In implementing the dependency-check-maven plugin for some of our projects we have found an occasion where it's possible that a false negative can occur with the maven plugin.
i.e. the Maven plugin misses a dependency that is picked up when the jar file generated by the build is pushed through the command line.
In this case we have the following test dependency:
<dependency>
    <groupId>com.fasterxml.jackson.jaxrs</groupId>
    <artifactId>jackson-jaxrs-json-provider</artifactId>
    <version>2.5.3</version>
    <scope>test</scope>
</dependency>
This is a vulnerable library; however, since it is included as a test dependency it is ignored.
However, we also have the following dependencies, which are compile-scoped:
<!-- metrics -->
<dependency>
    <groupId>io.dropwizard.metrics</groupId>
    <artifactId>metrics-core</artifactId>
    <version>3.1.2</version>
    <exclusions>
        <exclusion>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>io.dropwizard.metrics</groupId>
    <artifactId>metrics-servlets</artifactId>
    <version>3.1.2</version>
    <exclusions>
        <exclusion>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>io.dropwizard.metrics</groupId>
    <artifactId>metrics-graphite</artifactId>
    <version>3.1.2</version>
    <exclusions>
        <exclusion>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
        </exclusion>
    </exclusions>
</dependency>
This version of Dropwizard includes the vulnerable 2.5.3 version of Jackson:
mvn dependency:tree -Dscope=compile -Dverbose=true
[INFO] +- io.dropwizard.metrics:metrics-servlets:jar:3.1.2:compile
[INFO] | +- (io.dropwizard.metrics:metrics-core:jar:3.1.2:compile - omitted for duplicate)
[INFO] | +- io.dropwizard.metrics:metrics-healthchecks:jar:3.1.2:compile
[INFO] | +- io.dropwizard.metrics:metrics-json:jar:3.1.2:compile
[INFO] | | +- (io.dropwizard.metrics:metrics-core:jar:3.1.2:compile - omitted for duplicate)
[INFO] | | \- (com.fasterxml.jackson.core:jackson-databind:jar:2.5.3:compile - omitted for conflict with 2.4.2)
[INFO] | +- io.dropwizard.metrics:metrics-jvm:jar:3.1.2:compile
[INFO] | | \- (io.dropwizard.metrics:metrics-core:jar:3.1.2:compile - omitted for duplicate)
[INFO] | \- com.fasterxml.jackson.core:jackson-databind:jar:2.4.2:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.4.0:compile
[INFO] | \- com.fasterxml.jackson.core:jackson-core:jar:2.4.2:compile
[INFO] \- io.dropwizard.metrics:metrics-graphite:jar:3.1.2:compile
[INFO] \- (io.dropwizard.metrics:metrics-core:jar:3.1.2:compile - omitted for duplicate)
It appears that the Maven plugin is ignoring the Jackson included through Dropwizard because it also matches a test dependency.
Setting skipTestScope to false sort-of works around this, but also introduces other failures which actually come from test dependencies.