feat: Scan Maven Plugins by jeremylong · Pull Request #5001 · dependency-check/DependencyCheck

jeremylong · 2022-10-29T11:36:09Z

Fixes Issue #4035

Adds the ability to scan the plugins of a Maven project (via the org.owasp:dependency-check-maven plugin - not the CLI).

Introduced includedBy to the HTML, XML, and JSON reports when scanning with the Maven Plugin. includedBy is the root of the dependency tree (i.e. if a transitive dependency is scanned, the includedBy will be a direct dependency). Note that when using the maven plugin includedBy will be added even when plugins are not scanned.

jeremylong · 2022-10-31T09:47:45Z

@mprins thanks for the suggestion!

aikebah

Reviews that should be addressed before merge in my view are :
https://github.com/jeremylong/DependencyCheck/pull/5001/files/fdc8896ec749c8f865e47ed529e58affa9bc7e0d#r1020950469

and
https://github.com/jeremylong/DependencyCheck/pull/5001/files/fdc8896ec749c8f865e47ed529e58affa9bc7e0d#r1020965735

…encyCheckMojo.java Co-authored-by: Mark Prins <[email protected]>

…encyCheckMojo.java Co-authored-by: Hans Aikema <[email protected]>

jeremylong · 2023-01-09T12:46:09Z

@aikebah I think I'm good with the 8.0.0 PRs now. Planning on spending this week integrating the 8.0.0 PRs and testing so we can finally get these released. Please let me know if you see any additional issues/concerns.

aikebah

See review, think we should stay on the safe side with internal Maven vars.... with that integrated all looks good to me

…encyCheckMojo.java Co-authored-by: Hans Aikema <[email protected]>

aikebah · 2023-01-10T22:38:28Z

@jeremylong I'll leave the merge-sequence decision up to you.... my gut feel would be first the Known exploited and then the maven plugin would be the easiest to resolve any emerging merge conflicts

pitprok · 2023-01-23T23:19:23Z

Based on this dependency-check-sonar-plugin#748 includedBy broke the parsing of the reports.

[INFO] 17:06:11.358 Using JSON-Reportparser
[WARNING] 17:06:11.651 JSON-Analysis aborted
[DEBUG] 17:06:11.653 Problem with JSON-Report-Mapping
org.sonar.dependencycheck.parser.ReportParserException: Problem with JSON-Report-Mapping
	at org.sonar.dependencycheck.parser.JsonReportParserHelper.parse(JsonReportParserHelper.java:44)
	at org.sonar.dependencycheck.DependencyCheckSensor.parseAnalysis(DependencyCheckSensor.java:71)
	at org.sonar.dependencycheck.DependencyCheckSensor.execute(DependencyCheckSensor.java:150)
	at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:48)
	at org.sonar.scanner.sensor.ProjectSensorsExecutor.execute(ProjectSensorsExecutor.java:49)
	at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart(ProjectScanContainer.java:360)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:137)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:123)
	at org.sonar.scanner.bootstrap.GlobalContainer.doAfterStart(GlobalContainer.java:150)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:137)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:123)
	at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:72)
	at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:66)
	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
	at com.sun.proxy.$Proxy45.execute(Unknown Source)
	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
	at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
	at org.sonarsource.scanner.maven.bootstrap.ScannerBootstrapper.execute(ScannerBootstrapper.java:65)
	at org.sonarsource.scanner.maven.SonarQubeMojo.execute(SonarQubeMojo.java:108)
	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:137)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:210)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:156)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:148)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:56)
	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:305)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:192)
	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:105)
	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:957)
	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:289)
	at org.apache.maven.cli.MavenCli.main(MavenCli.java:193)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:282)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:225)
	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:406)
	at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:347)
Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "includedBy" (class org.sonar.dependencycheck.parser.element.Dependency), not marked as ignorable (9 known properties: "filePath", "evidenceCollected", "sha1", "fileName", "vulnerabilities", "vulnerabilityIds", "packages", "md5", "identifiers"])
 at [Source: (sun.nio.ch.ChannelInputStream); line: 1, column: 6225] (through reference chain: org.sonar.dependencycheck.parser.element.Analysis["dependencies"]->java.util.ArrayList[0]->org.sonar.dependencycheck.parser.element.Dependency["includedBy"])
	at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:61)
	at com.fasterxml.jackson.databind.DeserializationContext.handleUnknownProperty(DeserializationContext.java:855)
	at com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:1212)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty(BeanDeserializerBase.java:1604)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperties(BeanDeserializerBase.java:1554)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:511)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1322)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:331)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:164)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:290)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:249)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:26)
	at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:542)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeWithErrorWrapping(BeanDeserializer.java:535)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:419)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1322)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:331)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:164)
	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4526)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3505)
	at org.sonar.dependencycheck.parser.JsonReportParserHelper.parse(JsonReportParserHelper.java:40)
	... 45 common frames omitted

Is there a way to disable that field or do we have to wait for it to be fixed?

boring-cyborg Bot added core changes to core maven changes to the maven plugin tests test cases labels Oct 29, 2022

jeremylong requested a review from aikebah October 29, 2022 11:36

jeremylong added this to the 8.0.0 milestone Oct 29, 2022

mprins suggested changes Oct 29, 2022

View reviewed changes

Comment thread maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java Outdated

jeremylong mentioned this pull request Oct 30, 2022

Scan build environment (plugins) dependency-check/dependency-check-gradle#283

Closed

boring-cyborg Bot added the documentation site documentation label Oct 31, 2022

jeremylong force-pushed the plugins branch from 0295550 to 92847c0 Compare November 5, 2022 09:23

aikebah reviewed Nov 13, 2022

View reviewed changes

Comment thread core/src/main/resources/schema/dependency-check.2.5.xsd

aikebah reviewed Nov 13, 2022

View reviewed changes

jeremylong changed the title ~~Scan Maven Plugins~~ feat: Scan Maven Plugins Nov 19, 2022

aikebah requested changes Dec 3, 2022

View reviewed changes

jeremylong and others added 13 commits January 1, 2023 03:57

feat: add mojo to scan plugins, resolves #4035

03b844b

fix: add all included by during merge

c6ada0a

feat: add includedBy to reports

61a68b1

style: make checkstyle happier

769c93c

Update maven/src/main/java/org/owasp/dependencycheck/maven/BaseDepend…

b110e4c

…encyCheckMojo.java Co-authored-by: Mark Prins <[email protected]>

doc: document new config option

3b4196b

style: checkstyle suggestion

ce27552

style: checkstyle

76e66d5

feat: enable users to only scan plugins

2284f58

Update maven/src/main/java/org/owasp/dependencycheck/maven/BaseDepend…

ac4cfbd

…encyCheckMojo.java Co-authored-by: Hans Aikema <[email protected]>

Update maven/src/main/java/org/owasp/dependencycheck/maven/BaseDepend…

1b4059d

…encyCheckMojo.java Co-authored-by: Hans Aikema <[email protected]>

Update maven/src/main/java/org/owasp/dependencycheck/maven/BaseDepend…

d191a6c

…encyCheckMojo.java Co-authored-by: Hans Aikema <[email protected]>

fix: Update core/src/main/resources/schema/dependency-check.2.5.xsd

a77c65f

jeremylong force-pushed the plugins branch from 8fe0cc2 to a77c65f Compare January 1, 2023 11:57

build: bump major version

8e80f35

boring-cyborg Bot added ant changes to ant cli changes to the cli utils changes to utils labels Jan 7, 2023

jeremylong added 7 commits January 8, 2023 04:10

Merge branch 'main' into plugins

b6b5500

fix: add type to includedBy

b331b72

fix: add type to includedBy

f4a9d69

fix: add new to type to avoid confusing use of Pair

a6010aa

fix: update includedBy to use package url

fb7d729

Merge branch 'main' into plugins

980c541

style: make checkstyle happier

7b95191

jeremylong requested a review from aikebah January 9, 2023 12:44

jeremylong added 3 commits January 9, 2023 07:59

style: make checkstyle happier

0f86234

style: make checkstyle happier

402b37f

doc: update gradle site to document scanning the buildEnv

db69310

aikebah requested changes Jan 10, 2023

View reviewed changes

Comment thread maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java Outdated

Update maven/src/main/java/org/owasp/dependencycheck/maven/BaseDepend…

7adf45e

…encyCheckMojo.java Co-authored-by: Hans Aikema <[email protected]>

jeremylong requested a review from aikebah January 10, 2023 22:36

aikebah approved these changes Jan 10, 2023

View reviewed changes

Merge branch 'main' into plugins

1924a8d

jeremylong merged commit da733c4 into main Jan 11, 2023

jeremylong deleted the plugins branch February 27, 2023 13:38

Marcono1234 mentioned this pull request Jul 12, 2023

Respect <skipProvidedScope> for <scanPlugins> #5825

Open

github-actions Bot locked as resolved and limited conversation to collaborators Dec 15, 2024

Conversation

jeremylong commented Oct 29, 2022

Fixes Issue #4035

Uh oh!

Uh oh!

jeremylong commented Oct 31, 2022

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

aikebah left a comment

Choose a reason for hiding this comment

Uh oh!

jeremylong commented Jan 9, 2023

Uh oh!

aikebah left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

aikebah commented Jan 10, 2023

Uh oh!

pitprok commented Jan 23, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

pitprok commented Jan 23, 2023 •

edited

Loading