java-dependency-analyzer 1.0.0__py3-none-any.whl

java_dependency_analyzer/reporters/templates/report.html

@@ -0,0 +1,406 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Java Dependency Vulnerability Report</title>
+<style>
+  body { font-family: 'Segoe UI', Arial, sans-serif; margin: 0; padding: 20px; background: #f5f5f5; color: #333; }
+  h1 { color: #2c3e50; border-bottom: 3px solid #e74c3c; padding-bottom: 10px; }
+  h2 { color: #2c3e50; margin-top: 30px; }
+  .summary { display: flex; gap: 20px; flex-wrap: wrap; margin: 20px 0; }
+  .card {
+    background: #fff; border-radius: 8px; padding: 20px; min-width: 150px;
+    box-shadow: 0 2px 4px rgba(0,0,0,.1); text-align: center;
+    cursor: pointer; transition: box-shadow 0.2s, transform 0.15s, border 0.15s;
+    border: 2px solid transparent; user-select: none;
+  }
+  .card:hover { box-shadow: 0 4px 14px rgba(0,0,0,.18); transform: translateY(-2px); }
+  .card.active { border-color: #2980b9; box-shadow: 0 0 0 3px rgba(41,128,185,.25); }
+  .card .number { font-size: 2.5em; font-weight: bold; }
+  .card.danger .number { color: #e74c3c; }
+  .card.warning .number { color: #f39c12; }
+  .card.safe .number { color: #27ae60; }
+  .card .label { font-size: 0.85em; color: #666; margin-top: 4px; }
+  .meta { color: #666; font-size: 0.9em; margin-bottom: 20px; }
+  .filter-notice {
+    display: none; background: #eaf3fb; border-left: 4px solid #2980b9;
+    padding: 8px 14px; margin-bottom: 12px; border-radius: 4px;
+    font-size: 0.9em; color: #2c3e50;
+  }
+  .filter-notice.visible { display: flex; align-items: center; gap: 10px; }
+  .filter-notice button {
+    background: none; border: none; color: #2980b9; cursor: pointer;
+    font-size: 0.95em; padding: 0; text-decoration: underline;
+  }
+  table { width: 100%; border-collapse: collapse; background: #fff; border-radius: 8px; overflow: hidden; box-shadow: 0 2px 4px rgba(0,0,0,.1); }
+  thead { background: #2c3e50; color: #fff; }
+  th, td { padding: 12px 16px; text-align: left; border-bottom: 1px solid #eee; }
+  tr:last-child td { border-bottom: none; }
+  tr:hover td { background: #f9f9f9; }
+  tr.hidden { display: none; }
+  .badge { display: inline-block; padding: 2px 8px; border-radius: 4px; font-size: 0.8em; font-weight: bold; }
+  .badge-critical { background: #e74c3c; color: #fff; }
+  .badge-high { background: #e67e22; color: #fff; }
+  .badge-medium { background: #f39c12; color: #fff; }
+  .badge-low { background: #3498db; color: #fff; }
+  .badge-unknown { background: #95a5a6; color: #fff; }
+  .no-vulns { color: #27ae60; font-style: italic; }
+  a { color: #2980b9; text-decoration: none; }
+  a:hover { text-decoration: underline; }
+  details summary { cursor: pointer; font-weight: bold; color: #2c3e50; }
+  .vuln-row { background: #fff8f8; }
+  .vuln-cve { font-family: monospace; font-weight: bold; }
+  .footer { margin-top: 40px; text-align: center; color: #aaa; font-size: 0.8em; }
+  /* Dependency tree visuals */
+  .dep-name { white-space: nowrap; }
+  .dep-root > a { font-weight: 600; color: #2c3e50; }
+  .dep-root-dot { color: #2c3e50; margin-right: 6px; font-size: 1.1em; }
+  .tree-prefix { font-family: 'Courier New', monospace; color: #bbb; font-size: 0.9em; letter-spacing: 0; white-space: pre; }
+  .tree-connector { color: #aaa; font-family: 'Courier New', monospace; margin-right: 4px; }
+  tr[data-depth="0"] td:first-child { background: #fafafa; }
+  tr[data-depth="1"] td:first-child { background: #f5f8ff; }
+  tr[data-depth="2"] td:first-child { background: #f0f5ff; }
+  /* Collapsible tree */
+  .collapsed-hidden { display: none; }
+  .collapse-toggle {
+    display: inline-block; width: 16px; text-align: center;
+    cursor: pointer; color: #999; font-size: 0.85em;
+    user-select: none; margin-right: 2px;
+    transition: transform 0.15s;
+  }
+  .collapse-toggle:hover { color: #2980b9; }
+  .tree-controls { display: flex; gap: 8px; margin-bottom: 10px; }
+  .btn-tree {
+    background: #fff; border: 1px solid #ccc; border-radius: 4px;
+    padding: 4px 12px; font-size: 0.85em; cursor: pointer; color: #2c3e50;
+    transition: background 0.15s, border-color 0.15s;
+  }
+  .btn-tree:hover { background: #eaf3fb; border-color: #2980b9; color: #2980b9; }
+</style>
+</head>
+<body>
+<h1>Java Dependency Vulnerability Report</h1>
+<p class="meta">
+  <strong>Source:</strong> {{ result.source_file }}&nbsp;&nbsp;
+  <strong>Scanned at:</strong> {{ result.scanned_at }}
+</p>
+
+<h2>Summary</h2>
+<div class="summary">
+  <div class="card active" data-filter="all">
+    <div class="number">{{ result.total_dependencies }}</div>
+    <div class="label">Total Dependencies</div>
+  </div>
+  <div class="card {% if result.total_vulnerabilities > 0 %}danger{% else %}safe{% endif %}" data-filter="has-vulns">
+    <div class="number">{{ result.total_vulnerabilities }}</div>
+    <div class="label">Total Vulnerabilities</div>
+  </div>
+  <div class="card {% if result.vulnerable_dependencies|length > 0 %}warning{% else %}safe{% endif %}" data-filter="vuln-deps">
+    <div class="number">{{ result.vulnerable_dependencies|length }}</div>
+    <div class="label">Vulnerable Dependencies</div>
+  </div>
+</div>
+
+{% if result.total_vulnerabilities == 0 %}
+<p style="color: #27ae60; font-size: 1.1em;">&#x2714; No vulnerabilities found across all dependencies.</p>
+{% endif %}
+
+<h2>Dependency Tree</h2>
+<div class="filter-notice" id="filter-notice">
+  <span id="filter-notice-text"></span>
+  <button onclick="resetFilter()">Show all</button>
+</div>
+<div id="dep-tree-section">
+<div class="tree-controls" id="tree-controls">
+  <button class="btn-tree" onclick="expandAll()">Expand All</button>
+  <button class="btn-tree" onclick="collapseAll()">Collapse All</button>
+</div>
+<table id="dep-table">
+  <thead>
+    <tr>
+      <th>Dependency</th>
+      <th>Version</th>
+      <th>Scope</th>
+      <th>Vulnerabilities</th>
+    </tr>
+  </thead>
+  <tbody>
+    {% for dep in all_deps %}
+    <tr class="dep-row" data-depth="{{ dep.depth }}" data-vuln-count="{{ dep.vulnerabilities | length }}">
+      <td class="dep-name">
+        {% if dep.depth == 0 %}
+          <span class="dep-root">
+            <span class="dep-root-dot">&#9679;</span>
+            <a href="https://repo1.maven.org/maven2/{{ dep.group_id | replace('.', '/') }}/{{ dep.artifact_id }}/{{ dep.version }}/"
+               target="_blank" rel="noopener noreferrer">{{ dep.group_id }}:{{ dep.artifact_id }}</a>
+          </span>
+        {% else %}
+          <span class="tree-prefix">{{ '    ' * (dep.depth - 1) }}</span><span class="tree-connector">└─</span><a href="https://repo1.maven.org/maven2/{{ dep.group_id | replace('.', '/') }}/{{ dep.artifact_id }}/{{ dep.version }}/"
+             target="_blank" rel="noopener noreferrer">{{ dep.group_id }}:{{ dep.artifact_id }}</a>
+        {% endif %}
+      </td>
+      <td>{{ dep.version }}</td>
+      <td>{{ dep.scope }}</td>
+      <td>
+        {% if dep.vulnerabilities %}
+          {% for vuln in dep.vulnerabilities %}
+          <details>
+            <summary>
+              <span class="vuln-cve">{{ vuln.cve_id }}</span>
+              <span class="badge badge-{{ vuln.severity | lower | replace('cvss', '') | replace(' ', '') | truncate(8, true, '') }}">
+                {{ vuln.severity }}
+              </span>
+            </summary>
+            <p>{{ vuln.summary }}</p>
+            {% if vuln.affected_versions %}
+            <p><strong>Affected versions:</strong> {{ vuln.affected_versions | join(', ') }}</p>
+            {% endif %}
+            {% if vuln.reference_url %}
+            <p><a href="{{ vuln.reference_url }}" target="_blank" rel="noopener noreferrer">
+              More info &rarr;
+            </a></p>
+            {% endif %}
+            <p><em>Source: {{ vuln.source }}</em></p>
+          </details>
+          {% endfor %}
+        {% else %}
+          <span class="no-vulns">None found</span>
+        {% endif %}
+      </td>
+    </tr>
+    {% endfor %}
+  </tbody>
+</table>
+</div><!-- #dep-tree-section -->
+
+<div id="vuln-list-section" style="display:none;">
+  {% if result.vulnerable_dependencies %}
+  <table>
+    <thead>
+      <tr>
+        <th>Dependency</th>
+        <th>Version</th>
+        <th>Scope</th>
+        <th>Vulnerabilities</th>
+      </tr>
+    </thead>
+    <tbody>
+      {% for dep in result.vulnerable_dependencies %}
+      <tr>
+        <td>
+          <a href="https://repo1.maven.org/maven2/{{ dep.group_id | replace('.', '/') }}/{{ dep.artifact_id }}/{{ dep.version }}/"
+             target="_blank" rel="noopener noreferrer">{{ dep.group_id }}:{{ dep.artifact_id }}</a>
+        </td>
+        <td>{{ dep.version }}</td>
+        <td>{{ dep.scope }}</td>
+        <td>
+          {% for vuln in dep.vulnerabilities %}
+          <details>
+            <summary>
+              <span class="vuln-cve">{{ vuln.cve_id }}</span>
+              <span class="badge badge-{{ vuln.severity | lower | replace('cvss', '') | replace(' ', '') | truncate(8, true, '') }}">
+                {{ vuln.severity }}
+              </span>
+            </summary>
+            <p>{{ vuln.summary }}</p>
+            {% if vuln.affected_versions %}
+            <p><strong>Affected versions:</strong> {{ vuln.affected_versions | join(', ') }}</p>
+            {% endif %}
+            {% if vuln.reference_url %}
+            <p><a href="{{ vuln.reference_url }}" target="_blank" rel="noopener noreferrer">
+              More info &rarr;
+            </a></p>
+            {% endif %}
+            <p><em>Source: {{ vuln.source }}</em></p>
+          </details>
+          {% endfor %}
+        </td>
+      </tr>
+      {% endfor %}
+    </tbody>
+  </table>
+  {% else %}
+  <p style="color: #27ae60; font-size: 1.1em;">&#x2714; No vulnerable dependencies found.</p>
+  {% endif %}
+</div><!-- #vuln-list-section -->
+
+<div class="footer">
+  Generated by Java Dependency Analyzer v1.0.0 &mdash; Ron Webb
+</div>
+
+<script>
+  const rows = Array.from(document.querySelectorAll('.dep-row'));
+  const notice = document.getElementById('filter-notice');
+  const noticeText = document.getElementById('filter-notice-text');
+  const treeControls = document.getElementById('tree-controls');
+
+  // ── Collapse state ──────────────────────────────────────────────────────────
+  const collapsedRows = new Set(); // indices of rows the user collapsed
+  let filterActive = false;
+
+  function getDepth(row) {
+    return parseInt(row.dataset.depth || '0', 10);
+  }
+
+  /** Return indices of all consecutive descendants of rows[i] (depth > rows[i].depth). */
+  function getDescendantIndices(i) {
+    const parentDepth = getDepth(rows[i]);
+    const indices = [];
+    for (let j = i + 1; j < rows.length; j++) {
+      if (getDepth(rows[j]) > parentDepth) {
+        indices.push(j);
+      } else {
+        break;
+      }
+    }
+    return indices;
+  }
+
+  /** Collapse rows[i]: hide all descendants, update toggle icon. */
+  function collapseRow(i) {
+    collapsedRows.add(i);
+    getDescendantIndices(i).forEach(j => {
+      rows[j].classList.add('collapsed-hidden');
+    });
+    const toggle = rows[i].querySelector('.collapse-toggle');
+    if (toggle) toggle.textContent = '▶';
+  }
+
+  /** Expand rows[i]: show direct children (but not children of sub-collapsed rows). */
+  function expandRow(i) {
+    collapsedRows.delete(i);
+    const parentDepth = getDepth(rows[i]);
+    for (let j = i + 1; j < rows.length; j++) {
+      const d = getDepth(rows[j]);
+      if (d <= parentDepth) break;
+      if (d === parentDepth + 1) {
+        // direct child — always visible
+        rows[j].classList.remove('collapsed-hidden');
+      } else {
+        // deeper descendant — only visible if its own parent-chain is not collapsed
+        const isInsideCollapsed = [...collapsedRows].some(ci => {
+          if (ci >= j) return false;
+          const desc = getDescendantIndices(ci);
+          return desc.includes(j);
+        });
+        if (isInsideCollapsed) {
+          rows[j].classList.add('collapsed-hidden');
+        } else {
+          rows[j].classList.remove('collapsed-hidden');
+        }
+      }
+    }
+    const toggle = rows[i].querySelector('.collapse-toggle');
+    if (toggle) toggle.textContent = '▼';
+  }
+
+  function toggleRow(i) {
+    if (collapsedRows.has(i)) {
+      expandRow(i);
+    } else {
+      collapseRow(i);
+    }
+  }
+
+  function collapseAll() {
+    rows.forEach((row, i) => {
+      if (row.dataset.hasChildren === 'true') collapseRow(i);
+    });
+  }
+
+  function expandAll() {
+    collapsedRows.clear();
+    rows.forEach(row => row.classList.remove('collapsed-hidden'));
+    rows.forEach(row => {
+      const toggle = row.querySelector('.collapse-toggle');
+      if (toggle) toggle.textContent = '▼';
+    });
+  }
+
+  /** Re-apply collapsed-hidden state (e.g. after filter reset). */
+  function renderCollapsedState() {
+    rows.forEach(row => row.classList.remove('collapsed-hidden'));
+    collapsedRows.forEach(i => {
+      getDescendantIndices(i).forEach(j => {
+        rows[j].classList.add('collapsed-hidden');
+      });
+      const toggle = rows[i].querySelector('.collapse-toggle');
+      if (toggle) toggle.textContent = '▶';
+    });
+  }
+
+  // ── Filter ──────────────────────────────────────────────────────────────────
+  const depTreeSection = document.getElementById('dep-tree-section');
+  const vulnListSection = document.getElementById('vuln-list-section');
+
+  function applyFilter(filterType, labelText) {
+    if (filterType === 'all') {
+      rows.forEach(row => row.classList.remove('hidden'));
+      filterActive = false;
+      depTreeSection.style.display = '';
+      vulnListSection.style.display = 'none';
+      treeControls.style.display = '';
+      notice.classList.remove('visible');
+      renderCollapsedState();
+    } else if (filterType === 'vuln-deps') {
+      // Show plain deduplicated vulnerable-deps list; hide the tree
+      depTreeSection.style.display = 'none';
+      vulnListSection.style.display = '';
+      filterActive = true;
+      noticeText.textContent = `Showing ${labelText}`;
+      notice.classList.add('visible');
+    } else {
+      // has-vulns: filter the tree rows in-place
+      depTreeSection.style.display = '';
+      vulnListSection.style.display = 'none';
+      rows.forEach(row => row.classList.remove('collapsed-hidden'));
+      rows.forEach(row => {
+        const vulnCount = parseInt(row.dataset.vulnCount || '0', 10);
+        if (vulnCount > 0) {
+          row.classList.remove('hidden');
+        } else {
+          row.classList.add('hidden');
+        }
+      });
+      filterActive = true;
+      treeControls.style.display = 'none';
+      const visible = rows.filter(r => !r.classList.contains('hidden')).length;
+      noticeText.textContent = `Showing ${visible} ${labelText}`;
+      notice.classList.add('visible');
+    }
+  }
+
+  function resetFilter() {
+    document.querySelectorAll('.card').forEach(c => c.classList.remove('active'));
+    document.querySelector('.card[data-filter="all"]').classList.add('active');
+    applyFilter('all', '');
+  }
+
+  document.querySelectorAll('.card[data-filter]').forEach(card => {
+    card.addEventListener('click', function () {
+      document.querySelectorAll('.card').forEach(c => c.classList.remove('active'));
+      this.classList.add('active');
+      const filter = this.dataset.filter;
+      const label = this.querySelector('.label').textContent;
+      applyFilter(filter, label.toLowerCase());
+    });
+  });
+
+  // ── Initialise collapse toggles ─────────────────────────────────────────────
+  rows.forEach((row, i) => {
+    const nextRow = rows[i + 1];
+    if (nextRow && getDepth(nextRow) > getDepth(row)) {
+      row.dataset.hasChildren = 'true';
+      const toggle = document.createElement('span');
+      toggle.className = 'collapse-toggle';
+      toggle.textContent = '▼';
+      toggle.addEventListener('click', e => { e.stopPropagation(); toggleRow(i); });
+      const depNameCell = row.querySelector('.dep-name');
+      depNameCell.insertBefore(toggle, depNameCell.firstChild);
+    }
+  });
+  // Default: all expanded (nothing in collapsedRows, no collapsed-hidden classes)
+</script>
+</body>
+</html>

java_dependency_analyzer/resolvers/__init__.py

@@ -0,0 +1,11 @@
+"""
+resolvers package.
+
+Provides transitive dependency resolution from Maven Central.
+
+:author: Ron Webb
+:since: 1.0.0
+"""
+
+__author__ = "Ron Webb"
+__since__ = "1.0.0"

java_dependency_analyzer/resolvers/transitive.py

@@ -0,0 +1,276 @@
+"""
+transitive module.
+
+Resolves transitive dependencies by fetching POMs from Maven Central.
+
+:author: Ron Webb
+:since: 1.0.0
+"""
+
+import re
+
+import httpx
+from lxml import etree
+
+from ..models.dependency import Dependency
+from ..parsers.base import RUNTIME_SCOPES
+from ..util.logger import setup_logger
+
+__author__ = "Ron Webb"
+__since__ = "1.0.0"
+
+_logger = setup_logger(__name__)
+
+_MAVEN_CENTRAL = "https://repo1.maven.org/maven2"
+_MAX_DEPTH = 5
+
+# Scopes that do NOT propagate transitively to the consumer
+_NON_TRANSITIVE_SCOPES = frozenset({"test", "provided", "system", "import"})
+
+
+class TransitiveResolver:
+    """
+    Resolves transitive dependencies by recursively fetching POM files from Maven Central.
+
+    Uses an in-memory cache to avoid redundant network requests for the same artifact.
+
+    :author: Ron Webb
+    :since: 1.0.0
+    """
+
+    def __init__(self, client: httpx.Client | None = None) -> None:
+        """
+        Initialise the resolver with an optional shared httpx client.
+
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        self._client = client or httpx.Client(timeout=30)
+        self._cache: dict[str, list[Dependency]] = {}
+
+    def resolve(
+        self,
+        dependency: Dependency,
+        depth: int = 0,
+        _visited: set[str] | None = None,
+    ) -> Dependency:
+        """
+        Recursively resolve transitive dependencies for the given dependency.
+
+        Modifies the dependency in-place by populating
+        ``dependency.transitive_dependencies`` and setting depth on children.
+
+        Uses a *visited* set to skip any coordinate that has already been
+        processed in the current resolution tree, preventing infinite loops
+        caused by circular dependency declarations.
+
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        if _visited is None:
+            _visited = set()
+
+        if depth >= _MAX_DEPTH:
+            _logger.debug("Max depth %d reached at %s", _MAX_DEPTH, dependency.coordinates)
+            return dependency
+
+        key = dependency.coordinates
+        if key in _visited:
+            _logger.debug("Already visited, skipping: %s", key)
+            return dependency
+        _visited.add(key)
+
+        if key in self._cache:
+            dependency.transitive_dependencies = [
+                Dependency(
+                    group_id=d.group_id,
+                    artifact_id=d.artifact_id,
+                    version=d.version,
+                    scope=d.scope,
+                    depth=depth + 1,
+                )
+                for d in self._cache[key]
+            ]
+            return dependency
+
+        pom_url = self._pom_url(dependency)
+        pom_content = self._fetch_pom(pom_url)
+        if pom_content is None:
+            return dependency
+
+        direct_children = self._parse_pom_dependencies(pom_content, dependency)
+        self._cache[key] = direct_children
+
+        for child in direct_children:
+            child.depth = depth + 1
+            self.resolve(child, depth + 1, _visited)
+
+        dependency.transitive_dependencies = direct_children
+        return dependency
+
+    def resolve_all(self, dependencies: list[Dependency]) -> list[Dependency]:
+        """
+        Resolve transitive dependencies for a list of direct dependencies.
+
+        A single visited set is shared across all top-level dependencies so
+        that any coordinate already resolved in a previous branch is not
+        fetched or recursed into again.
+
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        visited: set[str] = set()
+        for dep in dependencies:
+            self.resolve(dep, depth=0, _visited=visited)
+        return dependencies
+
+    def _pom_url(self, dep: Dependency) -> str:
+        """
+        Build the Maven Central POM URL for the given dependency.
+
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        return (
+            f"{_MAVEN_CENTRAL}/{dep.maven_path}"
+            f"/{dep.artifact_id}-{dep.version}.pom"
+        )
+
+    def _fetch_pom(self, url: str) -> bytes | None:
+        """
+        Fetch the POM file at the given URL; return raw bytes or None on failure.
+
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        try:
+            response = self._client.get(url)
+            if response.status_code == 200:
+                return response.content
+            _logger.debug("POM not found (HTTP %d): %s", response.status_code, url)
+        except httpx.RequestError as exc:
+            _logger.warning("Network error fetching POM %s: %s", url, exc)
+        return None
+
+    def _parse_pom_dependencies(
+        self, pom_content: bytes, parent: Dependency
+    ) -> list[Dependency]:
+        """
+        Parse a POM's <dependencies> section and return runtime-scoped children.
+
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        try:
+            root = etree.fromstring(pom_content)  # nosec B320  # pylint: disable=c-extension-no-member
+        except etree.XMLSyntaxError as exc:  # pylint: disable=c-extension-no-member
+            _logger.warning("Could not parse POM for %s: %s", parent.coordinates, exc)
+            return []
+
+        ns_map = {"m": "http://maven.apache.org/POM/4.0.0"}
+        ns_prefix = "m:" if root.tag.startswith("{") else ""
+
+        def find(node: etree._Element, tag: str) -> etree._Element | None:
+            return node.find(f"{ns_prefix}{tag}", ns_map) if ns_prefix else node.find(tag)
+
+        def text(node: etree._Element, tag: str) -> str:
+            child = find(node, tag)
+            return child.text.strip() if child is not None and child.text else ""
+
+        # Extract properties for version variable substitution
+        properties = self._extract_pom_properties(root, ns_prefix, ns_map)
+        # Add parent version as fallback
+        properties.setdefault("project.version", parent.version)
+        properties.setdefault("version", parent.version)
+
+        deps_container = find(root, "dependencies")
+        if deps_container is None:
+            return []
+
+        children: list[Dependency] = []
+        for dep_el in (
+            deps_container.findall(f"{ns_prefix}dependency", ns_map)
+            if ns_prefix
+            else deps_container.findall("dependency")
+        ):
+            child = self._parse_dep_el(dep_el, properties, text)
+            if child is not None:
+                children.append(child)
+
+        return children
+
+    def _extract_pom_properties(
+        self,
+        root: etree._Element,
+        ns_prefix: str,
+        ns_map: dict[str, str],
+    ) -> dict[str, str]:
+        """
+        Extract <properties> entries from a POM element.
+
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        props: dict[str, str] = {}
+        props_el = (
+            root.find("m:properties", ns_map)
+            if ns_prefix
+            else root.find("properties")
+        )
+        if props_el is not None:
+            for child in props_el:
+                if not isinstance(child.tag, str):  # skip comments and PIs
+                    continue
+                local = etree.QName(child.tag).localname  # pylint: disable=c-extension-no-member
+                if child.text:
+                    props[local] = child.text.strip()
+        return props
+
+    def _parse_dep_el(
+        self,
+        dep_el: etree._Element,
+        properties: dict[str, str],
+        text_fn,  # callable is fine; typing via Callable is imported from collections.abc
+    ) -> Dependency | None:
+        """
+        Parse a single dependency XML element into a Dependency, or return None to skip it.
+
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        group_id = self._resolve_property(text_fn(dep_el, "groupId"), properties)
+        artifact_id = self._resolve_property(text_fn(dep_el, "artifactId"), properties)
+        version = self._resolve_property(text_fn(dep_el, "version"), properties)
+        scope = text_fn(dep_el, "scope") or "compile"
+        optional_raw = text_fn(dep_el, "optional")
+        optional = optional_raw.lower() == "true"
+
+        if not group_id or not artifact_id or not version:
+            return None
+        if scope in _NON_TRANSITIVE_SCOPES:
+            return None
+        if optional:
+            return None
+        if scope not in RUNTIME_SCOPES:
+            return None
+
+        return Dependency(
+            group_id=group_id,
+            artifact_id=artifact_id,
+            version=version,
+            scope=scope,
+        )
+
+    def _resolve_property(self, value: str, properties: dict[str, str]) -> str:
+        """
+        Replace ${key} placeholders using the provided properties dictionary.
+
+        :author: Ron Webb
+        :since: 1.0.0
+        """
+        if not value or "${" not in value:
+            return value
+        for match in re.finditer(r"\$\{([^}]+)\}", value):
+            key = match.group(1)
+            value = value.replace(match.group(0), properties.get(key, ""))
+        return value