Java: Handle multimodule projects in FileParser

lib/dependabot/file_parsers/java/maven.rb

@@ -17,13 +17,13 @@ class Maven < Dependabot::FileParsers::Base
 
         def parse
           dependency_set = DependencySet.new
-          dependency_set += pomfile_dependencies
+          pomfiles.each { |pom| dependency_set += pomfile_dependencies(pom) }
           dependency_set.dependencies
         end
 
         private
 
-        def pomfile_dependencies
+        def pomfile_dependencies(pom)
           dependency_set = DependencySet.new
 
           doc = Nokogiri::XML(pom.content)
@@ -36,7 +36,7 @@ def pomfile_dependencies
                 package_manager: "maven",
                 requirements: [{
                   requirement: dependency_requirement(dependency_node),
-                  file: "pom.xml",
+                  file: pom.name,
                   groups: [],
                   source: nil
                 }]
@@ -73,31 +73,40 @@ def dependency_requirement(dependency_node)
 
           return version_content unless version_content.match?(PROPERTY_REGEX)
 
-          property_name = version_content.match(PROPERTY_REGEX).
-                          named_captures.fetch("property")
-
-          doc = Nokogiri::XML(pom.content)
-          doc.remove_namespaces!
-          property_value =
-            if property_name.start_with?("project.")
-              path = "//project/#{property_name.gsub(/^project\./, '')}"
-              doc.at_xpath(path)&.content&.strip ||
-                doc.at_xpath("//properties/#{property_name}").content.strip
-            else
-              doc.at_xpath("//properties/#{property_name}").content.strip
-            end
+          prop_name = version_content.match(PROPERTY_REGEX).
+                      named_captures.fetch("property")
 
+          property_value = value_for_property(prop_name)
           version_content.gsub(PROPERTY_REGEX, property_value)
         end
 
-        def pom
-          @pom ||= get_original_file("pom.xml")
+        def value_for_property(property_name)
+          pomfiles.each do |pom|
+            doc = Nokogiri::XML(pom.content)
+            doc.remove_namespaces!
+
+            value =
+              if property_name.start_with?("project.")
+                path = "//project/#{property_name.gsub(/^project\./, '')}"
+                doc.at_xpath(path)&.content&.strip ||
+                  doc.at_xpath("//properties/#{property_name}")&.content&.strip
+              else
+                doc.at_xpath("//properties/#{property_name}")&.content&.strip
+              end
+
+            return value if value
+          end
+
+          raise "Property not found: #{prop_name}"
+        end
+
+        def pomfiles
+          @pomfiles ||=
+            dependency_files.select { |f| f.name.end_with?("pom.xml") }
         end
 
         def check_required_files
-          %w(pom.xml).each do |filename|
-            raise "No #{filename}!" unless get_original_file(filename)
-          end
+          raise "No pom.xml!" unless get_original_file("pom.xml")
         end
       end
     end

spec/dependabot/file_parsers/java/maven_spec.rb

@@ -317,9 +317,7 @@
     end
 
     context "with a repeated dependency" do
-      let(:pom_body) do
-        fixture("java", "poms", "repeated_pom.xml")
-      end
+      let(:pom_body) { fixture("java", "poms", "repeated_pom.xml") }
 
       its(:length) { is_expected.to eq(1) }
 
@@ -374,5 +372,79 @@
         end
       end
     end
+
+    context "with a repeated dependency" do
+      let(:files) do
+        [
+          multimodule_pom, util_pom, business_app_pom, legacy_pom, webapp_pom,
+          some_spring_project_pom
+        ]
+      end
+      let(:multimodule_pom) do
+        Dependabot::DependencyFile.new(
+          name: "pom.xml",
+          content: fixture("java", "poms", "multimodule_pom.xml")
+        )
+      end
+      let(:util_pom) do
+        Dependabot::DependencyFile.new(
+          name: "util/pom.xml",
+          content: fixture("java", "poms", "util_pom.xml")
+        )
+      end
+      let(:business_app_pom) do
+        Dependabot::DependencyFile.new(
+          name: "business-app/pom.xml",
+          content: fixture("java", "poms", "business_app_pom.xml")
+        )
+      end
+      let(:legacy_pom) do
+        Dependabot::DependencyFile.new(
+          name: "legacy/pom.xml",
+          content: fixture("java", "poms", "legacy_pom.xml")
+        )
+      end
+      let(:webapp_pom) do
+        Dependabot::DependencyFile.new(
+          name: "legacy/webapp/pom.xml",
+          content: fixture("java", "poms", "webapp_pom.xml")
+        )
+      end
+      let(:some_spring_project_pom) do
+        Dependabot::DependencyFile.new(
+          name: "legacy/some-spring-project/pom.xml",
+          content: fixture("java", "poms", "some_spring_project_pom.xml")
+        )
+      end
+
+      its(:length) { is_expected.to eq(8) }
+
+      describe "the first dependency" do
+        subject(:dependency) { dependencies.first }
+
+        it "has the right details" do
+          expect(dependency).to be_a(Dependabot::Dependency)
+          expect(dependency.name).
+            to eq("com.google.guava:guava")
+          expect(dependency.version).to eq("24.0-jre")
+          expect(dependency.requirements).to eq(
+            [
+              {
+                requirement: "24.0-jre",
+                file: "pom.xml",
+                groups: [],
+                source: nil
+              },
+              {
+                requirement: nil,
+                file: "util/pom.xml",
+                groups: [],
+                source: nil
+              }
+            ]
+          )
+        end
+      end
+    end
   end
 end

spec/fixtures/java/poms/business_app_pom.xml

@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>my-fantastic-project</artifactId>
+        <groupId>net.evenh.multimodule</groupId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>business-app</artifactId>
+
+    <dependencies>
+        <dependency>
+            <groupId>net.evenh.multimodule</groupId>
+            <artifactId>util</artifactId>
+        </dependency>
+
+        <!-- JUnit should just be updated here -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>4.10</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>

spec/fixtures/java/poms/legacy_pom.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>my-fantastic-project</artifactId>
+        <groupId>net.evenh.multimodule</groupId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+
+    <modules>
+        <module>webapp</module>
+        <module>some-spring-project</module>
+    </modules>
+
+    <packaging>pom</packaging>
+    <artifactId>legacy</artifactId>
+
+    <dependencies>
+        <dependency>
+            <groupId>net.evenh.multimodule</groupId>
+            <artifactId>util</artifactId>
+        </dependency>
+    </dependencies>
+</project>

spec/fixtures/java/poms/multimodule_pom.xml

@@ -11,7 +11,7 @@
     <modules>
         <module>util</module>
         <module>./business-app</module>
-        <module>legacy</module>
+        <module>legacy/pom.xml</module>
     </modules>
     <packaging>pom</packaging>
 

spec/fixtures/java/poms/some_spring_project_pom.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>legacy</artifactId>
+        <groupId>net.evenh.multimodule</groupId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>some-spring-project</artifactId>
+
+    <dependencies>
+        <!-- Changes should be applied in root POM -->
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-aop</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+    </dependencies>
+</project>

spec/fixtures/java/poms/util_pom.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>my-fantastic-project</artifactId>
+        <groupId>net.evenh.multimodule</groupId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>util</artifactId>
+
+    <dependencies>
+        <!-- Guava is inherited from parent POM -->
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+        </dependency>
+    </dependencies>
+</project>

spec/fixtures/java/poms/webapp_pom.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>legacy</artifactId>
+        <groupId>net.evenh.multimodule</groupId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>webapp</artifactId>
+
+    <!-- Legacy dependencies that should be detected and updated here-->
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.struts</groupId>
+            <artifactId>struts-core</artifactId>
+            <version>1.3.5</version>
+        </dependency>
+    </dependencies>
+</project>