CM-64214: Fix missing dependency paths in Maven CLI scan

amitmoskovitz · claude · amitmoskovitz · commit a2799dd66e62 · 2026-05-18T17:22:59.000+03:00
Upgrade CycloneDX Maven plugin from 2.7.4 to 2.9.1 for more complete
dependency graphs, and fall back to dependency:tree when the generated
BOM has no dependency edges.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/cycode/cli/files_collector/sca/maven/restore_maven_dependencies.py b/cycode/cli/files_collector/sca/maven/restore_maven_dependencies.py
@@ -1,3 +1,4 @@
+import json
 from os import path
 from typing import Optional
 
@@ -16,6 +17,17 @@
 MAVEN_DEP_TREE_FILE_NAME = 'bcde.mvndeps'
 
 
+def _has_dependency_graph(bom_file_path: str) -> bool:
+    try:
+        content = get_file_content(bom_file_path)
+        if not content:
+            return False
+        bom = json.loads(content)
+        return any(dep.get('dependsOn') for dep in bom.get('dependencies', []))
+    except Exception:
+        return False
+
+
 class RestoreMavenDependencies(BaseRestoreDependencies):
     def __init__(self, ctx: typer.Context, is_git_diff: bool, command_timeout: int) -> None:
         super().__init__(ctx, is_git_diff, command_timeout)
@@ -24,7 +36,7 @@ def is_project(self, document: Document) -> bool:
         return path.basename(document.path).split('/')[-1] == BUILD_MAVEN_FILE_NAME
 
     def get_commands(self, manifest_file_path: str) -> list[list[str]]:
-        command = ['mvn', 'org.cyclonedx:cyclonedx-maven-plugin:2.7.4:makeAggregateBom', '-f', manifest_file_path]
+        command = ['mvn', 'org.cyclonedx:cyclonedx-maven-plugin:2.9.1:makeAggregateBom', '-f', manifest_file_path]
 
         maven_settings_file = self.ctx.obj.get('maven_settings_file')
         if maven_settings_file:
@@ -46,10 +58,12 @@ def try_restore_dependencies(self, document: Document) -> Optional[Document]:
         if restore_dependencies_document is None:
             return None
 
-        restore_dependencies_document.content = get_file_content(
-            join_paths(get_file_dir(manifest_file_path), self.get_lock_file_name())
-        )
+        bom_file_path = join_paths(get_file_dir(manifest_file_path), self.get_lock_file_name())
+
+        if not _has_dependency_graph(bom_file_path):
+            return self.restore_from_secondary_command(document, manifest_file_path)
 
+        restore_dependencies_document.content = get_file_content(bom_file_path)
         return restore_dependencies_document
 
     def restore_from_secondary_command(self, document: Document, manifest_file_path: str) -> Optional[Document]:
diff --git a/tests/cli/files_collector/sca/__init__.py b/tests/cli/files_collector/sca/__init__.py
diff --git a/tests/cli/files_collector/sca/test_restore_maven_dependencies.py b/tests/cli/files_collector/sca/test_restore_maven_dependencies.py
@@ -0,0 +1,136 @@
+import json
+import os
+import tempfile
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+from cycode.cli.files_collector.sca.maven.restore_maven_dependencies import (
+    RestoreMavenDependencies,
+    _has_dependency_graph,
+)
+from cycode.cli.models import Document
+
+
+def _write_bom(tmp_dir: str, bom: dict) -> str:
+    bom_path = os.path.join(tmp_dir, 'bom.json')
+    with open(bom_path, 'w') as f:
+        json.dump(bom, f)
+    return bom_path
+
+
+class TestHasDependencyGraph:
+    def test_returns_false_when_file_does_not_exist(self) -> None:
+        assert _has_dependency_graph('/nonexistent/path/bom.json') is False
+
+    def test_returns_false_when_file_is_empty(self) -> None:
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            bom_path = os.path.join(tmp_dir, 'bom.json')
+            open(bom_path, 'w').close()
+            assert _has_dependency_graph(bom_path) is False
+
+    def test_returns_false_when_dependencies_section_is_missing(self) -> None:
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            bom_path = _write_bom(tmp_dir, {'components': [{'name': 'foo'}]})
+            assert _has_dependency_graph(bom_path) is False
+
+    def test_returns_false_when_all_dependencies_have_empty_dependsOn(self) -> None:
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            bom = {'dependencies': [{'ref': 'pkg:maven/foo/bar@1.0', 'dependsOn': []}]}
+            bom_path = _write_bom(tmp_dir, bom)
+            assert _has_dependency_graph(bom_path) is False
+
+    def test_returns_false_when_dependencies_list_is_empty(self) -> None:
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            bom_path = _write_bom(tmp_dir, {'dependencies': []})
+            assert _has_dependency_graph(bom_path) is False
+
+    def test_returns_true_when_at_least_one_dependency_has_dependsOn(self) -> None:
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            bom = {
+                'dependencies': [
+                    {'ref': 'pkg:maven/com.example/root@1.0', 'dependsOn': ['pkg:maven/io.netty/netty-all@4.1.0']},
+                    {'ref': 'pkg:maven/io.netty/netty-all@4.1.0', 'dependsOn': []},
+                ]
+            }
+            bom_path = _write_bom(tmp_dir, bom)
+            assert _has_dependency_graph(bom_path) is True
+
+    def test_returns_false_when_bom_is_invalid_json(self) -> None:
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            bom_path = os.path.join(tmp_dir, 'bom.json')
+            with open(bom_path, 'w') as f:
+                f.write('not valid json {{{')
+            assert _has_dependency_graph(bom_path) is False
+
+
+class TestRestoreMavenDependenciesFallback:
+    def _make_instance(self) -> RestoreMavenDependencies:
+        ctx = MagicMock()
+        ctx.obj = {}
+        return RestoreMavenDependencies(ctx=ctx, is_git_diff=False, command_timeout=60)
+
+    def test_falls_back_to_secondary_command_when_bom_has_no_dependency_graph(self) -> None:
+        instance = self._make_instance()
+        document = MagicMock(spec=Document)
+        document.content = 'some content'
+
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            pom_path = os.path.join(tmp_dir, 'pom.xml')
+            open(pom_path, 'w').close()
+            bom_dir = os.path.join(tmp_dir, 'target')
+            os.makedirs(bom_dir)
+            _write_bom(bom_dir, {'dependencies': []})
+
+            fallback_doc = MagicMock(spec=Document)
+
+            with (
+                patch.object(instance, 'get_manifest_file_path', return_value=pom_path),
+                patch(
+                    'cycode.cli.files_collector.sca.maven.restore_maven_dependencies.BaseRestoreDependencies.try_restore_dependencies',
+                    return_value=MagicMock(spec=Document),
+                ),
+                patch.object(instance, 'restore_from_secondary_command', return_value=fallback_doc) as mock_fallback,
+            ):
+                result = instance.try_restore_dependencies(document)
+
+            mock_fallback.assert_called_once_with(document, pom_path)
+            assert result is fallback_doc
+
+    def test_returns_bom_document_when_dependency_graph_is_present(self) -> None:
+        instance = self._make_instance()
+        document = MagicMock(spec=Document)
+        document.content = 'some content'
+
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            pom_path = os.path.join(tmp_dir, 'pom.xml')
+            open(pom_path, 'w').close()
+            bom_dir = os.path.join(tmp_dir, 'target')
+            os.makedirs(bom_dir)
+            bom = {
+                'dependencies': [
+                    {'ref': 'pkg:maven/com.example/root@1.0', 'dependsOn': ['pkg:maven/io.netty/netty@4.1.0']}
+                ]
+            }
+            _write_bom(bom_dir, bom)
+
+            base_doc = MagicMock(spec=Document)
+
+            with (
+                patch.object(instance, 'get_manifest_file_path', return_value=pom_path),
+                patch(
+                    'cycode.cli.files_collector.sca.maven.restore_maven_dependencies.BaseRestoreDependencies.try_restore_dependencies',
+                    return_value=base_doc,
+                ),
+                patch.object(instance, 'restore_from_secondary_command') as mock_fallback,
+            ):
+                result = instance.try_restore_dependencies(document)
+
+            mock_fallback.assert_not_called()
+            assert result is base_doc
+
+    def test_uses_plugin_version_2_9_1(self) -> None:
+        instance = self._make_instance()
+        commands = instance.get_commands('/path/to/pom.xml')
+        assert len(commands) == 1
+        assert 'org.cyclonedx:cyclonedx-maven-plugin:2.9.1:makeAggregateBom' in commands[0]
