Refactor maven xml updater #1011
base: v3_er
- Update MavenPackageUpdater to handle multiple Components
- Loop through all Components and update each pom.xml file
- Extracts file paths from Component.Location.File
- Handles same vulnerability in multiple modules (e.g., backend + frontend)
- All changes go into ONE PR (same vuln, same fix)
- Update all tests to populate Components array with Location
- Backward compatible: falls back to 'pom.xml' if no Components

- Remove backward compatibility fallback that masked bugs
- If Components array is empty or missing Location data, fail explicitly
- Better error message explains the issue is with scan results
- Forces engine to always populate Components with Location
- Prevents silent failures in multi-module projects

- Add constants for magic strings (separator, property prefix/suffix)
- Extract parseMavenCoordinate() and toMavenCoordinate() helpers
- Extract extractPropertyName() for property placeholder parsing
- Remove all comments (code is self-documenting)
- Simplify debug logs (no fmt.Sprintf)
- DRY: no repetition anywhere
- All tests still pass

- Better naming: matches ImpactedDependencyName field
- parseDependencyName() / toDependencyName()
- More accurate: we parse dependency names (groupId:artifactId), not coordinates (which include version)

- Replace encoding/xml with github.com/beevik/etree
- Use DOM-based XML manipulation instead of unmarshal/marshal
- Should preserve formatting, namespaces, and all XML attributes
- All tests still pass
- Need to test on real repo to verify formatting preservation

- Parse XML to understand structure (encoding/xml)
- Use regex to replace ONLY the version text
- Preserves ALL formatting, namespaces, blank lines, comments
- Minimal diffs - only version numbers change
- All tests pass
- Ready for real-world testing

- Document all 5 test cases (simple, property, parent, depMgmt, multi-module)
- Document engine limitations (parent POM resolution, non-standard pom names)
- Document text-based replacement approach
- Document multi-module support
- Recommendations for engine team
- Testing checklist
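The text-based replacement the commit messages describe (locate the dependency, then rewrite only its version text so comments, namespaces and layout survive, following a `${property}` placeholder into `<properties>`), as an added Go example that is not Frogbot's code: the sample pom, `UpdatePomVersion` and its helpers are constructed here, it matches structure with regexes instead of encoding/xml, and it assumes groupId directly precedes artifactId and ignores `<exclusions>`.

```go
package main
import "regexp"
// Constructed sample (not from the PR): a namespace, a comment and a property-driven
// version, all of which must survive the edit byte-for-byte.
const samplePom = `<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><lib.version>1.0.0</lib.version></properties>
  <!-- keep me -->
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>lib</artifactId><version>${lib.version}</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>direct</artifactId><version>1.0.0</version></dependency>
  </dependencies>
</project>`
var depBlockRe = regexp.MustCompile(`(?s)<dependency>.*?</dependency>`)
var propRefRe = regexp.MustCompile(`^\$\{([^}]+)\}$`)
// textRe captures "<name>", the text and "</name>" so only the text gets swapped.
func textRe(name string) *regexp.Regexp {
	return regexp.MustCompile(`(<` + regexp.QuoteMeta(name) + `>\s*)([^<]*?)(\s*</` + regexp.QuoteMeta(name) + `>)`)
}
// setText rewrites just the captured text, keeping tags and whitespace as-is.
func setText(re *regexp.Regexp, s, text string) string {
	return re.ReplaceAllStringFunc(s, func(m string) string {
		g := re.FindStringSubmatch(m)
		return g[1] + text + g[3]
	})
}

// UpdatePomVersion bumps groupId:artifactId to fixedVersion by editing only the
// version text: in its <dependency> block for a literal version, or under
// <properties> for a ${prop} placeholder; inherited versions are left alone.
func UpdatePomVersion(content, groupId, artifactId, fixedVersion string) (string, bool) {
	depRe := regexp.MustCompile(`<groupId>\s*` + regexp.QuoteMeta(groupId) + // groupId assumed to precede artifactId
		`\s*</groupId>\s*<artifactId>\s*` + regexp.QuoteMeta(artifactId) + `\s*</artifactId>`)
	versionRe, property := textRe("version"), ""
	out := depBlockRe.ReplaceAllStringFunc(content, func(block string) string {
		v := versionRe.FindStringSubmatch(block)
		if !depRe.MatchString(block) || v == nil {
			return block // not the target dependency, or its version is inherited
		}
		if m := propRefRe.FindStringSubmatch(v[2]); m != nil {
			property = m[1] // e.g. ${lib.version}: edit the property text instead
			return block
		}
		return setText(versionRe, block, fixedVersion)
	})
	if property != "" {
		out = setText(textRe(property), out, fixedVersion)
	}
	return out, out != content
}
```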
| if !repository.Params.FrogbotConfig.CreateAutoFixPr { | ||
| log.Info(fmt.Sprintf("This command is running in detection mode only. To enable automatic fixing of issues, set the '%s' flag under the repository's coniguration settings in Jfrog platform", createAutoFixPrConfigNameInProfile)) | ||
| return totalFindings, nil | ||
| } | ||
| //if !repository.Params.FrogbotConfig.CreateAutoFixPr { | ||
| // log.Info(fmt.Sprintf("This command is running in detection mode only. To enable automatic fixing of issues, set the '%s' flag under the repository's coniguration settings in Jfrog platform", createAutoFixPrConfigNameInProfile)) | ||
| // return totalFindings, nil | ||
| //} |
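Review bot: commenting out the CreateAutoFixPr gate removes the only check that keeps the command in detection-only mode, so fix PRs would be attempted even when the repository configuration has not enabled them; restore the `if !repository.Params.FrogbotConfig.CreateAutoFixPr { ... return totalFindings, nil }` block rather than leaving it as dead commented code, and while touching it fix the "coniguration" typo in the log message.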
will revert back
| func (mpu *MavenPackageUpdater) getPomPaths(vulnDetails *utils.VulnerabilityDetails) []string { | ||
| var pomPaths []string | ||
| for _, component := range vulnDetails.Components { | ||
| if component.Location != nil && component.Location.File != "" { | ||
| pomPaths = append(pomPaths, component.Location.File) | ||
| } | ||
| } | ||
| return pomPaths | ||
| } |
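Review bot: getPomPaths silently skips components with a nil Location or empty File and returns an empty slice when none qualify, and it appends the same file twice when two components in one module report it; have the caller treat an empty result as an error in the scan results (the commit message says this should fail explicitly) and dedupe with a seen map so one pom.xml is not rewritten twice in the same PR. The loop is not Maven-specific, so it fits in utils as suggested.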
this gets all occurrences of a vulnerability (the exact package and version)
can be moved to a utils because multiple package updaters will use this logic
| ) | ||
|
|
||
| const ( | ||
| mavenCoordinateSeparator = ":" |
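Review bot: mavenCoordinateSeparator keeps the "coordinate" wording that the later commit moved away from when it renamed the helpers to parseDependencyName/toDependencyName; name the constant after the same concept (e.g. dependencyNameSeparator) so the constant and the helpers that split on it agree.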
can rename to package instead of coordinate
| updated := false | ||
| newContent := content | ||
|
|
||
| if updated, newContent = mpu.updateInParent(&project, groupId, artifactId, fixedVersion, newContent); updated { |
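Review bot: updateInParent is tried first in the chain, yet parent POM resolution is listed as an engine limitation, so on current scan results this branch cannot succeed and a miss falls through to the generic "dependency ... not found" error with no hint why; add a TODO pointing at the engine limitation and a debug log when the parent path yields nothing, so a real "not found" is distinguishable from an unresolved parent. The `updated := false` pre-declaration is only needed if a later branch reads it unassigned; otherwise the `=` in the if-init could be `:=` with narrower scope.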
currently not working because of the engine
| return fmt.Errorf("dependency %s not found in %s", toDependencyName(groupId, artifactId), pomPath) | ||
| } | ||
|
|
||
| func (mpu *MavenPackageUpdater) SetCommonParams(serverDetails *config.ServerDetails, depsRepo string) {} |
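Review bot: SetCommonParams has an empty body, so serverDetails and depsRepo are discarded with nothing telling a reader this is intentional; add a TODO stating that the method is a no-op pending removal of the common package handler, so it is not mistaken for an unfinished implementation.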
will remove once common package handler is deprecated (can add todo)