From 5fd7399e229842cbf9fe48c816477489bae990af Mon Sep 17 00:00:00 2001
From: Gareth Jones
Date: Fri, 1 Nov 2024 09:02:32 +1300
Subject: [PATCH] fix: process managed dependencies before standard dependencies when parsing `pom.xml`s (#279)
---
 pkg/lockfile/parse-maven-lock.go | 6 +++---
 pkg/lockfile/parse-maven-lock_test.go | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkg/lockfile/parse-maven-lock.go b/pkg/lockfile/parse-maven-lock.go
index 6491b25e..671a53f9 100644
--- a/pkg/lockfile/parse-maven-lock.go
+++ b/pkg/lockfile/parse-maven-lock.go
@@ -115,7 +115,7 @@ func ParseMavenLock(pathToLockfile string) ([]PackageDetails, error) {
 details := map[string]PackageDetails{}
- for _, lockPackage := range parsedLockfile.Dependencies {
+ for _, lockPackage := range parsedLockfile.ManagedDependencies {
 finalName := lockPackage.GroupID + ":" + lockPackage.ArtifactID
 details[finalName] = PackageDetails{
@@ -126,8 +126,8 @@ func ParseMavenLock(pathToLockfile string) ([]PackageDetails, error) {
 }
 }
- // managed dependencies take precedent over standard dependencies
- for _, lockPackage := range parsedLockfile.ManagedDependencies {
+ // standard dependencies take precedent over managed dependencies
+ for _, lockPackage := range parsedLockfile.Dependencies {
 finalName := lockPackage.GroupID + ":" + lockPackage.ArtifactID
 details[finalName] = PackageDetails{
diff --git a/pkg/lockfile/parse-maven-lock_test.go b/pkg/lockfile/parse-maven-lock_test.go
index d7ef4c87..da8f05c1 100644
--- a/pkg/lockfile/parse-maven-lock_test.go
+++ b/pkg/lockfile/parse-maven-lock_test.go
@@ -101,7 +101,7 @@ func TestParseMavenLock_WithDependencyManagement(t *testing.T) {
 expectPackages(t, packages, []lockfile.PackageDetails{
 {
 Name: "io.netty:netty-all",
- Version: "4.1.42.Final",
+ Version: "4.1.9",
 Ecosystem: lockfile.MavenEcosystem,
 CompareAs: lockfile.MavenEcosystem,
 },
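Review bot: The second loop in the `@@ -126,8 +126,8 @@` hunk, now ranging over `parsedLockfile.Dependencies`, overwrites `details[finalName]` unconditionally, so a `<dependency>` that omits `<version>` and relies on `<dependencyManagement>` to supply it would replace the managed entry with an empty version — assuming the struct literal beyond the hunk copies `lockPackage.Version` as before, which I cannot see from here. For a scanner that matches advisories on the recorded version, losing the managed version means such a package is effectively unscannable, so a guard before the overwrite such as `if _, ok := details[finalName]; ok && lockPackage.Version == "" { continue }` would keep the managed version in that case. The new comment also misuses the idiom; it should read `// standard dependencies take precedence over managed dependencies`. ParseMavenLock starts and ends outside both hunks of this file.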