},
 						},
 					},
@@ -104,6 +132,9 @@ func Test_pomAnalyzer_Analyze(t *testing.T) {
 				Dir:      tt.inputDir,
 				FilePath: tt.inputFile,
 				Content:  f,
+				Options: analyzer.AnalysisOptions{
+					Offline: true,
+				},
 			})
 			if tt.wantErr != "" {
 				require.NotNil(t, err)
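Review bot: `Options: analyzer.AnalysisOptions{Offline: true}` is set unconditionally for every table case without saying why, and the reason is not obvious from the test alone: the happy fixture now declares `com.example:example-api`, and per the docs in this same patch the analyzer would otherwise try to resolve it from the Maven repository, so the option is what keeps the unit test hermetic and free of an outbound network dependency. A comment such as `// Offline: true keeps the analyzer from contacting the Maven repository for example-api, which no local repository provides` would document that intent and flag that any future case exercising remote resolution needs its own option set. If a test elsewhere already covers the online path this is fine as is; if not, it is worth noting that no case here exercises `Offline: false` any more. `Test_pomAnalyzer_Analyze` continues past the end of this hunk.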
diff --git a/pkg/fanal/analyzer/language/java/pom/testdata/happy/pom.xml b/pkg/fanal/analyzer/language/java/pom/testdata/happy/pom.xml
index c4764b000af2..aa5f1066295c 100644
--- a/pkg/fanal/analyzer/language/java/pom/testdata/happy/pom.xml
+++ b/pkg/fanal/analyzer/language/java/pom/testdata/happy/pom.xml
@@ -23,4 +23,12 @@
             <url>https://github.com/knqyf263</url>
         </developer>
     </developers>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.example</groupId>
+            <artifactId>example-api</artifactId>
+            <version>2.0.0</version>
+        </dependency>
+    </dependencies>
 </project>