feat: override packages with inaccurate pom.properties files (#764)

* feat: override packages with inaccurate pom.properties files

* feat: add addiional context on long term solution

* fix: lint

Author: bdemeo12

lib/analyzer/applications/java.ts

@@ -251,6 +251,16 @@ async function unpackJars(
   return fingerprints;
 }
 
+/**
+ * Packages with inaccurate pom.properties files return null so that the JAR
+ * will be resolved using the SHA lookup instead.
+ *
+ * Long-term solution: resolve all JARs via maven-deps to remove the need for overrides.
+ */
+const POM_PROPERTIES_OVERRIDES = new Set([
+  "com.microsoft.sqlserver:mssql-jdbc",
+]);
+
 /**
  * Gets coords from the contents of a pom.properties file
  * @param {string} fileContent
@@ -261,6 +271,10 @@ export function getCoordsFromPomProperties(
 ): JarCoords | null {
   const coords = parsePomProperties(fileContent);
 
+  if (POM_PROPERTIES_OVERRIDES.has(`${coords.groupId}:${coords.artifactId}`)) {
+    return null;
+  }
+
   // we need all of these props to allow us to inject the package
   // into the depGraph
   if (!coords.artifactId || !coords.groupId || !coords.version) {

test/fixtures/pom-properties/mssql-jdbc.pom.properties

@@ -0,0 +1,4 @@
+# Generated by Maven
+groupId=com.microsoft.sqlserver
+artifactId=mssql-jdbc
+version=12.10.2

test/lib/analyzer/java.spec.ts

@@ -114,4 +114,12 @@ describe("getCoordsFromPomProperties function", () => {
     const coords = getCoordsFromPomProperties(fixture);
     expect(coords).toBeNull();
   });
+
+  it("returns null for packages with inaccurate pom.properties (e.g. mssql-jdbc omits version classifier)", () => {
+    const fixture = getTextFromFixture(
+      "pom-properties/mssql-jdbc.pom.properties",
+    );
+    const coords = getCoordsFromPomProperties(fixture);
+    expect(coords).toBeNull();
+  });
 });