From d77a6dbe1c98a1b5a732901781ecd5ca0788f2c4 Mon Sep 17 00:00:00 2001
From: Guido Schreuder
Date: Tue, 6 Nov 2018 19:16:02 +0100
Subject: [PATCH 1/5] add option to verify section in POM

---
 .../maven/BaseDependencyCheckMojo.java | 62 ++++++++++++++++++-
 1 file changed, 61 insertions(+), 1 deletion(-)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index c8712fa488e..e25c7ad2053 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -36,12 +36,14 @@
 import org.apache.maven.settings.Proxy;
 import org.apache.maven.settings.Server;
 import org.apache.maven.shared.transfer.artifact.ArtifactCoordinate;
+import org.apache.maven.shared.transfer.artifact.DefaultArtifactCoordinate;
 import org.apache.maven.shared.transfer.artifact.TransferUtils;
 import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolver;
 import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolverException;
 import org.apache.maven.shared.dependency.graph.DependencyGraphBuilder;
 import org.apache.maven.shared.dependency.graph.DependencyGraphBuilderException;
 import org.apache.maven.shared.dependency.graph.DependencyNode;
+import org.apache.maven.shared.dependency.graph.internal.DefaultDependencyNode;
 import org.apache.maven.shared.model.fileset.FileSet;
 import org.apache.maven.shared.model.fileset.util.FileSetManager;
 import org.owasp.dependencycheck.Engine;
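Review bot: `import org.apache.maven.shared.dependency.graph.internal.DefaultDependencyNode` pulls a class out of an `internal` package of the shared dependency-graph library, which is not part of its supported API and may change or disappear on a library upgrade; the class is instantiated in toDependencyNode in the @@ -891 hunk. Unless the plugin already relies on other `internal` types, a small `DependencyNode` implementation owned by this module would remove that coupling. At minimum the import deserves a marker such as `// NOTE: internal API of maven-dependency-tree, re-check on every upgrade of the shared library` so the risk is visible to whoever bumps the dependency.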
@@ -562,6 +564,13 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
 @Parameter(property = "skipSystemScope", defaultValue = "false", required = false)
 private boolean skipSystemScope = false;
 
+ /**
+ * Skip Analysis for System Scope Dependencies.
+ */
+ @SuppressWarnings("CanBeFinal")
+ @Parameter(property = "skipDependencyManagement", defaultValue = "true", required = false)
+ private boolean skipDependencyManagement = true;
+
 /**
 * Skip analysis for dependencies which type matches this regular
 * expression.
@@ -779,6 +788,15 @@ protected boolean isFailOnError() {
 return failOnError;
 }
 
+ /**
+ * Returns if the mojo should skip dependencyManagement section.
+ *
+ * @return whether or not the mojo should skip dependencyManagement section
+ */
+ public boolean isSkipDependencyManagement() {
+ return skipDependencyManagement;
+ }
+
 /**
 * Generates the Dependency-Check Site Report.
 *
@@ -891,6 +909,48 @@ protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine,
 }
 }
 
+ private DependencyNode toDependencyNode(ProjectBuildingRequest buildingRequest, DependencyNode parent, org.apache.maven.model.Dependency dependency)
+ throws ArtifactResolverException {
+
+ DefaultArtifactCoordinate coordinate = new DefaultArtifactCoordinate();
+
+ coordinate.setGroupId(dependency.getGroupId());
+ coordinate.setArtifactId(dependency.getArtifactId());
+ coordinate.setVersion(dependency.getVersion());
+ coordinate.setExtension(dependency.getType());
+ coordinate.setClassifier(dependency.getClassifier());
+
+ Artifact artifact = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
+
+ artifact.setScope(dependency.getScope());
+
+ DefaultDependencyNode node = new DefaultDependencyNode(parent, artifact, dependency.getVersion(), dependency.getScope(), null);
+
+ return node;
+
+ }
+
+ private ExceptionCollection collectDependencyManagementDependencies(ProjectBuildingRequest buildingRequest, MavenProject project,
+ List nodes, boolean aggregate) {
+ if (skipDependencyManagement || project.getDependencyManagement() == null) {
+ return null;
+ }
+
+ ExceptionCollection exCol = null;
+ for (org.apache.maven.model.Dependency dependency : project.getDependencyManagement().getDependencies()) {
+ try {
+ nodes.add(toDependencyNode(buildingRequest, null, dependency));
+ } catch (ArtifactResolverException ex) {
+ getLog().debug(String.format("Aggregate : %s", aggregate));
+ if (exCol == null) {
+ exCol = new ExceptionCollection();
+ }
+ exCol.addException(ex);
+ }
+ }
+ return exCol;
+ }
+
 /**
 * Resolves the projects artifacts using Aether and scans the resulting
 * dependencies.
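Review bot: The `catch (ArtifactResolverException ex)` in collectDependencyManagementDependencies logs only `Aggregate : %s` at debug level, so when a managed dependency cannot be resolved nothing in the log names the coordinate that was dropped from the scan, and the `aggregate` parameter exists in this method solely for that message. Replace it with a message that carries the coordinate and the cause, `getLog().debug(String.format("Unable to resolve managed dependency %s:%s:%s", dependency.getGroupId(), dependency.getArtifactId(), dependency.getVersion()), ex);`. toDependencyNode should also carry a Javadoc stating that it resolves, and so may download, every dependencyManagement entry through `artifactResolver` (for BOM-style projects that can be a large number of remote fetches) and that it mutates the scope of the Artifact the resolver returned; whether the resolver hands out shared Artifact instances is not visible here. A short comment naming what the trailing `null` passed to `new DefaultDependencyNode(...)` stands for would help the next reader too.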
@@ -906,7 +966,7 @@ protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine,
 */
 private ExceptionCollection collectMavenDependencies(Engine engine, MavenProject project, List nodes,
 ProjectBuildingRequest buildingRequest, boolean aggregate) {
- ExceptionCollection exCol = null;
+ ExceptionCollection exCol = collectDependencyManagementDependencies(buildingRequest, project, nodes, aggregate);
 for (DependencyNode dependencyNode : nodes) {
 if (artifactScopeExcluded.passes(dependencyNode.getArtifact().getScope())
 || artifactTypeExcluded.passes(dependencyNode.getArtifact().getType())) {

From bda21e586114e86a7b2345b454b52579c5a60cc3 Mon Sep 17 00:00:00 2001
From: Guido Schreuder
Date: Tue, 6 Nov 2018 19:36:56 +0100
Subject: [PATCH 2/5] Fix javadoc

---
 .../owasp/dependencycheck/maven/BaseDependencyCheckMojo.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index e25c7ad2053..f1039559641 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -565,7 +565,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
 private boolean skipSystemScope = false;
 
 /**
- * Skip Analysis for System Scope Dependencies.
+ * Skip Analysis for dependencyManagement section.
 */
 @SuppressWarnings("CanBeFinal")
 @Parameter(property = "skipDependencyManagement", defaultValue = "true", required = false)

From 12d3ea7ed3e015282d91a489dafed29755ab4dcf Mon Sep 17 00:00:00 2001
From: Guido Schreuder
Date: Tue, 6 Nov 2018 19:38:30 +0100
Subject: [PATCH 3/5] remove unused getter

---
 .../dependencycheck/maven/BaseDependencyCheckMojo.java | 9 ---------
 1 file changed, 9 deletions(-)

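Review bot: The managed nodes that collectDependencyManagementDependencies appends to `nodes` are now run through the same `artifactScopeExcluded.passes(dependencyNode.getArtifact().getScope())` filter as the resolved graph, but a dependencyManagement entry commonly declares no `<scope>`, so toDependencyNode's `artifact.setScope(dependency.getScope())` can leave that scope null; whether the scope filter (and the type filter on the next line) treats null as "not excluded" cannot be confirmed from this hunk and should be covered by a test with a scope-less managed dependency. A one-line comment above the call, e.g. `// managed dependencies (dependencyManagement) are appended to nodes and filtered like resolved ones`, would make the ordering dependency explicit. collectMavenDependencies continues outside the hunk.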
diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index f1039559641..d18289e1d8e 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -788,15 +788,6 @@ protected boolean isFailOnError() {
 return failOnError;
 }
 
- /**
- * Returns if the mojo should skip dependencyManagement section.
- *
- * @return whether or not the mojo should skip dependencyManagement section
- */
- public boolean isSkipDependencyManagement() {
- return skipDependencyManagement;
- }
-
 /**
 * Generates the Dependency-Check Site Report.
 *

From 1361b591af32b5427bc40dc4fcebddc414e14cd8 Mon Sep 17 00:00:00 2001
From: Guido Schreuder
Date: Tue, 6 Nov 2018 20:21:40 +0100
Subject: [PATCH 4/5] Add documentation for 'skipDependencyManagement'

---
 maven/src/site/markdown/configuration.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/maven/src/site/markdown/configuration.md b/maven/src/site/markdown/configuration.md
index a5496ed0656..ba846c62906 100644
--- a/maven/src/site/markdown/configuration.md
+++ b/maven/src/site/markdown/configuration.md
@@ -28,6 +28,7 @@ skipProvidedScope | Skip analysis for artifacts with Provided Scope.
 skipRuntimeScope | Skip analysis for artifacts with Runtime Scope. | false
 skipSystemScope | Skip analysis for artifacts with System Scope. | false
 skipTestScope | Skip analysis for artifacts with Test Scope. | true
+skipDependencyManagement | Skip analysis for dependencyManagement sections. | true
 skipArtifactType | A regular expression used to filter/skip artifact types. |  
 suppressionFiles | The file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). |  
 hintsFile | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html). |  
@@ -129,4 +130,3 @@ are configured in the Maven settings file you must tell dependency-check which p
 Property | Description | Default Value
 ---------------------|--------------------------------------------------------------------------------------|------------------
 mavenSettingsProxyId | The id for the proxy, configured via settings.xml, that dependency-check should use. |  
-

From f68992b767cae73b1a0ab50c7e9bf2602a4a98a6 Mon Sep 17 00:00:00 2001
From: Guido Schreuder
Date: Wed, 7 Nov 2018 09:24:07 +0100
Subject: [PATCH 5/5] Added it-test for checking dependencyManagement section

---
 .../invoker.properties | 19 +++++++++++
 .../1551-verify-dependency-management/pom.xml | 34 +++++++++++++++++++
 .../postbuild.groovy | 32 +++++++++++++++++
 3 files changed, 85 insertions(+)
 create mode 100644 maven/src/it/1551-verify-dependency-management/invoker.properties
 create mode 100644 maven/src/it/1551-verify-dependency-management/pom.xml
 create mode 100644 maven/src/it/1551-verify-dependency-management/postbuild.groovy

diff --git a/maven/src/it/1551-verify-dependency-management/invoker.properties b/maven/src/it/1551-verify-dependency-management/invoker.properties
new file mode 100644
index 00000000000..d0293944b8a
--- /dev/null
+++ b/maven/src/it/1551-verify-dependency-management/invoker.properties
@@ -0,0 +1,19 @@
+#
+# This file is part of dependency-check-maven.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+#
+
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -Dformat=ALL -DskipDependencyManagement=false
diff --git a/maven/src/it/1551-verify-dependency-management/pom.xml b/maven/src/it/1551-verify-dependency-management/pom.xml
new file mode 100644
index 00000000000..6e5976a1774
--- /dev/null
+++ b/maven/src/it/1551-verify-dependency-management/pom.xml
@@ -0,0 +1,34 @@
+
+
+ 4.0.0
+ org.owasp.test
+ verify-dependency-management
+ 1.0.0-SNAPSHOT
+ pom
+
+
+ com.fasterxml.jackson.dataformat
+ jackson-dataformat-xml
+ 2.6.3
+
+
diff --git a/maven/src/it/1551-verify-dependency-management/postbuild.groovy b/maven/src/it/1551-verify-dependency-management/postbuild.groovy
new file mode 100644
index 00000000000..385af940151
--- /dev/null
+++ b/maven/src/it/1551-verify-dependency-management/postbuild.groovy
@@ -0,0 +1,32 @@
+/*
+ * This file is part of dependency-check-maven.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang.StringUtils;
+import java.nio.charset.Charset;
+
+
+// Check to see if jackson-dataformat-xml-2.4.5.jar was identified.
+//TODO change this to xpath and check for CVE-2016-3720
+String log = FileUtils.readFileToString(new File(basedir, "target/dependency-check-report.xml"), Charset.defaultCharset().name());
+int count = StringUtils.countMatches(log, "CVE-2017-15095");
+if (count == 0){
+ System.out.println(String.format("jackson-dataformat-xml was not identified", count));
+ return false;
+}
+return true;
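Review bot: The comment and the failure message in the new script are stale copy-paste: the comment names jackson-dataformat-xml-2.4.5.jar while the IT pom in this series declares 2.6.3, the TODO refers to CVE-2016-3720 while the assertion counts CVE-2017-15095, and `String.format("jackson-dataformat-xml was not identified", count)` passes a `count` argument that the format string never consumes. Change the comment to `// Check that the managed dependency jackson-dataformat-xml 2.6.3 was identified, via its known CVE-2017-15095 entry in the report.` and the message to `System.out.println("jackson-dataformat-xml was not identified (no CVE-2017-15095 match in the report)");`. Reading the report with `Charset.defaultCharset().name()` makes the check depend on the invoking JVM's platform encoding; if the XML report is written as UTF-8 (not visible here), passing `"UTF-8"` would be the stable choice. The test covers only `-DskipDependencyManagement=false`; a companion run with the default, asserting the managed artifact is absent, would pin both sides of the new option.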