Respect overrideTransitive=false in DependencyVulnerabilityCheck (#…

…130) * Respect `overrideTransitive=false` in `DependencyVulnerabilityCheck` * Verify that override transitive is disabled by default
openrewrite · Dec 5, 2024 · ef30eea · ef30eea
1 parent adabc83
commit ef30eea
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 6 deletions.
diff --git a/src/main/java/org/openrewrite/java/dependencies/DependencyVulnerabilityCheck.java b/src/main/java/org/openrewrite/java/dependencies/DependencyVulnerabilityCheck.java
@@ -264,7 +264,7 @@ public TreeVisitor<?, ExecutionContext> getVisitor(Accumulator acc) {
                             .getVisitor(acc.getDependencyAcc())
                             .visitNonNull(t, ctx);
                     String because = null;
-                    if (t2 == t) {
+                    if (t2 == t && overrideTransitive != null && overrideTransitive) {
                         because = because(vulnerabilities);
                         t2 = new UpgradeTransitiveDependencyVersion(gav.getGroupId(), gav.getArtifactId(), versionToRequest, scope, null, null, null, because, null, null, true)
                                 .getVisitor(acc.getTransitiveAcc())

diff --git a/src/test/java/org/openrewrite/java/dependencies/DependencyVulnerabilityCheckTest.java b/src/test/java/org/openrewrite/java/dependencies/DependencyVulnerabilityCheckTest.java
@@ -46,15 +46,15 @@ void gradleTransitive() {
             """
               plugins { id 'java' }
               repositories { mavenCentral() }
-              
+
               dependencies {
                   implementation 'org.openrewrite:rewrite-java:7.0.0'
               }
               """,
             """
               plugins { id 'java' }
               repositories { mavenCentral() }
-              
+
               dependencies {
                   constraints {
                       runtimeOnly('io.github.classgraph:classgraph:4.8.112') {
@@ -64,7 +64,7 @@ void gradleTransitive() {
                           because 'CVE-2020-36518, CVE-2021-46877, CVE-2022-42003, CVE-2022-42004'
                       }
                   }
-              
+
                   implementation 'org.openrewrite:rewrite-java:7.0.0'
               }
               """
@@ -82,15 +82,15 @@ void milestoneVersion() {
             """
               plugins { id 'java' }
               repositories { mavenCentral() }
-              
+
               dependencies {
                   implementation 'org.apache.tomcat.embed:tomcat-embed-core:10.0.0-M1'
               }
               """,
             """
               plugins { id 'java' }
               repositories { mavenCentral() }
-              
+
               dependencies {
                   implementation 'org.apache.tomcat.embed:tomcat-embed-core:10.0.27'
               }
@@ -190,6 +190,30 @@ void mavenTransitive() {
         );
     }
 
+    @Test
+    void mavenOverrideTransitiveDisabledByDefault() {
+        rewriteRun(
+          spec -> spec.recipe(new DependencyVulnerabilityCheck(null, null)),
+          //language=xml
+          pomXml(
+            """
+              <project>
+                <groupId>com.mycompany.app</groupId>
+                <artifactId>my-app</artifactId>
+                <version>1</version>
+                <dependencies>
+                  <dependency>
+                    <groupId>org.openrewrite</groupId>
+                    <artifactId>rewrite-java</artifactId>
+                    <version>7.0.0</version>
+                  </dependency>
+                </dependencies>
+              </project>
+              """
+          )
+        );
+    }
+
     @Test
     void maven() {
         rewriteRun(