Retrieve remote licenses using pom.properties when there is no pom.xml

anchore · Nov 13, 2023 · d767db5 · d767db5
1 parent 7ccbadf
commit d767db5
Showing 1 changed file with 46 additions and 23 deletions.
diff --git a/syft/pkg/cataloger/java/archive_parser.go b/syft/pkg/cataloger/java/archive_parser.go
@@ -310,8 +310,24 @@ func (j *archiveParser) guessMainPackageNameAndVersionFromPomInfo() (name, versi
 	if version == "" && pomProjectObject != nil {
 		version = pomProjectObject.Version
 	}
-	if pomProjectObject != nil && j.cfg.UseNetwork {
-		findPomLicenses(pomProjectObject, j.cfg)
+	if j.cfg.UseNetwork {
+		if pomProjectObject != nil && pomProjectObject.Parent != nil && len(pomProjectObject.Licenses) == 0 {
+			// If we don't have any licenses until now, and if we have a parent Pom, then we'll check the parent pom in maven central for licenses.
+			parentLicenses := findPomLicenses(pomProjectObject.Parent.GroupID, pomProjectObject.Parent.ArtifactID, pomProjectObject.Parent.Version, j.cfg)
+			if len(parentLicenses) > 0 {
+				for _, licenseName := range parentLicenses {
+					pomProjectObject.Licenses = append(pomProjectObject.Licenses, pkg.NewLicenseFromFields(licenseName, "", nil))
+				}
+			}
+		} else if pomProjectObject == nil {
+			// If we have no pom,xml, check maven central using pom.properties
+			parentLicenses := findPomLicenses(pomPropertiesObject.GroupID, pomPropertiesObject.ArtifactID, pomPropertiesObject.Version, j.cfg)
+			if len(parentLicenses) > 0 {
+				for _, licenseName := range parentLicenses {
+					licenses = append(licenses, pkg.NewLicenseFromFields(licenseName, "", nil))
+				}
+			}
+		}
 	}
 
 	if pomProjectObject != nil {
@@ -328,25 +344,14 @@ func artifactIDMatchesFilename(artifactID, fileName string) bool {
 	return strings.HasPrefix(artifactID, fileName) || strings.HasSuffix(fileName, artifactID)
 }
 
-func findPomLicenses(pomProjectObject *parsedPomProject, cfg Config) {
-	// If we don't have any licenses until now, and if we have a parent Pom, then we'll check the parent pom in maven central for licenses.
-	if pomProjectObject != nil && pomProjectObject.Parent != nil && len(pomProjectObject.Licenses) == 0 {
-		parentLicenses, err := recursivelyFindLicensesFromParentPom(
-			pomProjectObject.Parent.GroupID,
-			pomProjectObject.Parent.ArtifactID,
-			pomProjectObject.Parent.Version,
-			cfg)
-		if err != nil {
-			// We don't want to abort here as the parent pom might not exist in Maven Central, we'll just log the error
-			log.Tracef("unable to get parent pom from Maven central: %v", err)
-			return
-		}
-		if len(parentLicenses) > 0 {
-			for _, licenseName := range parentLicenses {
-				pomProjectObject.Licenses = append(pomProjectObject.Licenses, pkg.NewLicenseFromFields(licenseName, "", nil))
-			}
-		}
+func findPomLicenses(groupID, artifactID, version string, cfg Config) []string {
+	parentLicenses, err := recursivelyFindLicensesFromParentPom(groupID, artifactID, version, cfg)
+	if err != nil {
+		// We don't want to abort here as the parent pom might not exist in Maven Central, we'll just log the error
+		log.Tracef("unable to get parent pom from Maven central: %v", err)
+		return []string{}
 	}
+	return parentLicenses
 }
 
 func formatMavenPomURL(groupID, artifactID, version, mavenBaseURL string) (requestURL string, err error) {
@@ -683,10 +688,28 @@ func newPackageFromMavenData(pomProperties pkg.JavaPomProperties, parsedPomProje
 
 	var pkgPomProject *pkg.JavaPomProject
 	licenses := make([]pkg.License, 0)
-	if parsedPomProject != nil {
-		if cfg.UseNetwork {
-			findPomLicenses(parsedPomProject, cfg)
+
+	if cfg.UseNetwork {
+		if parsedPomProject != nil && parsedPomProject.Parent != nil && len(parsedPomProject.Licenses) == 0 {
+			// If we don't have any licenses until now, and if we have a parent Pom, then we'll check the parent pom in maven central for licenses.
+			parentLicenses := findPomLicenses(parsedPomProject.Parent.GroupID, parsedPomProject.Parent.ArtifactID, parsedPomProject.Parent.Version, cfg)
+			if len(parentLicenses) > 0 {
+				for _, licenseName := range parentLicenses {
+					parsedPomProject.Licenses = append(parsedPomProject.Licenses, pkg.NewLicenseFromFields(licenseName, "", nil))
+				}
+			}
+		} else if parsedPomProject == nil {
+			// If we have no pom,xml, check maven central using pom.properties
+			parentLicenses := findPomLicenses(pomProperties.GroupID, pomProperties.ArtifactID, pomProperties.Version, cfg)
+			if len(parentLicenses) > 0 {
+				for _, licenseName := range parentLicenses {
+					licenses = append(licenses, pkg.NewLicenseFromFields(licenseName, "", nil))
+				}
+			}
 		}
+	}
+
+	if parsedPomProject != nil {
 		pkgPomProject = parsedPomProject.JavaPomProject
 		licenses = append(licenses, parsedPomProject.Licenses...)
 	}