chore: use correct method for finding missing versions of java PURLs (#1156)

benmss · web-flow · commit d2f3e39aa11f · 2025-08-19T09:23:55.000+10:00
Signed-off-by: Ben Selwyn-Smith &lt;benselwynsmith@googlemail.com&gt;
diff --git a/src/macaron/repo_finder/repo_finder_java.py b/src/macaron/repo_finder/repo_finder_java.py
@@ -51,10 +51,17 @@ def find_repo(self, purl: PackageURL) -> tuple[str, RepoFinderInfo]:
         artifact = purl.name
         version = purl.version or ""
 
+        outcome = RepoFinderInfo.FOUND
         if not version:
-            logger.debug("Version missing for maven artifact: %s:%s", group, artifact)
-            # TODO add support for Java artifacts without a version
-            return "", RepoFinderInfo.NO_VERSION_PROVIDED
+            # TODO: consider using a Maven specific method for finding missing versions.
+            logger.info("Version missing for maven artifact: %s:%s", group, artifact)
+            latest_purl, outcome = DepsDevRepoFinder().get_latest_version(purl)
+            if not latest_purl or not latest_purl.version:
+                logger.debug("Could not find version for artifact: %s:%s", purl.namespace, purl.name)
+                return "", RepoFinderInfo.NO_VERSION_PROVIDED
+            group = latest_purl.namespace or ""
+            artifact = latest_purl.name
+            version = latest_purl.version
 
         # Perform the following in a loop:
         # - Create URLs for the current artifact POM
@@ -64,19 +71,8 @@ def find_repo(self, purl: PackageURL) -> tuple[str, RepoFinderInfo]:
         # - Repeat
         limit = defaults.getint("repofinder.java", "parent_limit", fallback=10)
         initial_limit = limit
-        last_outcome = RepoFinderInfo.FOUND
+        last_outcome = outcome
         check_parents = defaults.getboolean("repofinder.java", "find_parents")
-
-        if not version:
-            logger.info("Version missing for maven artifact: %s:%s", group, artifact)
-            latest_purl, outcome = DepsDevRepoFinder().get_latest_version(purl)
-            if not latest_purl or not latest_purl.version:
-                logger.debug("Could not find version for artifact: %s:%s", purl.namespace, purl.name)
-                return "", outcome
-            group = latest_purl.namespace or ""
-            artifact = latest_purl.name
-            version = latest_purl.version
-
         while group and artifact and version and limit > 0:
             # Create the URLs for retrieving the artifact's POM.
             group = group.replace(".", "/")
diff --git a/tests/integration/cases/repo_finder_remote_calls/repo_finder.py b/tests/integration/cases/repo_finder_remote_calls/repo_finder.py
@@ -99,8 +99,12 @@ def test_repo_finder() -> int:
         return os.EX_UNAVAILABLE
 
     # Test Java package that has no version.
-    match, outcome = find_repo(PackageURL.from_string("pkg:maven/io.vertx/vertx-auth-common"))
-    if not match or outcome != RepoFinderInfo.FOUND:
+    # Disabling the latest version check ensures that only the missing version is retrieved, preventing the fallback
+    # functionality of using the non-Java method to find the version and repository.
+    match, outcome = find_repo(
+        PackageURL.from_string("pkg:maven/io.vertx/vertx-auth-common"), check_latest_version=False
+    )
+    if not match or outcome != RepoFinderInfo.FOUND_FROM_PARENT:
         return os.EX_UNAVAILABLE
 
     return os.EX_OK
