Add Maven dependency management to override client (#1140)

Currently, Maven dependency management is not added to the override
client so they are not considered when computing Maven dependency graph.

This PR adds all direct dependency management to override client so that
transitive dependencies are resolved correctly.

internal/manifest/fixtures/maven/transitive.xml

@@ -3,6 +3,16 @@
   <artifactId>my-app</artifactId>
   <version>1.0</version>
 
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.transitive</groupId>
+        <artifactId>frank</artifactId>
+        <version>4.4.4</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
   <dependencies>
     <dependency>
       <groupId>org.direct</groupId>
@@ -14,5 +24,10 @@
       <artifactId>bob</artifactId>
       <version>2.0.0</version>
     </dependency>
+    <dependency>
+      <groupId>org.direct</groupId>
+      <artifactId>chris</artifactId>
+      <version>3.0.0</version>
+    </dependency>
   </dependencies>
 </project>

internal/manifest/fixtures/universe/basic-universe.yaml

@@ -24,6 +24,9 @@ schema: |
   org.direct:bob
     2.0.0
       org.transitive:[email protected]
+  org.direct:chris
+    3.0.0
+      org.transitive:[email protected]
   org.eve:eve
     5.0.0
   org.frank:frank
@@ -52,3 +55,6 @@ schema: |
     1.1.1
     2.2.2
     3.3.3
+  org.transitive:frank
+    3.3.3
+    4.4.4

internal/manifest/maven.go

@@ -14,6 +14,7 @@ import (
 	mavenresolve "deps.dev/util/resolve/maven"
 	"github.com/google/osv-scanner/internal/resolution/client"
 	"github.com/google/osv-scanner/internal/resolution/datasource"
+	"github.com/google/osv-scanner/internal/resolution/manifest"
 	"github.com/google/osv-scanner/internal/resolution/util"
 	"github.com/google/osv-scanner/pkg/lockfile"
 	"golang.org/x/exp/maps"
@@ -66,7 +67,7 @@ func (e MavenResolverExtractor) Extract(f lockfile.DepFile) ([]lockfile.PackageD
 			VersionType: resolve.Concrete,
 			Version:     string(project.Version),
 		}}
-	reqs := make([]resolve.RequirementVersion, len(project.Dependencies))
+	reqs := make([]resolve.RequirementVersion, len(project.Dependencies)+len(project.DependencyManagement.Dependencies))
 	for i, d := range project.Dependencies {
 		reqs[i] = resolve.RequirementVersion{
 			VersionKey: resolve.VersionKey{
@@ -80,6 +81,19 @@ func (e MavenResolverExtractor) Extract(f lockfile.DepFile) ([]lockfile.PackageD
 			Type: resolve.MavenDepType(d, ""),
 		}
 	}
+	for i, d := range project.DependencyManagement.Dependencies {
+		reqs[len(project.Dependencies)+i] = resolve.RequirementVersion{
+			VersionKey: resolve.VersionKey{
+				PackageKey: resolve.PackageKey{
+					System: resolve.Maven,
+					Name:   d.Name(),
+				},
+				VersionType: resolve.Requirement,
+				Version:     string(d.Version),
+			},
+			Type: resolve.MavenDepType(d, manifest.OriginManagement),
+		}
+	}
 	overrideClient.AddVersion(root, reqs)
 
 	g, err := resolver.Resolve(ctx, root.VersionKey)

internal/manifest/maven_test.go

@@ -326,6 +326,12 @@ func TestParseMavenWithResolver_Transitive(t *testing.T) {
 			Ecosystem: lockfile.MavenEcosystem,
 			CompareAs: lockfile.MavenEcosystem,
 		},
+		{
+			Name:      "org.direct:chris",
+			Version:   "3.0.0",
+			Ecosystem: lockfile.MavenEcosystem,
+			CompareAs: lockfile.MavenEcosystem,
+		},
 		{
 			Name:      "org.transitive:chuck",
 			Version:   "1.1.1",
@@ -344,5 +350,11 @@ func TestParseMavenWithResolver_Transitive(t *testing.T) {
 			Ecosystem: lockfile.MavenEcosystem,
 			CompareAs: lockfile.MavenEcosystem,
 		},
+		{
+			Name:      "org.transitive:frank",
+			Version:   "4.4.4",
+			Ecosystem: lockfile.MavenEcosystem,
+			CompareAs: lockfile.MavenEcosystem,
+		},
 	})
 }