dependency-check-maven's yarnAuditAnalyzerEnabled doesn't work #6619

Closed
dutoitns opened this issue Apr 22, 2024 · 2 comments
Assignees: nhumblot
Labels: documentation, site documentation, question

@dutoitns
Describe the bug
When I run the dependency-check-maven plugin, one of my Maven modules suddenly seems to trigger something to do with Yarn, making the execution of the dependency-check-maven plugin fail. It fails with the following error:
IOException: Cannot run program "yarn": CreateProcess error=2, The system cannot find the file specified
I modified my Maven pom.xml file to configure "yarnAuditAnalyzerEnabled" to false, but it still seems to be looking for Yarn and failing. I'm not sure why this specific module is triggering this yarn-stuff... I looked for some hidden build artifacts in the module but couldn't find anything. I know one can also configure "pathToYarn" but I don't want to do that; I just want to disable something successfully so that I can continue...

Version of dependency-check used
9.1.0

Log file
gist: my maven build file for that module
gist: error on executing the maven build

To Reproduce
Steps to reproduce the behavior:

  1. Execute mvn org.owasp:dependency-check-maven:check in that module or in the root of the project.

Expected behavior
I expect the dependency-check-maven plugin to execute successfully and to not try and execute anything using Yarn when I've configured "yarnAuditAnalyzerEnabled" to false.

Additional context
N/A

@dutoitns dutoitns added the bug label Apr 22, 2024
@nhumblot (Collaborator) commented Apr 25, 2024

Hi!

Thank you for raising this issue you are facing. Based on the pom.xml provided, which shows the parent POM but not the sub-module POMs, I suspect you do not have any specific configuration declared in your sub-module POMs.

If you look at your POM, you specified a 9.1.0 OWASP DependencyCheck version:

  <reporting>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>9.1.0</version>
        <configuration>
          <yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled>
        </configuration>
        <reportSets>
          <reportSet>
            <reports>
              <report>aggregate</report>
            </reports>
          </reportSet>
        </reportSets>
      </plugin>
    </plugins>
  </reporting>

But if you look at your logs, it is version 8.2.1 that is fetched.

mvn org.owasp:dependency-check-maven:check
[INFO] Scanning for projects...
[INFO]
[INFO] ----------------< za.co.ndutoit:test-simple-cdk-stack >-----------------
[INFO] Building test-simple-cdk-stack 1.0.0
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- dependency-check:8.2.1:check (default-cli) @ test-simple-cdk-stack ---

This is because when executing your Maven command, mvn org.owasp:dependency-check-maven:check, you are not picking up the plugin, and its configuration, declared in the reporting section, but the one declared in the build section.

I would suggest the following declaration in your parent POM:

  <build>
    <pluginManagement>
      <plugins>
        <!-- -->
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>9.1.0</version>
          <configuration>
            <yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled>
          </configuration>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>

  <reporting>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <reportSets>
          <reportSet>
            <reports>
              <report>aggregate</report>
            </reports>
          </reportSet>
        </reportSets>
      </plugin>
    </plugins>
  </reporting>

This way, when executing the mvn org.owasp:dependency-check-maven:check command, all your POMs will pick up the configuration declared in the <pluginManagement> section and should get the configuration to not execute the Yarn Analyzer.

More information: Using the <reporting> Tag VS <build> Tag

mvn aplugin:areportgoal
It ignores the parameters defined in the <configuration> element of each reporting plugin specified in the <reporting> element; only parameters defined in the <configuration> element of each plugin specified in <build> are used.

Could you tell me if you see any improvement by doing this?

@nhumblot nhumblot self-assigned this Apr 25, 2024
@nhumblot nhumblot added question documentation site documentation and removed bug labels Apr 25, 2024
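The resolution rule in the reply above (a goal invoked as mvn groupId:artifactId:goal takes the plugin version and <configuration> from <build>, with <pluginManagement> supplying defaults, and ignores <reporting>) is easy to get wrong when a POM only declares the plugin under <reporting>. The script below is an added example, not code from the OWASP dependency-check project or from the issue reporter: it parses a POM, reports where dependency-check-maven is declared in each section, and says which version and yarnAuditAnalyzerEnabled value a CLI invocation would actually see, warning when the plugin exists only under <reporting>. The two sample POMs are constructed for this example (one mirroring the reported shape, one mirroring the suggested fix) and the function names are this example's own.

```python
"""Audit where a Maven POM configures dependency-check-maven.

Added example (not project code).  Encodes the rule from the Maven docs quoted
in the thread: a goal run from the command line resolves the plugin against
<build> (<plugins> entries, with <pluginManagement> as defaults); anything
declared only under <reporting> is ignored for that invocation.
"""
import xml.etree.ElementTree as ET

GROUP_ID = "org.owasp"
ARTIFACT_ID = "dependency-check-maven"
FLAG = "yarnAuditAnalyzerEnabled"

# Constructed sample, not the reporter's real file: plugin under <reporting> only.
REPORTING_ONLY_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <reporting>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>9.1.0</version>
        <configuration>
          <yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
</project>"""

# Constructed sample of the corrected shape: version and configuration live in
# <build><pluginManagement>, <reporting> only references the plugin.
FIXED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build>
    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>9.1.0</version>
          <configuration>
            <yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled>
          </configuration>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>
  <reporting>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
      </plugin>
    </plugins>
  </reporting>
</project>"""


def _namespace(root):
    """Return the '{uri}' prefix of the POM namespace, or '' if the POM has no xmlns."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _plugin_in(section, ns):
    """Find the dependency-check-maven <plugin> under section/<plugins>, or None."""
    if section is None:
        return None
    for plugin in section.findall(f"{ns}plugins/{ns}plugin"):
        # Maven defaults a missing <groupId> to org.apache.maven.plugins.
        gid = plugin.findtext(f"{ns}groupId", default="org.apache.maven.plugins")
        if gid == GROUP_ID and plugin.findtext(f"{ns}artifactId") == ARTIFACT_ID:
            return plugin
    return None


def _describe(plugin, ns):
    """Version and flag value declared on one <plugin> element (None when absent)."""
    if plugin is None:
        return None
    return {"version": plugin.findtext(f"{ns}version"),
            FLAG: plugin.findtext(f"{ns}configuration/{ns}{FLAG}")}


def audit_pom(pom_xml):
    """Return per-section declarations plus what a CLI goal would effectively use."""
    root = ET.fromstring(pom_xml)
    ns = _namespace(root)
    build = root.find(f"{ns}build")
    mgmt = build.find(f"{ns}pluginManagement") if build is not None else None
    result = {
        "build/plugins": _describe(_plugin_in(build, ns), ns),
        "build/pluginManagement": _describe(_plugin_in(mgmt, ns), ns),
        "reporting": _describe(_plugin_in(root.find(f"{ns}reporting"), ns), ns),
    }
    plugins_decl, mgmt_decl = result["build/plugins"], result["build/pluginManagement"]
    if plugins_decl is None and mgmt_decl is None:
        # Nothing on the <build> side: the CLI goal sees none of this configuration.
        result["cli_effective"] = None
        result["warning"] = ("declared only under <reporting>: ignored by mvn groupId:artifactId:goal"
                             if result["reporting"] else "plugin not declared in this POM")
    else:
        # <build><plugins> values win; <pluginManagement> fills in what they omit.
        result["cli_effective"] = {k: (plugins_decl or {}).get(k) or (mgmt_decl or {}).get(k)
                                   for k in ("version", FLAG)}
        result["warning"] = None
    return result


if __name__ == "__main__":
    for name, pom in (("reporting-only", REPORTING_ONLY_POM), ("fixed", FIXED_POM)):
        print(name, audit_pom(pom))
```

Run it against a real parent pom.xml by reading the file into audit_pom; a non-None "warning" for the reporting-only case is the situation the reporter hit, where the flag looked configured but never reached the CLI run.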
@dutoitns (Author)
Thank you - that was the issue. After making the changes you recommended everything worked 😀

I was looking at the second example in the documentation here and didn't realize that I still needed to define the build plugin (it just shows the reporting plugin section)

Thank you for your help - much appreciated 🙏
