
fix(java): correctly inherit properties from parent fields for pom.xml files

Open DmitriyLewen opened this issue 6 months ago • 4 comments

Description

Maven has 2 "types" of properties:

  • from Properties element
  • from pom fields (e.g. project.version, parent.project.artifactID, etc.)

Maven priority (check next point if property is empty):

  1. field property from pom file
  2. field property from parent
  3. property from property element of pom file (e.g. when property map contains explicitly stated property)
  4. property from property element of parent file (e.g. when property map contains explicitly stated property)

Changes

We need to use properties from the property element (of the current pom or of parent poms, which we merge when resolving parents) only if the properties from fields are empty.

Example

See pom files in changed parent-child-properties test.

before:

{
  "Target": "pom.xml",
  "Class": "lang-pkgs",
  "Type": "pom",
  "Packages": [
    {
      "ID": "com.example:child:1.2.3",
      ...
      "Relationship": "root",
      "DependsOn": [
        "org.example:example-dependency:1.2.3"
      ],
      "Layer": {}
    },
    {
      "ID": "org.example:example-api3",
      ...
      "Relationship": "direct",
      "Locations": [
        {
          "StartLine": 30,
          "EndLine": 34
        }
      ]
    },
    {
      "ID": "org.example:example-dependency:1.2.3",
      ...
      "Relationship": "direct",
      "DependsOn": [
        "org.example:example-api:4.0.0"
      ],
      "Locations": [
        {
          "StartLine": 25,
          "EndLine": 29
        }
      ]
    },
    {
      "ID": "org.example:example-api:4.0.0",
      ...
      "Relationship": "indirect",
    }
  ]
}

after:

{
  "Target": "pom.xml",
  "Class": "lang-pkgs",
  "Type": "pom",
  "Packages": [
    {
      "ID": "com.example:child:1.2.3",
      ...
      "Relationship": "root",
      "DependsOn": [
        "org.example:example-api3:4.0.3",
        "org.example:example-dependency:1.2.3"
      ],
    },
    {
      "ID": "org.example:example-api3:4.0.3",
      ...
      "Relationship": "direct",
      "Locations": [
        {
          "StartLine": 30,
          "EndLine": 34
        }
      ]
    },
    {
      "ID": "org.example:example-dependency:1.2.3",
      ...
      "Relationship": "direct",
      "DependsOn": [
        "org.example:example-api:4.0.0"
      ],
      "Locations": [
        {
          "StartLine": 25,
          "EndLine": 29
        }
      ]
    },
    {
      "ID": "org.example:example-api:4.0.0",
      ...
      "Relationship": "indirect",
    }
  ]
}

mvn dep tree:

[INFO] com.example:child:jar:1.2.3
[INFO] +- org.example:example-dependency:jar:1.2.3:compile
[INFO] |  \- org.example:example-api:jar:4.0.0:compile
[INFO] \- org.example:example-api3:jar:4.0.3:compile

Related issues

  • Close #9067

Checklist

  • [x] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [x] I've added tests that prove my fix is effective or that my feature works.
  • [ ] I've updated the documentation with the relevant information (if needed).
  • [ ] I've added usage information (if the PR introduces new options)
  • [x] I've included a "before" and "after" example to the description (if the PR is a user interface change).

DmitriyLewen, Jul 01 '25 13:07
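The resolution order from the description, as an added worked example (not Trivy's code; `Pom`, `Resolve` and `SamplePoms` are hypothetical names): field values win over `<properties>` entries, each kind is looked up in the current pom before its parents, and nested `${...}` references are expanded with a depth limit so a self-referencing property cannot loop forever.

```go
package main

import "regexp"

// Pom is a minimal, hypothetical model of a pom.xml (not Trivy's parser type).
type Pom struct {
	Fields     map[string]string // pom field values, e.g. "project.version"
	Properties map[string]string // entries of the <properties> element
	Parent     *Pom              // resolved parent pom, nil at the top
}

var propRef = regexp.MustCompile(`\$\{([^}]+)\}`)

// Resolve expands ${...} references in s: own fields, parent fields, own
// <properties>, parent <properties>; nested references recurse with a depth cap.
func Resolve(p *Pom, s string, depth int) string {
	if depth > 10 {
		return s // cyclic definition (a=${b}, b=${a}): stop and keep the text
	}
	return propRef.ReplaceAllStringFunc(s, func(ref string) string {
		name := propRef.FindStringSubmatch(ref)[1]
		// Fields first (own pom, then parents), then <properties> (own, then parents).
		for _, pick := range []func(*Pom) string{
			func(c *Pom) string { return c.Fields[name] },
			func(c *Pom) string { return c.Properties[name] },
		} {
			for c := p; c != nil; c = c.Parent {
				if v := pick(c); v != "" {
					return Resolve(p, v, depth+1)
				}
			}
		}
		return ref // unknown property: leave the reference as written
	})
}

// SamplePoms is a constructed parent/child pair: the child's field value
// (1.2.3) must beat both <properties> entries and the parent's field.
func SamplePoms() *Pom {
	parent := &Pom{
		Fields:     map[string]string{"project.version": "1.0.0", "project.groupId": "com.example"},
		Properties: map[string]string{"project.version": "0.0.1", "example-api3.version": "4.0.3"},
	}
	return &Pom{
		Fields:     map[string]string{"project.version": "1.2.3"},
		Properties: map[string]string{"project.version": "9.9.9", "loop": "${loop}"},
		Parent:     parent,
	}
}
```

With the sample poms, `Resolve(child, "${project.groupId}:child:${project.version}", 0)` yields `com.example:child:1.2.3` and `${example-api3.version}` falls through to the parent's `<properties>` value `4.0.3`, matching the "after" output above.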

@knqyf263 Any chance you can review this pull request? 😁 Original thread: https://github.com/aquasecurity/trivy/discussions/9039

SemProvoost, Jul 30 '25 09:07

We recently launched our partner program, and since several companies have already joined, we are currently prioritizing their requests. Once those tasks have settled down, we would like to review this PR.

knqyf263, Jul 30 '25 10:07

This PR is stale because it has been labeled with inactivity.

github-actions[bot], Sep 29 '25 00:09