add option to verify <dependencyManagement/> section in POM

maven/src/it/1551-verify-dependency-management/invoker.properties

@@ -0,0 +1,19 @@
+#
+# This file is part of dependency-check-maven.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+#
+
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -Dformat=ALL -DskipDependencyManagement=false

maven/src/it/1551-verify-dependency-management/pom.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+This file is part of dependency-check-maven.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2017 Jeremy Long. All Rights Reserved.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>org.owasp.test</groupId>
+    <artifactId>verify-dependency-management</artifactId>
+    <version>1.0.0-SNAPSHOT</version>
+    <packaging>pom</packaging>
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+              <groupId>com.fasterxml.jackson.dataformat</groupId>
+              <artifactId>jackson-dataformat-xml</artifactId>
+              <version>2.6.3</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+</project>

maven/src/it/1551-verify-dependency-management/postbuild.groovy

@@ -0,0 +1,32 @@
+/*
+ * This file is part of dependency-check-maven.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang.StringUtils;
+import java.nio.charset.Charset;
+
+
+// Check to see if jackson-dataformat-xml-2.4.5.jar was identified.
+//TODO change this to xpath and check for CVE-2016-3720
+String log = FileUtils.readFileToString(new File(basedir, "target/dependency-check-report.xml"), Charset.defaultCharset().name());
+int count = StringUtils.countMatches(log, "<name>CVE-2017-15095</name>");
+if (count == 0){
+    System.out.println(String.format("jackson-dataformat-xml was not identified", count));
+    return false;
+}
+return true;

maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java

@@ -36,12 +36,14 @@
 import org.apache.maven.settings.Proxy;
 import org.apache.maven.settings.Server;
 import org.apache.maven.shared.transfer.artifact.ArtifactCoordinate;
+import org.apache.maven.shared.transfer.artifact.DefaultArtifactCoordinate;
 import org.apache.maven.shared.transfer.artifact.TransferUtils;
 import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolver;
 import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolverException;
 import org.apache.maven.shared.dependency.graph.DependencyGraphBuilder;
 import org.apache.maven.shared.dependency.graph.DependencyGraphBuilderException;
 import org.apache.maven.shared.dependency.graph.DependencyNode;
+import org.apache.maven.shared.dependency.graph.internal.DefaultDependencyNode;
 import org.apache.maven.shared.model.fileset.FileSet;
 import org.apache.maven.shared.model.fileset.util.FileSetManager;
 import org.owasp.dependencycheck.Engine;
@@ -562,6 +564,13 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     @Parameter(property = "skipSystemScope", defaultValue = "false", required = false)
     private boolean skipSystemScope = false;
 
+    /**
+     * Skip Analysis for dependencyManagement section.
+     */
+    @SuppressWarnings("CanBeFinal")
+    @Parameter(property = "skipDependencyManagement", defaultValue = "true", required = false)
+    private boolean skipDependencyManagement = true;
+
     /**
      * Skip analysis for dependencies which type matches this regular
      * expression.
@@ -891,6 +900,48 @@ protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine,
         }
     }
 
+    private DependencyNode toDependencyNode(ProjectBuildingRequest buildingRequest, DependencyNode parent, org.apache.maven.model.Dependency dependency)
+        throws ArtifactResolverException {
+
+        DefaultArtifactCoordinate coordinate = new DefaultArtifactCoordinate();
+
+        coordinate.setGroupId(dependency.getGroupId());
+        coordinate.setArtifactId(dependency.getArtifactId());
+        coordinate.setVersion(dependency.getVersion());
+        coordinate.setExtension(dependency.getType());
+        coordinate.setClassifier(dependency.getClassifier());
+
+        Artifact artifact = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
+
+        artifact.setScope(dependency.getScope());
+
+        DefaultDependencyNode node = new DefaultDependencyNode(parent, artifact, dependency.getVersion(), dependency.getScope(), null);
+
+        return node;
+
+    }
+
+    private ExceptionCollection collectDependencyManagementDependencies(ProjectBuildingRequest buildingRequest, MavenProject project,
+        List<DependencyNode> nodes, boolean aggregate) {
+        if (skipDependencyManagement || project.getDependencyManagement() == null) {
+            return null;
+        }
+
+        ExceptionCollection exCol = null;
+        for (org.apache.maven.model.Dependency dependency : project.getDependencyManagement().getDependencies()) {
+            try {
+                nodes.add(toDependencyNode(buildingRequest, null, dependency));
+            } catch (ArtifactResolverException ex) {
+                getLog().debug(String.format("Aggregate : %s", aggregate));
+                if (exCol == null) {
+                    exCol = new ExceptionCollection();
+                }
+                exCol.addException(ex);
+            }
+        }
+        return exCol;
+    }
+
     /**
      * Resolves the projects artifacts using Aether and scans the resulting
      * dependencies.
@@ -906,7 +957,7 @@ protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine,
      */
     private ExceptionCollection collectMavenDependencies(Engine engine, MavenProject project,
             List<DependencyNode> nodes, ProjectBuildingRequest buildingRequest, boolean aggregate) {
-        ExceptionCollection exCol = null;
+        ExceptionCollection exCol = collectDependencyManagementDependencies(buildingRequest, project, nodes, aggregate);
         for (DependencyNode dependencyNode : nodes) {
             if (artifactScopeExcluded.passes(dependencyNode.getArtifact().getScope())
                     || artifactTypeExcluded.passes(dependencyNode.getArtifact().getType())) {

maven/src/site/markdown/configuration.md

@@ -28,6 +28,7 @@ skipProvidedScope           | Skip analysis for artifacts with Provided Scope.
 skipRuntimeScope            | Skip analysis for artifacts with Runtime Scope.            | false
 skipSystemScope             | Skip analysis for artifacts with System Scope.             | false
 skipTestScope               | Skip analysis for artifacts with Test Scope.               | true
+skipDependencyManagement    | Skip analysis for dependencyManagement sections.           | true
 skipArtifactType            | A regular expression used to filter/skip artifact types.   |  
 suppressionFiles            | The file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). |  
 hintsFile                   | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html).       |  
@@ -129,4 +130,3 @@ are configured in the Maven settings file you must tell dependency-check which p
 Property             | Description                                                                          | Default Value
 ---------------------|--------------------------------------------------------------------------------------|------------------
 mavenSettingsProxyId | The id for the proxy, configured via settings.xml, that dependency-check should use. |  
-