diff --git a/internal/manifest/fixtures/maven/transitive.xml b/internal/manifest/fixtures/maven/transitive.xml
index 2170738e33..52e416a0bc 100644
--- a/internal/manifest/fixtures/maven/transitive.xml
+++ b/internal/manifest/fixtures/maven/transitive.xml
@@ -3,6 +3,16 @@
my-app
1.0
+
+
+
+ org.transitive
+ frank
+ 4.4.4
+
+
+
+
org.direct
@@ -14,5 +24,10 @@
bob
2.0.0
+
+ org.direct
+ chris
+ 3.0.0
+
diff --git a/internal/manifest/fixtures/universe/basic-universe.yaml b/internal/manifest/fixtures/universe/basic-universe.yaml
index 3a23d791b3..2bf2b32724 100644
--- a/internal/manifest/fixtures/universe/basic-universe.yaml
+++ b/internal/manifest/fixtures/universe/basic-universe.yaml
@@ -24,6 +24,9 @@ schema: |
org.direct:bob
2.0.0
org.transitive:eve@3.3.3
+ org.direct:chris
+ 3.0.0
+ org.transitive:frank@3.3.3
org.eve:eve
5.0.0
org.frank:frank
@@ -52,3 +55,6 @@ schema: |
1.1.1
2.2.2
3.3.3
+ org.transitive:frank
+ 3.3.3
+ 4.4.4
diff --git a/internal/manifest/maven.go b/internal/manifest/maven.go
index 09b38d6736..7f792d2525 100644
--- a/internal/manifest/maven.go
+++ b/internal/manifest/maven.go
@@ -14,6 +14,7 @@ import (
mavenresolve "deps.dev/util/resolve/maven"
"github.com/google/osv-scanner/internal/resolution/client"
"github.com/google/osv-scanner/internal/resolution/datasource"
+ "github.com/google/osv-scanner/internal/resolution/manifest"
"github.com/google/osv-scanner/internal/resolution/util"
"github.com/google/osv-scanner/pkg/lockfile"
"golang.org/x/exp/maps"
@@ -66,7 +67,7 @@ func (e MavenResolverExtractor) Extract(f lockfile.DepFile) ([]lockfile.PackageD
VersionType: resolve.Concrete,
Version: string(project.Version),
}}
- reqs := make([]resolve.RequirementVersion, len(project.Dependencies))
+ reqs := make([]resolve.RequirementVersion, len(project.Dependencies)+len(project.DependencyManagement.Dependencies))
for i, d := range project.Dependencies {
reqs[i] = resolve.RequirementVersion{
VersionKey: resolve.VersionKey{
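Review bot: The `make` on the `+` line sizes `reqs` to the sum of both dependency lists, which forces the second loop (next hunk) to index with `reqs[len(project.Dependencies)+i]` and couples its correctness to the arithmetic here; a length of 0 with that sum as capacity and `append` in both loops removes the offset bookkeeping without changing the result. Concretely: `reqs := make([]resolve.RequirementVersion, 0, len(project.Dependencies)+len(project.DependencyManagement.Dependencies))`, `for _, d := range project.Dependencies {`, `reqs = append(reqs, resolve.RequirementVersion{`, and the same `for _, d := range` / `reqs = append(reqs, …` shape in the dependency-management loop of the following hunk. Extract begins and ends outside both hunks.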
@@ -80,6 +81,19 @@ func (e MavenResolverExtractor) Extract(f lockfile.DepFile) ([]lockfile.PackageD
Type: resolve.MavenDepType(d, ""),
}
}
+ for i, d := range project.DependencyManagement.Dependencies {
+ reqs[len(project.Dependencies)+i] = resolve.RequirementVersion{
+ VersionKey: resolve.VersionKey{
+ PackageKey: resolve.PackageKey{
+ System: resolve.Maven,
+ Name: d.Name(),
+ },
+ VersionType: resolve.Requirement,
+ Version: string(d.Version),
+ },
+ Type: resolve.MavenDepType(d, manifest.OriginManagement),
+ }
+ }
overrideClient.AddVersion(root, reqs)
g, err := resolver.Resolve(ctx, root.VersionKey)
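Review bot: The new loop has no comment saying why managed dependencies are attached to the root as requirements, and the intent is only recoverable from the fixtures in this commit (chris requires frank@3.3.3, dependencyManagement pins frank to 4.4.4, and the test expects 4.4.4). A one-line comment above the loop would keep that from being "optimised away" later, e.g. `// dependencyManagement entries are added as OriginManagement requirements of the root so the resolver applies the managed version to transitive dependencies; otherwise the scan reports the version the transitive requested rather than the one Maven actually builds with.` Whether `resolve.MavenDepType(d, manifest.OriginManagement)` also carries the entry's scope (for example BOM `import` entries) is not visible here; if it does not, that is worth confirming, since every management entry is passed through regardless of scope. Extract continues outside the hunk.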
diff --git a/internal/manifest/maven_test.go b/internal/manifest/maven_test.go
index 29bad443cf..0b8e73048f 100644
--- a/internal/manifest/maven_test.go
+++ b/internal/manifest/maven_test.go
@@ -326,6 +326,12 @@ func TestParseMavenWithResolver_Transitive(t *testing.T) {
Ecosystem: lockfile.MavenEcosystem,
CompareAs: lockfile.MavenEcosystem,
},
+ {
+ Name: "org.direct:chris",
+ Version: "3.0.0",
+ Ecosystem: lockfile.MavenEcosystem,
+ CompareAs: lockfile.MavenEcosystem,
+ },
{
Name: "org.transitive:chuck",
Version: "1.1.1",
@@ -344,5 +350,11 @@ func TestParseMavenWithResolver_Transitive(t *testing.T) {
Ecosystem: lockfile.MavenEcosystem,
CompareAs: lockfile.MavenEcosystem,
},
+ {
+ Name: "org.transitive:frank",
+ Version: "4.4.4",
+ Ecosystem: lockfile.MavenEcosystem,
+ CompareAs: lockfile.MavenEcosystem,
+ },
})
}
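Review bot: The new expectation `Name: "org.transitive:frank", Version: "4.4.4"` is the only place the managed-version override is asserted, but nothing in the test says that 4.4.4 is expected because dependencyManagement pins it while the fixture's chris dependency requests frank@3.3.3. A short comment on that entry, such as `// frank is requested at 3.3.3 transitively; dependencyManagement in transitive.xml pins it to 4.4.4`, would make a future fixture edit that silently drops the override easy to spot. TestParseMavenWithResolver_Transitive begins outside the hunk.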