diff --git a/maven/src/it/4397-metaversion-for-transitive-dependency/dep/pom.xml b/maven/src/it/4397-metaversion-for-transitive-dependency/dep/pom.xml
new file mode 100644
index 00000000000..ca05784847b
--- /dev/null
+++ b/maven/src/it/4397-metaversion-for-transitive-dependency/dep/pom.xml
@@ -0,0 +1,56 @@
+
+
+
+
+ 4.0.0
+
+ org.owasp.test
+ 4397-dependency-with-meta-transitive
+ 1.0-SNAPSHOT
+ jar
+
+ 4397-dependency-with-meta-transitive
+ Helper-project to play the role of dependency with transitive dependendencies
+ that use Maven's LATEST or RELEASE meta-versions.
+
+ An integration test similar to IT 3721-metaversion-dependencies, but with the RELEASE/LATEST meta-version
+ inside the pom of a transitive dependency
+
+
+
+ UTF-8
+ 8
+ 8
+
+
+
+
+ org.apache.commons
+ commons-compress
+ RELEASE
+
+
+ org.apache.commons
+ commons-pool2
+ LATEST
+
+
+
+
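Review bot: The description element of this helper pom has a typo, `dependendencies` should read `dependencies`. Everything else in the element is prose about the fixture and needs no change.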
diff --git a/maven/src/it/4397-metaversion-for-transitive-dependency/invoker.properties b/maven/src/it/4397-metaversion-for-transitive-dependency/invoker.properties
new file mode 100644
index 00000000000..e644de1b9da
--- /dev/null
+++ b/maven/src/it/4397-metaversion-for-transitive-dependency/invoker.properties
@@ -0,0 +1,20 @@
+#
+# This file is part of dependency-check-maven.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Copyright (c) 2023 Hans Aikema. All Rights Reserved.
+#
+# Note: the first goals needs the -U in order to properly resolve the RELEASE / LATEST meta-versions
+invoker.goals.1 = install --no-transfer-progress --batch-mode -f dep/pom.xml -U
+invoker.goals.2 = verify --no-transfer-progress --batch-mode -Dcve.startyear=2018 -Danalyzer.ossindex.enabled=false -f main/pom.xml
\ No newline at end of file
diff --git a/maven/src/it/4397-metaversion-for-transitive-dependency/main/pom.xml b/maven/src/it/4397-metaversion-for-transitive-dependency/main/pom.xml
new file mode 100644
index 00000000000..a3f216ffbcf
--- /dev/null
+++ b/maven/src/it/4397-metaversion-for-transitive-dependency/main/pom.xml
@@ -0,0 +1,68 @@
+
+
+
+
+ 4.0.0
+
+ org.owasp.test
+ 4397-metaversion-transitive-dependencies
+ 1.0-SNAPSHOT
+ pom
+
+ 4397-metaversion-transitive-dependencies
+ An integration test similar to IT 3721-metaversion-dependencies, but with the RELEASE/LATEST meta-version
+ inside the pom of a transitive dependency
+
+
+ UTF-8
+ 8
+ 8
+
+
+
+
+ org.owasp.test
+ 4397-dependency-with-meta-transitive
+ 1.0-SNAPSHOT
+
+
+
+
+
+ org.owasp
+ dependency-check-maven
+ ${odc.version}
+ false
+
+ XML
+ false
+ true
+
+
+
+
+ check
+
+
+
+
+
+
+
diff --git a/maven/src/it/4397-metaversion-for-transitive-dependency/pom.xml b/maven/src/it/4397-metaversion-for-transitive-dependency/pom.xml
new file mode 100644
index 00000000000..10c0fffa14e
--- /dev/null
+++ b/maven/src/it/4397-metaversion-for-transitive-dependency/pom.xml
@@ -0,0 +1,26 @@
+
+
+
+ 4.0.0
+ org.owasp.test.aggregate
+ 4397-dummy
+ 1.0.0-SNAPSHOT
+ pom
+ Just an empty pom to make maven-invoker-plugin discover this integration test.
+
\ No newline at end of file
diff --git a/maven/src/it/4397-metaversion-for-transitive-dependency/postbuild.groovy b/maven/src/it/4397-metaversion-for-transitive-dependency/postbuild.groovy
new file mode 100644
index 00000000000..2f84c9eb904
--- /dev/null
+++ b/maven/src/it/4397-metaversion-for-transitive-dependency/postbuild.groovy
@@ -0,0 +1,46 @@
+/*
+ * This file is part of dependency-check-maven.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2023 Hans Aikema. All Rights Reserved.
+ */
+
+import org.apache.commons.io.FileUtils;
+import org.w3c.dom.NodeList;
+
+import java.nio.charset.Charset;
+import javax.xml.xpath.*
+import javax.xml.parsers.DocumentBuilderFactory
+
+def countMatches(String xml, String xpathQuery) {
+ def xpath = XPathFactory.newInstance().newXPath()
+ def builder = DocumentBuilderFactory.newInstance().newDocumentBuilder()
+ def inputStream = new ByteArrayInputStream( xml.bytes )
+ def records = builder.parse(inputStream).documentElement
+ NodeList nodes = xpath.evaluate( xpathQuery, records, XPathConstants.NODESET ) as NodeList
+ nodes.getLength();
+}
+
+String log = FileUtils.readFileToString(new File(basedir, "main/target/dependency-check-report.xml"), Charset.defaultCharset().name());
+int count = countMatches(log,"/analysis/dependencies/dependency/evidenceCollected/evidence[@type='product' and ./value = 'commons-compress' and ./name = 'artifactid']");
+if (count != 1){
+ System.out.println(String.format("commons-compress was identified %s times, expected 1", count));
+ return false;
+}
+count = countMatches(log,"/analysis/dependencies/dependency/evidenceCollected/evidence[@type='product' and ./value = 'commons-pool2' and ./name = 'artifactid']");
+if (count != 1){
+ System.out.println(String.format("commons-pool2 was identified %s times, expected 1", count));
+ return false;
+}
+return true;
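Review bot: `FileUtils.readFileToString(..., Charset.defaultCharset().name())` on the line that reads the report, together with `xml.bytes` inside countMatches, decodes and then re-encodes the XML with the platform charset, so on a non-UTF-8 locale any non-ASCII evidence value in the report is altered before the parser sees it and the file's own encoding declaration is never consulted. Reading the report as bytes and handing them straight to `builder.parse` lets the parser honour the declared encoding and removes the charset guess entirely. While the factory is being created, disallowing DOCTYPE declarations is one extra line and keeps the parser from ever resolving external entities in the report it reads; the report is produced locally, so this only pins down an assumption the script already makes.
```groovy
def countMatches(byte[] xml, String xpathQuery) {
    def xpath = XPathFactory.newInstance().newXPath()
    def factory = DocumentBuilderFactory.newInstance()
    // the report never carries a DOCTYPE; refuse one rather than let the parser resolve entities
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    def builder = factory.newDocumentBuilder()
    // raw bytes go to the parser so the XML encoding declaration decides the charset
    def records = builder.parse(new ByteArrayInputStream(xml)).documentElement
    NodeList nodes = xpath.evaluate(xpathQuery, records, XPathConstants.NODESET) as NodeList
    nodes.getLength()
}

byte[] log = FileUtils.readFileToByteArray(new File(basedir, "main/target/dependency-check-report.xml"))
// … unchanged: the two countMatches checks and the final return …
```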
diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 6d170de4b6d..e7dde01a8cb 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -1564,7 +1564,12 @@ private boolean sameArtifact(final ArtifactResult res, final Artifact unresolved
}
boolean result = Objects.equals(res.getArtifact().getGroupId(), unresolvedArtifact.getGroupId());
result &= Objects.equals(res.getArtifact().getArtifactId(), unresolvedArtifact.getArtifactId());
- result &= Objects.equals(res.getArtifact().getBaseVersion(), unresolvedArtifact.getBaseVersion());
+ // accept any version as matching "LATEST" and any non-snapshot version as matching "RELEASE" meta-version
+ if ("RELEASE".equals(unresolvedArtifact.getBaseVersion())) {
+ result &= !res.getArtifact().isSnapshot();
+ } else if (!"LATEST".equals(unresolvedArtifact.getBaseVersion())) {
+ result &= Objects.equals(res.getArtifact().getBaseVersion(), unresolvedArtifact.getBaseVersion());
+ }
result &= Objects.equals(res.getArtifact().getClassifier(), unresolvedArtifact.getClassifier());
result &= Objects.equals(res.getArtifact().getType(), unresolvedArtifact.getType());
return result;
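Review bot: With the added branches, an unresolved artifact whose base version is `LATEST` (or `RELEASE`, for any non-snapshot result) now matches every result that shares its groupId, artifactId, classifier and type, so when the result set holds more than one version of those coordinates the first one the caller encounters is paired with it rather than the one the resolver actually chose; whether that situation can arise depends on how the caller iterates the results, which is outside this hunk. If the caller can reach the resolved version, comparing against it would keep the match exact; otherwise the comment opening the branch should state the intent explicitly, e.g. `// LATEST/RELEASE carry no comparable version: any (non-snapshot) result with the same coordinates is accepted`. If `Artifact` here is `org.apache.maven.artifact.Artifact`, its `Artifact.LATEST_VERSION` and `Artifact.RELEASE_VERSION` constants would replace the two string literals. The signature of sameArtifact lies above the hunk.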