Skip to content
/ pombump Public

Playing around with a tool for updating POM dependencies

1 star 6 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

chainguard-dev/pombump

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

48 Commits
.github
.github
 
 
cmd/pombump
cmd/pombump
 
 
pkg
pkg
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

pombump

Programmatically manipulate maven (pom.xml) dependencies.

Overview

For easier patchability, add ways to selectively bump versions for dependencies.

The idea is just like gobump but for java.

Usage

The idea is that there are some patches that should be applied to the upstream pom.xml file. You can specify these via --dependencies flag, or via --patch-file. You can also update / add Properties using the --properties flag, or via --properties-file.

Specifying Dependencies to be patched

You can specify the patches that should be applied two ways. They are mutually exclusive, so you can only specify one of them at the time.

--dependencies flag

You can specify patches via --dependencies flag by encoding them (similarly to gobump) in the following format:

--dependencies="<groupID@artifactID@version[@scope[@type]]> <groupID...>"

So the groupID, artifactID, and version are required fields, and the scope, and type are optional fields. If omitted, scope defaults to import, and type defaults to jar.

--patch-file flag

You can specify a yaml file that contains the patches, which is the preferred way, because it's less errorprone, and allows for inline comments to keep track of which patches are for which CVEs. scope, and type are optional here as well. If omitted, scope defaults to import, and type defaults to jar.

An example yaml file looks like this:

patches:
  # CVE-2023-34062
  - groupID: io.projectreactor.netty
    artifactID: reactor-netty-http
    version: 1.0.39
    scope: import
    type: pom
  # CVE-2023-5072
  - groupId: org.json
    artifactId: json
    version: "20231013"
  # CVE-2023-6378
  - groupId: ch.qos.logback
    artifactId: logback-core
    version: "[1.4.12,2.0.0)"

Specifying Properties to be patched

You can specify the properties that should be modified two ways. They are mutually exclusive, so you can only specify one of them at the time.

--properties flag

You can specify the properties via --properties flag by encoding them in the (similarly to gobump) in the following format:

--properties="property@value property@value"

--properties-file flag

You can specify a yaml file that contains the properties that should be modified. This again is the preferred way for all the same reasons the --patch-file is the preferred way.

An example file looks like so:

properties:
  - property: "prop1"
    value: "value1"
  - property: "prop2"
    value: "value2"

Theory of operation

Patches

Once you have specified the patches, the tool will go through the pom.xml file and then for each patch the following happens:

  • If the patch is found in the dependencies section, it will be patched inline.
  • If the patch is found in the dependencyManagement.dependencies section, it will be patched inline.
  • Otherwise, it will be appended to the dependencyManagement.dependencies section.

Properties

They are either patched inline (if found), or added to the properties section.

About

Playing around with a tool for updating POM dependencies

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

2 watching

Forks

6 forks
Report repository

Releases 13

v0.0.13 Latest
Jun 4, 2024
+ 12 releases

Packages

No packages published

Contributors 7

Languages