
[java:maven] Dependency versions defined through a property are not respected if the property starts with 'project.' #1859

Closed
ingogriebsch opened this issue May 14, 2020 · 2 comments · Fixed by #6581
Labels
L: java:maven Maven packages via Maven T: bug 🐞 Something isn't working

Comments

@ingogriebsch

It looks like Dependabot is not checking dependencies if the version of the dependency is defined through a property AND the property starts with 'project'.

This is working:

<properties>
    <guava.version>28.1-jre</guava.version>
</properties>

<dependencies>
    <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>${guava.version}</version>
    </dependency>
</dependencies>

This is not working:

<properties>
    <project.guava.version>28.1-jre</project.guava.version>
</properties>

<dependencies>
    <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>${project.guava.version}</version>
    </dependency>
</dependencies>

We created a repository explaining the issue in more detail. There you can have a look at the specific commits and the corresponding outputs of the Dependabot check. You can have a look at it here:
https://github.com/gbtec-ag/dependabot-version-property-issue

A follow-up problem is that Dependabot closes the corresponding PR (if one was created) but never opens the PR again after the property is corrected. This means one needs to reopen the PRs by hand (if available).
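The two cases from the report side by side, as an added example that is neither code from this issue nor Dependabot's implementation: a minimal POM reader with two `${property}` resolvers. `resolve_naive` is a hypothetical cause of the reported behaviour (it treats every `project.`/`pom.` prefix as a reference to a model element such as `${project.version}` and never consults `<properties>`); `resolve_fixed` tries the model path first and falls back to `<properties>`, which is how Maven itself makes `${project.guava.version}` valid. The sample POM, its coordinates and the extra `junit`/`demo-core` dependencies are constructed for the example.

```python
"""Resolve Maven dependency versions written as ${property} references.

Added example, not Dependabot's code. SAMPLE_POM is constructed: it mirrors
the "not working" case from the issue plus a ${project.version} reference,
which is the kind of model reference a 'project.'-prefix rule exists for.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample POM; the coordinates are made up for this example.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.2.3</version>
  <properties>
    <project.guava.version>28.1-jre</project.guava.version>
    <junit.version>4.13</junit.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>${project.guava.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>${junit.version}</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>demo-core</artifactId>
      <version>${project.version}</version>
    </dependency>
  </dependencies>
</project>
"""

PROPERTY_REF = re.compile(r"^\$\{([^}]+)\}$")
MODEL_PREFIXES = ("project.", "pom.")
MODEL_ELEMENTS = ("groupId", "artifactId", "version")


def parse_pom(pom_text):
    """Return (model, properties, dependencies) from a POM string.

    The '{*}' wildcard matches any XML namespace (Python 3.8+), so the
    POM xmlns does not need to be spelled out in every lookup.
    """
    root = ET.fromstring(pom_text)
    model = {}
    for name in MODEL_ELEMENTS:
        el = root.find(f"{{*}}{name}")
        if el is not None and el.text:
            model[name] = el.text.strip()
    properties = {}
    props = root.find("{*}properties")
    if props is not None:
        for child in props:
            local = child.tag.split("}", 1)[-1]  # strip the namespace
            properties[local] = (child.text or "").strip()
    dependencies = []
    for dep in root.iterfind("{*}dependencies/{*}dependency"):
        g = dep.findtext("{*}groupId", default="").strip()
        a = dep.findtext("{*}artifactId", default="").strip()
        v = dep.findtext("{*}version", default="").strip()
        dependencies.append((g, a, v))
    return model, properties, dependencies


def resolve_naive(raw, model, properties):
    """Hypothetical buggy resolver: a 'project.'/'pom.' prefix is assumed to
    name a model element, so project.guava.version is never looked up in
    <properties> and the version stays unresolved (None)."""
    m = PROPERTY_REF.match(raw)
    if not m:
        return raw  # literal version
    name = m.group(1)
    for prefix in MODEL_PREFIXES:
        if name.startswith(prefix):
            return model.get(name[len(prefix):])
    return properties.get(name)


def resolve_fixed(raw, model, properties):
    """Corrected resolver: try the model path for a prefixed name, and fall
    back to user-defined <properties> when no such model element exists."""
    m = PROPERTY_REF.match(raw)
    if not m:
        return raw
    name = m.group(1)
    for prefix in MODEL_PREFIXES:
        if name.startswith(prefix):
            value = model.get(name[len(prefix):])
            if value is not None:
                return value
            break  # not a model element: fall through to <properties>
    return properties.get(name)


def resolve_versions(pom_text, resolver):
    """Map 'groupId:artifactId' -> resolved version (None if unresolved)."""
    model, properties, deps = parse_pom(pom_text)
    return {f"{g}:{a}": resolver(v, model, properties) for g, a, v in deps}


if __name__ == "__main__":
    for label, fn in (("naive", resolve_naive), ("fixed", resolve_fixed)):
        print(label, resolve_versions(SAMPLE_POM, fn))
```

Running it shows the naive resolver returning None for `com.google.guava:guava` while still resolving `${project.version}`, which is exactly a dependency being silently skipped rather than an error; a checker built on it would never see the guava version at all.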

@jeffwidman
Member

👋 Hey there! Sorry for the glacially slow response... we've been a bit buried the past few years, and only just now starting to dig through some of our backlog.

This issue is pretty old, and we've pushed a lot of bugfixes since then... is this still a valid issue?

@jeffwidman jeffwidman added the L: java:maven Maven packages via Maven label Feb 2, 2023
@jeffwidman
Member

Keeping open despite lack of user response because this one has a public repo so should be easy to check if reproducible or not.
