From 5625902f391e4b4f2cc57a8882cea507eba1cc72 Mon Sep 17 00:00:00 2001
From: Noah Santschi-Cooney <noah@santschi-cooney.ch>
Date: Thu, 21 May 2026 13:57:12 +0100
Subject: [PATCH 1/2] fix(maven): resolve version ranges in component analysis

Maven version ranges (e.g. `[1.2.17,1.3.0)`, `(1.0,2.0]`) in pom.xml
dependency versions are preserved verbatim by `mvn help:effective-pom`.
Component analysis uses the effective POM to extract dependency versions,
so range expressions end up as the version in the PackageURL. The backend
cannot look up vulnerabilities for a range-valued purl, so these
dependencies were silently dropped from analysis results.

Stack analysis was unaffected because it uses `mvn dependency:tree`,
which resolves ranges to concrete versions before output.

Add `resolveVersionRanges` to detect range-valued versions in the
effective POM output and resolve them by running
`mvn dependency:tree -DoutputType=text -Dscope=compile`, parsing the
direct dependencies (depth 1) to extract the concrete versions Maven
selects. The resolution is guarded: it only runs when at least one
dependency has a version range, and falls back to the original range
values if the tree invocation fails.

Ref: https://github.com/fabric8-analytics/fabric8-analytics-vscode-extension/issues/812

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../providers/JavaMavenProvider.java          |  78 ++++++
 .../providers/Java_Maven_Provider_Test.java   |  45 +++-
 .../maven/deps_with_version_range/depTree.txt |   3 +
 .../deps_with_version_range/effectivePom.xml  | 252 ++++++++++++++++++
 .../expected_component_sbom.json              |  51 ++++
 .../expected_stack_sbom.json                  |  51 ++++
 .../maven/deps_with_version_range/pom.xml     |  22 ++
 7 files changed, 497 insertions(+), 5 deletions(-)
 create mode 100644 src/test/resources/tst_manifests/maven/deps_with_version_range/depTree.txt
 create mode 100644 src/test/resources/tst_manifests/maven/deps_with_version_range/effectivePom.xml
 create mode 100644 src/test/resources/tst_manifests/maven/deps_with_version_range/expected_component_sbom.json
 create mode 100644 src/test/resources/tst_manifests/maven/deps_with_version_range/expected_stack_sbom.json
 create mode 100644 src/test/resources/tst_manifests/maven/deps_with_version_range/pom.xml

diff --git a/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java b/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java
index da01e03b..7b798b33 100644
--- a/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java
+++ b/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java
@@ -36,6 +36,7 @@
 import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
@@ -228,6 +229,7 @@ private Content generateSbomFromEffectivePom() throws IOException {
             .filter(DependencyAggregator::isTestDependency)
             .collect(Collectors.toSet());
     var deps = getDependencies(tmpEffPom);
+    deps = resolveVersionRanges(deps);
     var sbom = SbomFactory.newInstance().addRoot(getRoot(tmpEffPom), readLicenseFromManifest());
     deps.stream()
         .filter(dep -> !testsDeps.contains(dep))
@@ -239,6 +241,82 @@ private Content generateSbomFromEffectivePom() throws IOException {
     return new Content(sbom.getAsJsonString().getBytes(), Api.CYCLONEDX_MEDIA_TYPE);
   }
 
+  /**
+   * Checks whether the given version string is a Maven version range expression (starts with '[' or
+   * '(').
+   */
+  private static boolean isVersionRange(String version) {
+    if (version == null || version.isEmpty()) return false;
+    char first = version.charAt(0);
+    return first == '[' || first == '(';
+  }
+
+  /**
+   * Resolves Maven version ranges by running the dependency tree plugin and replacing range
+   * expressions with concrete resolved versions. If no version ranges are present, the original
+   * list is returned unchanged. On failure, the original list is returned with a warning logged.
+   */
+  private List<DependencyAggregator> resolveVersionRanges(List<DependencyAggregator> deps)
+      throws IOException {
+    // Short-circuit: if no dep has a version range, return unchanged
+    boolean hasRanges = deps.stream().anyMatch(d -> isVersionRange(d.version));
+    if (!hasRanges) {
+      return deps;
+    }
+
+    Path tmpFile = Files.createTempFile("TRUSTIFY_DA_range_tree_", ".txt");
+    try {
+      var cmd =
+          buildMvnCommandArgs(
+              "org.apache.maven.plugins:maven-dependency-plugin:3.6.0:tree",
+              "-Dscope=compile",
+              "-DoutputType=text",
+              String.format("-DoutputFile=%s", tmpFile.toString()),
+              "-f",
+              manifestPath.toString(),
+              "--batch-mode",
+              "-q");
+      Operations.runProcess(manifestPath.getParent(), cmd.toArray(String[]::new), getMvnExecEnvs());
+
+      // Read the dependency tree output and build a lookup map of resolved versions
+      List<String> lines = Files.readAllLines(tmpFile);
+      Map<String, String> resolvedVersions = new HashMap<>();
+      for (String line : lines) {
+        if (getDepth(line) == 1) {
+          DependencyAggregator resolved = parseDep(line);
+          resolvedVersions.put(resolved.groupId + ":" + resolved.artifactId, resolved.version);
+        }
+      }
+
+      // Replace version ranges with resolved concrete versions
+      for (DependencyAggregator dep : deps) {
+        if (isVersionRange(dep.version)) {
+          String key = dep.groupId + ":" + dep.artifactId;
+          String resolved = resolvedVersions.get(key);
+          if (resolved != null) {
+            if (debugLoggingIsNeeded()) {
+              log.info(
+                  String.format(
+                      "Resolved version range for %s: %s -> %s", key, dep.version, resolved));
+            }
+            dep.version = resolved;
+          }
+        }
+      }
+    } catch (Exception e) {
+      log.warning(
+          String.format(
+              "Failed to resolve version ranges via dependency tree, "
+                  + "using original versions: %s",
+              e.getMessage()));
+      return deps;
+    } finally {
+      Files.deleteIfExists(tmpFile);
+    }
+
+    return deps;
+  }
+
   private PackageURL getRoot(final Path manifestPath) throws IOException {
     XMLStreamReader reader = null;
     try {
diff --git a/src/test/java/io/github/guacsec/trustifyda/providers/Java_Maven_Provider_Test.java b/src/test/java/io/github/guacsec/trustifyda/providers/Java_Maven_Provider_Test.java
index ed70a06d..22e21060 100644
--- a/src/test/java/io/github/guacsec/trustifyda/providers/Java_Maven_Provider_Test.java
+++ b/src/test/java/io/github/guacsec/trustifyda/providers/Java_Maven_Provider_Test.java
@@ -56,7 +56,8 @@ static Stream<String> testFolders() {
         "deps_with_ignore_on_version",
         "deps_with_ignore_on_wrong",
         "deps_with_no_ignore",
-        "pom_deps_with_no_ignore_common_paths");
+        "pom_deps_with_no_ignore_common_paths",
+        "deps_with_version_range");
   }
 
   @ParameterizedTest
@@ -143,12 +144,29 @@ void test_the_provideComponent(String testFolder) throws IOException {
             getClass(), String.format("tst_manifests/maven/%s/effectivePom.xml", testFolder))) {
       effectivePom = new String(is.readAllBytes());
     }
+
+    String depTree;
+    try (var is =
+        getResourceAsStreamDecision(
+            getClass(), String.format("tst_manifests/maven/%s/depTree.txt", testFolder))) {
+      depTree = new String(is.readAllBytes());
+    }
+
     try (MockedStatic<Operations> mockedOperations = mockStatic(Operations.class)) {
       mockedOperations
           .when(() -> Operations.runProcess(any(), any(), any()))
           .thenAnswer(
-              invocationOnMock ->
-                  getOutputFileAndOverwriteItWithMock(effectivePom, invocationOnMock, "-Doutput"));
+              invocationOnMock -> {
+                String result =
+                    getOutputFileAndOverwriteItWithMock(
+                        effectivePom, invocationOnMock, "-Doutput=");
+                if (result == null) {
+                  result =
+                      getOutputFileAndOverwriteItWithMock(
+                          depTree, invocationOnMock, "-DoutputFile");
+                }
+                return result;
+              });
       // Mock Operations.getCustomPathOrElse to return "mvn"
       mockedOperations.when(() -> Operations.getCustomPathOrElse(anyString())).thenReturn("mvn");
       mockedOperations
@@ -189,12 +207,29 @@ void test_the_provideComponent_With_Path(String testFolder) throws IOException {
             getClass(), String.format("tst_manifests/maven/%s/effectivePom.xml", testFolder))) {
       effectivePom = new String(is.readAllBytes());
     }
+
+    String depTree;
+    try (var is =
+        getResourceAsStreamDecision(
+            getClass(), String.format("tst_manifests/maven/%s/depTree.txt", testFolder))) {
+      depTree = new String(is.readAllBytes());
+    }
+
     try (MockedStatic<Operations> mockedOperations = mockStatic(Operations.class)) {
       mockedOperations
           .when(() -> Operations.runProcess(any(), any(), any()))
           .thenAnswer(
-              invocationOnMock ->
-                  getOutputFileAndOverwriteItWithMock(effectivePom, invocationOnMock, "-Doutput"));
+              invocationOnMock -> {
+                String result =
+                    getOutputFileAndOverwriteItWithMock(
+                        effectivePom, invocationOnMock, "-Doutput=");
+                if (result == null) {
+                  result =
+                      getOutputFileAndOverwriteItWithMock(
+                          depTree, invocationOnMock, "-DoutputFile");
+                }
+                return result;
+              });
       // Mock Operations.getCustomPathOrElse to return "mvn"
       mockedOperations.when(() -> Operations.getCustomPathOrElse(anyString())).thenReturn("mvn");
       mockedOperations
diff --git a/src/test/resources/tst_manifests/maven/deps_with_version_range/depTree.txt b/src/test/resources/tst_manifests/maven/deps_with_version_range/depTree.txt
new file mode 100644
index 00000000..761020ff
--- /dev/null
+++ b/src/test/resources/tst_manifests/maven/deps_with_version_range/depTree.txt
@@ -0,0 +1,3 @@
+pom-with-deps-version-range:pom-with-version-range-for-tests:jar:0.0.1
++- log4j:log4j:jar:1.2.17:compile
+\- org.xerial.snappy:snappy-java:jar:1.1.10.0:compile
diff --git a/src/test/resources/tst_manifests/maven/deps_with_version_range/effectivePom.xml b/src/test/resources/tst_manifests/maven/deps_with_version_range/effectivePom.xml
new file mode 100644
index 00000000..15f020c9
--- /dev/null
+++ b/src/test/resources/tst_manifests/maven/deps_with_version_range/effectivePom.xml
@@ -0,0 +1,252 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- ====================================================================== -->
+<!--                                                                        -->
+<!-- Generated by Maven Help Plugin                                         -->
+<!-- See: https://maven.apache.org/plugins/maven-help-plugin/               -->
+<!--                                                                        -->
+<!-- ====================================================================== -->
+<!-- ====================================================================== -->
+<!--                                                                        -->
+<!-- Effective POM for project                                              -->
+<!-- 'pom-with-deps-version-range:pom-with-version-range-for-tests:jar:0.0.1' -->
+<!--                                                                        -->
+<!-- ====================================================================== -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>pom-with-deps-version-range</groupId>
+  <artifactId>pom-with-version-range-for-tests</artifactId>
+  <version>0.0.1</version>
+  <dependencies>
+    <dependency>
+      <groupId>log4j</groupId>
+      <artifactId>log4j</artifactId>
+      <version>[1.2.17,1.3.0)</version>
+      <scope>compile</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.xerial.snappy</groupId>
+      <artifactId>snappy-java</artifactId>
+      <version>1.1.10.0</version>
+      <scope>compile</scope>
+    </dependency>
+  </dependencies>
+  <repositories>
+    <repository>
+      <snapshots>
+        <enabled>false</enabled>
+      </snapshots>
+      <id>central</id>
+      <name>Central Repository</name>
+      <url>https://repo.maven.apache.org/maven2</url>
+    </repository>
+  </repositories>
+  <pluginRepositories>
+    <pluginRepository>
+      <releases>
+        <updatePolicy>never</updatePolicy>
+      </releases>
+      <snapshots>
+        <enabled>false</enabled>
+      </snapshots>
+      <id>central</id>
+      <name>Central Repository</name>
+      <url>https://repo.maven.apache.org/maven2</url>
+    </pluginRepository>
+  </pluginRepositories>
+  <build>
+    <sourceDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/src/main/java</sourceDirectory>
+    <scriptSourceDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/src/main/scripts</scriptSourceDirectory>
+    <testSourceDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/src/test/java</testSourceDirectory>
+    <outputDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/target/classes</outputDirectory>
+    <testOutputDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/target/test-classes</testOutputDirectory>
+    <resources>
+      <resource>
+        <directory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/src/main/resources</directory>
+      </resource>
+    </resources>
+    <testResources>
+      <testResource>
+        <directory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/src/test/resources</directory>
+      </testResource>
+    </testResources>
+    <directory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/target</directory>
+    <finalName>pom-with-version-range-for-tests-0.0.1</finalName>
+    <pluginManagement>
+      <plugins>
+        <plugin>
+          <artifactId>maven-antrun-plugin</artifactId>
+          <version>1.3</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-assembly-plugin</artifactId>
+          <version>2.2-beta-5</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-dependency-plugin</artifactId>
+          <version>2.8</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-release-plugin</artifactId>
+          <version>2.5.3</version>
+        </plugin>
+      </plugins>
+    </pluginManagement>
+    <plugins>
+      <plugin>
+        <artifactId>maven-clean-plugin</artifactId>
+        <version>2.5</version>
+        <executions>
+          <execution>
+            <id>default-clean</id>
+            <phase>clean</phase>
+            <goals>
+              <goal>clean</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <artifactId>maven-resources-plugin</artifactId>
+        <version>2.6</version>
+        <executions>
+          <execution>
+            <id>default-testResources</id>
+            <phase>process-test-resources</phase>
+            <goals>
+              <goal>testResources</goal>
+            </goals>
+          </execution>
+          <execution>
+            <id>default-resources</id>
+            <phase>process-resources</phase>
+            <goals>
+              <goal>resources</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <artifactId>maven-jar-plugin</artifactId>
+        <version>2.4</version>
+        <executions>
+          <execution>
+            <id>default-jar</id>
+            <phase>package</phase>
+            <goals>
+              <goal>jar</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.1</version>
+        <executions>
+          <execution>
+            <id>default-compile</id>
+            <phase>compile</phase>
+            <goals>
+              <goal>compile</goal>
+            </goals>
+          </execution>
+          <execution>
+            <id>default-testCompile</id>
+            <phase>test-compile</phase>
+            <goals>
+              <goal>testCompile</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>2.12.4</version>
+        <executions>
+          <execution>
+            <id>default-test</id>
+            <phase>test</phase>
+            <goals>
+              <goal>test</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <artifactId>maven-install-plugin</artifactId>
+        <version>2.4</version>
+        <executions>
+          <execution>
+            <id>default-install</id>
+            <phase>install</phase>
+            <goals>
+              <goal>install</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <artifactId>maven-deploy-plugin</artifactId>
+        <version>2.7</version>
+        <executions>
+          <execution>
+            <id>default-deploy</id>
+            <phase>deploy</phase>
+            <goals>
+              <goal>deploy</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <artifactId>maven-site-plugin</artifactId>
+        <version>3.3</version>
+        <executions>
+          <execution>
+            <id>default-site</id>
+            <phase>site</phase>
+            <goals>
+              <goal>site</goal>
+            </goals>
+            <configuration>
+              <outputDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/target/site</outputDirectory>
+              <reportPlugins>
+                <reportPlugin>
+                  <groupId>org.apache.maven.plugins</groupId>
+                  <artifactId>maven-project-info-reports-plugin</artifactId>
+                </reportPlugin>
+              </reportPlugins>
+            </configuration>
+          </execution>
+          <execution>
+            <id>default-deploy</id>
+            <phase>site-deploy</phase>
+            <goals>
+              <goal>deploy</goal>
+            </goals>
+            <configuration>
+              <outputDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/target/site</outputDirectory>
+              <reportPlugins>
+                <reportPlugin>
+                  <groupId>org.apache.maven.plugins</groupId>
+                  <artifactId>maven-project-info-reports-plugin</artifactId>
+                </reportPlugin>
+              </reportPlugins>
+            </configuration>
+          </execution>
+        </executions>
+        <configuration>
+          <outputDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/target/site</outputDirectory>
+          <reportPlugins>
+            <reportPlugin>
+              <groupId>org.apache.maven.plugins</groupId>
+              <artifactId>maven-project-info-reports-plugin</artifactId>
+            </reportPlugin>
+          </reportPlugins>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+  <reporting>
+    <outputDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/target/site</outputDirectory>
+  </reporting>
+</project>
diff --git a/src/test/resources/tst_manifests/maven/deps_with_version_range/expected_component_sbom.json b/src/test/resources/tst_manifests/maven/deps_with_version_range/expected_component_sbom.json
new file mode 100644
index 00000000..753f4abe
--- /dev/null
+++ b/src/test/resources/tst_manifests/maven/deps_with_version_range/expected_component_sbom.json
@@ -0,0 +1,51 @@
+{
+  "bomFormat" : "CycloneDX",
+  "specVersion" : "1.4",
+  "version" : 1,
+  "metadata" : {
+    "timestamp" : "2025-04-09T12:15:45Z",
+    "component" : {
+      "type" : "application",
+      "bom-ref" : "pkg:maven/pom-with-deps-version-range/pom-with-version-range-for-tests@0.0.1",
+      "group" : "pom-with-deps-version-range",
+      "name" : "pom-with-version-range-for-tests",
+      "version" : "0.0.1",
+      "purl" : "pkg:maven/pom-with-deps-version-range/pom-with-version-range-for-tests@0.0.1"
+    }
+  },
+  "components" : [
+    {
+      "type" : "library",
+      "bom-ref" : "pkg:maven/log4j/log4j@1.2.17",
+      "group" : "log4j",
+      "name" : "log4j",
+      "version" : "1.2.17",
+      "purl" : "pkg:maven/log4j/log4j@1.2.17"
+    },
+    {
+      "type" : "library",
+      "bom-ref" : "pkg:maven/org.xerial.snappy/snappy-java@1.1.10.0",
+      "group" : "org.xerial.snappy",
+      "name" : "snappy-java",
+      "version" : "1.1.10.0",
+      "purl" : "pkg:maven/org.xerial.snappy/snappy-java@1.1.10.0"
+    }
+  ],
+  "dependencies" : [
+    {
+      "ref" : "pkg:maven/pom-with-deps-version-range/pom-with-version-range-for-tests@0.0.1",
+      "dependsOn" : [
+        "pkg:maven/log4j/log4j@1.2.17",
+        "pkg:maven/org.xerial.snappy/snappy-java@1.1.10.0"
+      ]
+    },
+    {
+      "ref" : "pkg:maven/log4j/log4j@1.2.17",
+      "dependsOn" : [ ]
+    },
+    {
+      "ref" : "pkg:maven/org.xerial.snappy/snappy-java@1.1.10.0",
+      "dependsOn" : [ ]
+    }
+  ]
+}
\ No newline at end of file
diff --git a/src/test/resources/tst_manifests/maven/deps_with_version_range/expected_stack_sbom.json b/src/test/resources/tst_manifests/maven/deps_with_version_range/expected_stack_sbom.json
new file mode 100644
index 00000000..fc3489fb
--- /dev/null
+++ b/src/test/resources/tst_manifests/maven/deps_with_version_range/expected_stack_sbom.json
@@ -0,0 +1,51 @@
+{
+  "bomFormat" : "CycloneDX",
+  "specVersion" : "1.4",
+  "version" : 1,
+  "metadata" : {
+    "timestamp" : "2025-04-09T12:14:35Z",
+    "component" : {
+      "type" : "application",
+      "bom-ref" : "pkg:maven/pom-with-deps-version-range/pom-with-version-range-for-tests@0.0.1",
+      "group" : "pom-with-deps-version-range",
+      "name" : "pom-with-version-range-for-tests",
+      "version" : "0.0.1",
+      "purl" : "pkg:maven/pom-with-deps-version-range/pom-with-version-range-for-tests@0.0.1"
+    }
+  },
+  "components" : [
+    {
+      "type" : "library",
+      "bom-ref" : "pkg:maven/log4j/log4j@1.2.17",
+      "group" : "log4j",
+      "name" : "log4j",
+      "version" : "1.2.17",
+      "purl" : "pkg:maven/log4j/log4j@1.2.17"
+    },
+    {
+      "type" : "library",
+      "bom-ref" : "pkg:maven/org.xerial.snappy/snappy-java@1.1.10.0",
+      "group" : "org.xerial.snappy",
+      "name" : "snappy-java",
+      "version" : "1.1.10.0",
+      "purl" : "pkg:maven/org.xerial.snappy/snappy-java@1.1.10.0"
+    }
+  ],
+  "dependencies" : [
+    {
+      "ref" : "pkg:maven/pom-with-deps-version-range/pom-with-version-range-for-tests@0.0.1",
+      "dependsOn" : [
+        "pkg:maven/log4j/log4j@1.2.17",
+        "pkg:maven/org.xerial.snappy/snappy-java@1.1.10.0"
+      ]
+    },
+    {
+      "ref" : "pkg:maven/log4j/log4j@1.2.17",
+      "dependsOn" : [ ]
+    },
+    {
+      "ref" : "pkg:maven/org.xerial.snappy/snappy-java@1.1.10.0",
+      "dependsOn" : [ ]
+    }
+  ]
+}
\ No newline at end of file
diff --git a/src/test/resources/tst_manifests/maven/deps_with_version_range/pom.xml b/src/test/resources/tst_manifests/maven/deps_with_version_range/pom.xml
new file mode 100644
index 00000000..cb277e06
--- /dev/null
+++ b/src/test/resources/tst_manifests/maven/deps_with_version_range/pom.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>pom-with-deps-version-range</groupId>
+  <artifactId>pom-with-version-range-for-tests</artifactId>
+  <version>0.0.1</version>
+
+  <dependencies>
+    <dependency>
+      <groupId>log4j</groupId>
+      <artifactId>log4j</artifactId>
+      <version>[1.2.17,1.3.0)</version>
+    </dependency>
+    <dependency>
+      <groupId>org.xerial.snappy</groupId>
+      <artifactId>snappy-java</artifactId>
+      <version>1.1.10.0</version>
+    </dependency>
+  </dependencies>
+</project>

From 6ef8aa98b7a0f815b27b76b256ca37e1d3221e2d Mon Sep 17 00:00:00 2001
From: Noah Santschi-Cooney <noah@santschi-cooney.ch>
Date: Wed, 3 Jun 2026 13:48:13 +0100
Subject: [PATCH 2/2] fix(maven): address PR #491 review feedback

- Extract DEP_TREE_PLUGIN constant to avoid duplicated GAV string
- Wrap Files.deleteIfExists in finally block with try/catch to prevent
  IOException from violating the "return original list" fallback contract
- Log full exception (with stack trace) instead of just e.getMessage()
- Replace absolute filesystem paths in effectivePom.xml fixture with
  relative paths
- Add failure-path test verifying graceful fallback when dependency:tree
  invocation fails

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../providers/JavaMavenProvider.java          | 18 +++++---
 .../providers/Java_Maven_Provider_Test.java   | 43 +++++++++++++++++++
 .../deps_with_version_range/effectivePom.xml  | 24 +++++------
 3 files changed, 68 insertions(+), 17 deletions(-)

diff --git a/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java b/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java
index 7b798b33..dd0464b0 100644
--- a/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java
+++ b/src/main/java/io/github/guacsec/trustifyda/providers/JavaMavenProvider.java
@@ -41,6 +41,7 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.stream.Collectors;
 import javax.xml.stream.XMLInputFactory;
@@ -60,6 +61,8 @@ public final class JavaMavenProvider extends BaseJavaProvider {
   private final String mvnExecutable;
   private static final String MVN = Operations.isWindows() ? "mvn.cmd" : "mvn";
   private static final String ARG_VERSION = "-v";
+  private static final String DEP_TREE_PLUGIN =
+      "org.apache.maven.plugins:maven-dependency-plugin:3.6.0:tree";
 
   public JavaMavenProvider(Path manifest) {
     super(Type.MAVEN, manifest);
@@ -136,7 +139,7 @@ public Content provideStack() throws IOException {
     var mvnTreeCmdArgs =
         new ArrayList<>(
             List.of(
-                "org.apache.maven.plugins:maven-dependency-plugin:3.6.0:tree",
+                DEP_TREE_PLUGIN,
                 "-Dscope=compile",
                 "-Dverbose",
                 "-DoutputType=text",
@@ -268,7 +271,7 @@ private List<DependencyAggregator> resolveVersionRanges(List<DependencyAggregato
     try {
       var cmd =
           buildMvnCommandArgs(
-              "org.apache.maven.plugins:maven-dependency-plugin:3.6.0:tree",
+              DEP_TREE_PLUGIN,
               "-Dscope=compile",
               "-DoutputType=text",
               String.format("-DoutputFile=%s", tmpFile.toString()),
@@ -304,14 +307,19 @@ private List<DependencyAggregator> resolveVersionRanges(List<DependencyAggregato
         }
       }
     } catch (Exception e) {
-      log.warning(
+      log.log(
+          Level.WARNING,
           String.format(
               "Failed to resolve version ranges via dependency tree, "
                   + "using original versions: %s",
-              e.getMessage()));
+              e.getMessage()),
+          e);
       return deps;
     } finally {
-      Files.deleteIfExists(tmpFile);
+      try {
+        Files.deleteIfExists(tmpFile);
+      } catch (IOException ignored) {
+      }
     }
 
     return deps;
diff --git a/src/test/java/io/github/guacsec/trustifyda/providers/Java_Maven_Provider_Test.java b/src/test/java/io/github/guacsec/trustifyda/providers/Java_Maven_Provider_Test.java
index 22e21060..1a982ece 100644
--- a/src/test/java/io/github/guacsec/trustifyda/providers/Java_Maven_Provider_Test.java
+++ b/src/test/java/io/github/guacsec/trustifyda/providers/Java_Maven_Provider_Test.java
@@ -30,6 +30,7 @@
 import java.util.Arrays;
 import java.util.Optional;
 import java.util.stream.Stream;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.MethodSource;
@@ -244,6 +245,48 @@ void test_the_provideComponent_With_Path(String testFolder) throws IOException {
     }
   }
 
+  @Test
+  void test_provideComponent_fallsBack_when_depTree_fails() throws IOException {
+    String testFolder = "deps_with_version_range";
+
+    var targetPom = resolveFile(String.format("tst_manifests/maven/%s/pom.xml", testFolder));
+
+    String effectivePom;
+    try (var is =
+        getResourceAsStreamDecision(
+            getClass(), String.format("tst_manifests/maven/%s/effectivePom.xml", testFolder))) {
+      effectivePom = new String(is.readAllBytes());
+    }
+
+    try (MockedStatic<Operations> mockedOperations = mockStatic(Operations.class)) {
+      mockedOperations
+          .when(() -> Operations.runProcess(any(), any(), any()))
+          .thenAnswer(
+              invocationOnMock -> {
+                String result =
+                    getOutputFileAndOverwriteItWithMock(
+                        effectivePom, invocationOnMock, "-Doutput=");
+                if (result == null) {
+                  throw new IOException("Simulated dependency:tree failure");
+                }
+                return result;
+              });
+      mockedOperations.when(() -> Operations.getCustomPathOrElse(anyString())).thenReturn("mvn");
+      mockedOperations
+          .when(() -> Operations.getExecutable(anyString(), anyString()))
+          .thenReturn("mvn");
+
+      var content = new JavaMavenProvider(targetPom).provideComponent();
+
+      assertThat(content.type).isEqualTo(Api.CYCLONEDX_MEDIA_TYPE);
+      String sbom = new String(content.buffer);
+      assertThat(sbom).contains("log4j");
+      assertThat(sbom).contains("snappy-java");
+      // Version range should remain unresolved since dep tree failed
+      assertThat(sbom).contains("[1.2.17,1.3.0)");
+    }
+  }
+
   private String dropIgnored(String s) {
     return s.replaceAll("\\s+", "").replaceAll("\"timestamp\":\"[a-zA-Z0-9\\-\\:]+\",", "");
   }
diff --git a/src/test/resources/tst_manifests/maven/deps_with_version_range/effectivePom.xml b/src/test/resources/tst_manifests/maven/deps_with_version_range/effectivePom.xml
index 15f020c9..341881bd 100644
--- a/src/test/resources/tst_manifests/maven/deps_with_version_range/effectivePom.xml
+++ b/src/test/resources/tst_manifests/maven/deps_with_version_range/effectivePom.xml
@@ -54,22 +54,22 @@
     </pluginRepository>
   </pluginRepositories>
   <build>
-    <sourceDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/src/main/java</sourceDirectory>
-    <scriptSourceDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/src/main/scripts</scriptSourceDirectory>
-    <testSourceDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/src/test/java</testSourceDirectory>
-    <outputDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/target/classes</outputDirectory>
-    <testOutputDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/target/test-classes</testOutputDirectory>
+    <sourceDirectory>src/main/java</sourceDirectory>
+    <scriptSourceDirectory>src/main/scripts</scriptSourceDirectory>
+    <testSourceDirectory>src/test/java</testSourceDirectory>
+    <outputDirectory>target/classes</outputDirectory>
+    <testOutputDirectory>target/test-classes</testOutputDirectory>
     <resources>
       <resource>
-        <directory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/src/main/resources</directory>
+        <directory>src/main/resources</directory>
       </resource>
     </resources>
     <testResources>
       <testResource>
-        <directory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/src/test/resources</directory>
+        <directory>src/test/resources</directory>
       </testResource>
     </testResources>
-    <directory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/target</directory>
+    <directory>target</directory>
     <finalName>pom-with-version-range-for-tests-0.0.1</finalName>
     <pluginManagement>
       <plugins>
@@ -208,7 +208,7 @@
               <goal>site</goal>
             </goals>
             <configuration>
-              <outputDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/target/site</outputDirectory>
+              <outputDirectory>target/site</outputDirectory>
               <reportPlugins>
                 <reportPlugin>
                   <groupId>org.apache.maven.plugins</groupId>
@@ -224,7 +224,7 @@
               <goal>deploy</goal>
             </goals>
             <configuration>
-              <outputDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/target/site</outputDirectory>
+              <outputDirectory>target/site</outputDirectory>
               <reportPlugins>
                 <reportPlugin>
                   <groupId>org.apache.maven.plugins</groupId>
@@ -235,7 +235,7 @@
           </execution>
         </executions>
         <configuration>
-          <outputDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/target/site</outputDirectory>
+          <outputDirectory>target/site</outputDirectory>
           <reportPlugins>
             <reportPlugin>
               <groupId>org.apache.maven.plugins</groupId>
@@ -247,6 +247,6 @@
     </plugins>
   </build>
   <reporting>
-    <outputDirectory>/home/zgrinber/git/trustify-da-java-client/src/test/resources/tst_manifests/maven/deps_with_version_range/target/site</outputDirectory>
+    <outputDirectory>target/site</outputDirectory>
   </reporting>
 </project>