diff --git a/maven/src/it/1551-verify-dependency-management/invoker.properties b/maven/src/it/1551-verify-dependency-management/invoker.properties
new file mode 100644
index 00000000000..d0293944b8a
--- /dev/null
+++ b/maven/src/it/1551-verify-dependency-management/invoker.properties
@@ -0,0 +1,19 @@
+#
+# This file is part of dependency-check-maven.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+#
+
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -Dformat=ALL -DskipDependencyManagement=false
diff --git a/maven/src/it/1551-verify-dependency-management/pom.xml b/maven/src/it/1551-verify-dependency-management/pom.xml
new file mode 100644
index 00000000000..6e5976a1774
--- /dev/null
+++ b/maven/src/it/1551-verify-dependency-management/pom.xml
@@ -0,0 +1,34 @@
+
+
+
+ 4.0.0
+ org.owasp.test
+ verify-dependency-management
+ 1.0.0-SNAPSHOT
+ pom
+
+
+
+ com.fasterxml.jackson.dataformat
+ jackson-dataformat-xml
+ 2.6.3
+
+
+
+
diff --git a/maven/src/it/1551-verify-dependency-management/postbuild.groovy b/maven/src/it/1551-verify-dependency-management/postbuild.groovy
new file mode 100644
index 00000000000..385af940151
--- /dev/null
+++ b/maven/src/it/1551-verify-dependency-management/postbuild.groovy
@@ -0,0 +1,32 @@
+/*
+ * This file is part of dependency-check-maven.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang.StringUtils;
+import java.nio.charset.Charset;
+
+
+// Check to see if jackson-dataformat-xml-2.4.5.jar was identified.
+//TODO change this to xpath and check for CVE-2016-3720
+String log = FileUtils.readFileToString(new File(basedir, "target/dependency-check-report.xml"), Charset.defaultCharset().name());
+int count = StringUtils.countMatches(log, "CVE-2017-15095");
+if (count == 0){
+ System.out.println(String.format("jackson-dataformat-xml was not identified", count));
+ return false;
+}
+return true;
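Review bot: The verification does not agree with its own comments: the comment names jackson-dataformat-xml-2.4.5.jar while the test pom in this commit declares 2.6.3, and the TODO refers to CVE-2016-3720 while the code counts occurrences of CVE-2017-15095, so a reader cannot tell which identifier the test is meant to pin. The failure message `String.format("jackson-dataformat-xml was not identified", count)` has no placeholder, so `count` is silently dropped; `String.format("jackson-dataformat-xml was not identified (found %d matches for CVE-2017-15095)", count)` would print it. Reading the report with `Charset.defaultCharset().name()` ties the string match to the platform encoding of the build machine; passing `"UTF-8"` (the report is XML, presumably written as UTF-8 — confirm against the reporter) keeps the IT deterministic across environments.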
diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index c8712fa488e..d18289e1d8e 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -36,12 +36,14 @@
import org.apache.maven.settings.Proxy;
import org.apache.maven.settings.Server;
import org.apache.maven.shared.transfer.artifact.ArtifactCoordinate;
+import org.apache.maven.shared.transfer.artifact.DefaultArtifactCoordinate;
import org.apache.maven.shared.transfer.artifact.TransferUtils;
import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolver;
import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolverException;
import org.apache.maven.shared.dependency.graph.DependencyGraphBuilder;
import org.apache.maven.shared.dependency.graph.DependencyGraphBuilderException;
import org.apache.maven.shared.dependency.graph.DependencyNode;
+import org.apache.maven.shared.dependency.graph.internal.DefaultDependencyNode;
import org.apache.maven.shared.model.fileset.FileSet;
import org.apache.maven.shared.model.fileset.util.FileSetManager;
import org.owasp.dependencycheck.Engine;
@@ -562,6 +564,13 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@Parameter(property = "skipSystemScope", defaultValue = "false", required = false)
private boolean skipSystemScope = false;
+ /**
+ * Skip Analysis for dependencyManagement section.
+ */
+ @SuppressWarnings("CanBeFinal")
+ @Parameter(property = "skipDependencyManagement", defaultValue = "true", required = false)
+ private boolean skipDependencyManagement = true;
+
/**
* Skip analysis for dependencies which type matches this regular
* expression.
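Review bot: The Javadoc on skipDependencyManagement states only that the section is skipped and does not say what enabling the scan costs: with the flag false, every entry of the dependencyManagement section is resolved from the repository and added to the scan set, whether or not the project actually uses it (see collectDependencyManagementDependencies in a later hunk). Suggest `* Skip analysis of the dependencyManagement section. Defaults to true; when false every managed dependency is resolved and scanned, even those the project never declares as a dependency.` so users understand why a BOM-style parent may suddenly take much longer to scan.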
@@ -891,6 +900,48 @@ protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine,
}
}
+ private DependencyNode toDependencyNode(ProjectBuildingRequest buildingRequest, DependencyNode parent, org.apache.maven.model.Dependency dependency)
+ throws ArtifactResolverException {
+
+ DefaultArtifactCoordinate coordinate = new DefaultArtifactCoordinate();
+
+ coordinate.setGroupId(dependency.getGroupId());
+ coordinate.setArtifactId(dependency.getArtifactId());
+ coordinate.setVersion(dependency.getVersion());
+ coordinate.setExtension(dependency.getType());
+ coordinate.setClassifier(dependency.getClassifier());
+
+ Artifact artifact = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
+
+ artifact.setScope(dependency.getScope());
+
+ DefaultDependencyNode node = new DefaultDependencyNode(parent, artifact, dependency.getVersion(), dependency.getScope(), null);
+
+ return node;
+
+ }
+
+ private ExceptionCollection collectDependencyManagementDependencies(ProjectBuildingRequest buildingRequest, MavenProject project,
+ List nodes, boolean aggregate) {
+ if (skipDependencyManagement || project.getDependencyManagement() == null) {
+ return null;
+ }
+
+ ExceptionCollection exCol = null;
+ for (org.apache.maven.model.Dependency dependency : project.getDependencyManagement().getDependencies()) {
+ try {
+ nodes.add(toDependencyNode(buildingRequest, null, dependency));
+ } catch (ArtifactResolverException ex) {
+ getLog().debug(String.format("Aggregate : %s", aggregate));
+ if (exCol == null) {
+ exCol = new ExceptionCollection();
+ }
+ exCol.addException(ex);
+ }
+ }
+ return exCol;
+ }
+
/**
* Resolves the projects artifacts using Aether and scans the resulting
* dependencies.
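Review bot: In collectDependencyManagementDependencies the catch block logs only the aggregate flag, so a managed dependency that fails to resolve is recorded in exCol with no indication of which coordinate failed; replace the debug line with `getLog().debug(String.format("Unable to resolve managed dependency %s:%s:%s (aggregate=%s)", dependency.getGroupId(), dependency.getArtifactId(), dependency.getVersion(), aggregate), ex);`. In toDependencyNode, `coordinate.setExtension(dependency.getType())` treats the Maven dependency type as the file extension; for types such as test-jar the extension and classifier differ from the type, so such managed entries would presumably fail to resolve — an ArtifactHandler lookup (or, if it offers one, the already-imported TransferUtils conversion) maps type to extension correctly. The scope of a dependencyManagement entry may be null and is passed through unchanged to artifact.setScope and the node, so the scope filter applied in collectMavenDependencies should be confirmed to tolerate a null scope. The third and fourth DefaultDependencyNode constructor arguments look like the premanaged version and scope rather than the effective ones — worth confirming against the maven-dependency-tree signature before relying on them.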
@@ -906,7 +957,7 @@ protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine,
*/
private ExceptionCollection collectMavenDependencies(Engine engine, MavenProject project,
List nodes, ProjectBuildingRequest buildingRequest, boolean aggregate) {
- ExceptionCollection exCol = null;
+ ExceptionCollection exCol = collectDependencyManagementDependencies(buildingRequest, project, nodes, aggregate);
for (DependencyNode dependencyNode : nodes) {
if (artifactScopeExcluded.passes(dependencyNode.getArtifact().getScope())
|| artifactTypeExcluded.passes(dependencyNode.getArtifact().getType())) {
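Review bot: The Javadoc of collectMavenDependencies (it begins in the preceding hunk) does not mention that the caller-supplied `nodes` list is now extended in place with the project's resolved managed dependencies before the scan when skipDependencyManagement is false, which is a side effect callers holding that list should know about; suggest adding `* When skipDependencyManagement is false, the resolved entries of the project's dependencyManagement section are appended to {@code nodes} before scanning.` The remainder of the method body is outside the hunk, so whether exCol returned from the helper is merged correctly with later exceptions cannot be checked here.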
diff --git a/maven/src/site/markdown/configuration.md b/maven/src/site/markdown/configuration.md
index a5496ed0656..ba846c62906 100644
--- a/maven/src/site/markdown/configuration.md
+++ b/maven/src/site/markdown/configuration.md
@@ -28,6 +28,7 @@ skipProvidedScope | Skip analysis for artifacts with Provided Scope.
skipRuntimeScope | Skip analysis for artifacts with Runtime Scope. | false
skipSystemScope | Skip analysis for artifacts with System Scope. | false
skipTestScope | Skip analysis for artifacts with Test Scope. | true
+skipDependencyManagement | Skip analysis for dependencyManagement sections. | true
skipArtifactType | A regular expression used to filter/skip artifact types. |
suppressionFiles | The file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). |
hintsFile | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html). |
@@ -129,4 +130,3 @@ are configured in the Maven settings file you must tell dependency-check which p
Property | Description | Default Value
---------------------|--------------------------------------------------------------------------------------|------------------
mavenSettingsProxyId | The id for the proxy, configured via settings.xml, that dependency-check should use. |
-