Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Scan Maven Plugins #5001

Merged
merged 26 commits into from
Jan 11, 2023
Merged

feat: Scan Maven Plugins #5001

merged 26 commits into from
Jan 11, 2023

Conversation

jeremylong
Copy link
Owner

Fixes Issue #4035

Adds the ability to scan the plugins of a Maven project (via the org.owasp:dependency-check-maven plugin - not the CLI).

  • Introduced includedBy to the HTML, XML, and JSON reports when scanning with the Maven Plugin. includedBy is the root of the dependency tree (i.e. if a transitive dependency is scanned, the includedBy will be a direct dependency). Note that when using the maven plugin includedBy will be added even when plugins are not scanned.

@boring-cyborg boring-cyborg bot added core changes to core maven changes to the maven plugin tests test cases labels Oct 29, 2022
@jeremylong jeremylong added this to the 8.0.0 milestone Oct 29, 2022
@jeremylong jeremylong mentioned this pull request Oct 30, 2022
Closed
@boring-cyborg boring-cyborg bot added the documentation site documentation label Oct 31, 2022
@jeremylong
Copy link
Owner Author

@mprins thanks for the suggestion!

@jeremylong jeremylong changed the title Scan Maven Plugins feat: Scan Maven Plugins Nov 19, 2022
aikebah
aikebah requested changes Dec 3, 2022
View reviewed changes
Copy link
Collaborator

@aikebah aikebah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviews that should be addressed before merge in my view are :
https://github.com/jeremylong/DependencyCheck/pull/5001/files/fdc8896ec749c8f865e47ed529e58affa9bc7e0d#r1020950469

and
https://github.com/jeremylong/DependencyCheck/pull/5001/files/fdc8896ec749c8f865e47ed529e58affa9bc7e0d#r1020965735

jeremylong and others added 13 commits January 1, 2023 03:57
@jeremylong
feat: add mojo to scan plugins, resolves #4035
03b844b
@jeremylong
fix: add all included by during merge
c6ada0a
@jeremylong
feat: add includedBy to reports
61a68b1
@jeremylong
style: make checkstyle happier
769c93c
@jeremylong @mprins
Update maven/src/main/java/org/owasp/dependencycheck/maven/BaseDepend…
b110e4c 
…encyCheckMojo.java

Co-authored-by: Mark Prins <1165786+mprins@users.noreply.github.com>
@jeremylong
doc: document new config option
3b4196b
@jeremylong
style: checkstyle suggestion
ce27552
@jeremylong
style: checkstyle
76e66d5
@jeremylong
feat: enable users to only scan plugins
2284f58
@jeremylong @aikebah
Update maven/src/main/java/org/owasp/dependencycheck/maven/BaseDepend…
ac4cfbd 
…encyCheckMojo.java

Co-authored-by: Hans Aikema <aikebah-github@aikebah.net>
@jeremylong @aikebah
Update maven/src/main/java/org/owasp/dependencycheck/maven/BaseDepend…
1b4059d 
…encyCheckMojo.java

Co-authored-by: Hans Aikema <aikebah-github@aikebah.net>
@jeremylong @aikebah
Update maven/src/main/java/org/owasp/dependencycheck/maven/BaseDepend…
d191a6c 
…encyCheckMojo.java

Co-authored-by: Hans Aikema <aikebah-github@aikebah.net>
@jeremylong
fix: Update core/src/main/resources/schema/dependency-check.2.5.xsd
a77c65f
@boring-cyborg boring-cyborg bot added ant changes to ant cli changes to the cli utils changes to utils labels Jan 7, 2023
@jeremylong
Copy link
Owner Author

@aikebah I think I'm good with the 8.0.0 PRs now. Planning on spending this week integrating the 8.0.0 PRs and testing so we can finally get these released. Please let me know if you see any additional issues/concerns.

aikebah
aikebah requested changes Jan 10, 2023
View reviewed changes
Copy link
Collaborator

@aikebah aikebah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See review, think we should stay on the safe side with internal Maven vars.... with that integrated all looks good to me

maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java Outdated Show resolved Hide resolved
@jeremylong @aikebah
Update maven/src/main/java/org/owasp/dependencycheck/maven/BaseDepend…
7adf45e 
…encyCheckMojo.java

Co-authored-by: Hans Aikema <aikebah-github@aikebah.net>
@aikebah
Copy link
Collaborator

aikebah commented Jan 10, 2023

@jeremylong I'll leave the merge-sequence decision up to you.... my gut feel would be first the Known exploited and then the maven plugin would be the easiest to resolve any emerging merge conflicts

@jeremylong jeremylong merged commit da733c4 into main Jan 11, 2023
@pitprok
Copy link

pitprok commented Jan 23, 2023
edited

Based on this dependency-check-sonar-plugin#748 includedBy broke the parsing of the reports.

[INFO] 17:06:11.358 Using JSON-Reportparser
[WARNING] 17:06:11.651 JSON-Analysis aborted
[DEBUG] 17:06:11.653 Problem with JSON-Report-Mapping
org.sonar.dependencycheck.parser.ReportParserException: Problem with JSON-Report-Mapping
	at org.sonar.dependencycheck.parser.JsonReportParserHelper.parse(JsonReportParserHelper.java:44)
	at org.sonar.dependencycheck.DependencyCheckSensor.parseAnalysis(DependencyCheckSensor.java:71)
	at org.sonar.dependencycheck.DependencyCheckSensor.execute(DependencyCheckSensor.java:150)
	at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:48)
	at org.sonar.scanner.sensor.ProjectSensorsExecutor.execute(ProjectSensorsExecutor.java:49)
	at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart(ProjectScanContainer.java:360)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:137)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:123)
	at org.sonar.scanner.bootstrap.GlobalContainer.doAfterStart(GlobalContainer.java:150)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:137)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:123)
	at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:72)
	at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:66)
	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
	at com.sun.proxy.$Proxy45.execute(Unknown Source)
	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
	at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
	at org.sonarsource.scanner.maven.bootstrap.ScannerBootstrapper.execute(ScannerBootstrapper.java:65)
	at org.sonarsource.scanner.maven.SonarQubeMojo.execute(SonarQubeMojo.java:108)
	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:137)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:210)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:156)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:148)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:56)
	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:305)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:192)
	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:105)
	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:957)
	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:289)
	at org.apache.maven.cli.MavenCli.main(MavenCli.java:193)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:282)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:225)
	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:406)
	at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:347)
Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "includedBy" (class org.sonar.dependencycheck.parser.element.Dependency), not marked as ignorable (9 known properties: "filePath", "evidenceCollected", "sha1", "fileName", "vulnerabilities", "vulnerabilityIds", "packages", "md5", "identifiers"])
 at [Source: (sun.nio.ch.ChannelInputStream); line: 1, column: 6225] (through reference chain: org.sonar.dependencycheck.parser.element.Analysis["dependencies"]->java.util.ArrayList[0]->org.sonar.dependencycheck.parser.element.Dependency["includedBy"])
	at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:61)
	at com.fasterxml.jackson.databind.DeserializationContext.handleUnknownProperty(DeserializationContext.java:855)
	at com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:1212)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty(BeanDeserializerBase.java:1604)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperties(BeanDeserializerBase.java:1554)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:511)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1322)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:331)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:164)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:290)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:249)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:26)
	at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:542)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeWithErrorWrapping(BeanDeserializer.java:535)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:419)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1322)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:331)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:164)
	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4526)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3505)
	at org.sonar.dependencycheck.parser.JsonReportParserHelper.parse(JsonReportParserHelper.java:40)
	... 45 common frames omitted

Is there a way to disable that field or do we have to wait for it to be fixed?

@jeremylong jeremylong deleted the plugins branch February 27, 2023 13:38
@Marcono1234 Marcono1234 mentioned this pull request Jul 12, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mprins mprins mprins requested changes

@aikebah aikebah aikebah approved these changes

Assignees
No one assigned
Labels
ant changes to ant cli changes to the cli core changes to core documentation site documentation maven changes to the maven plugin tests test cases utils changes to utils
Projects
None yet
Milestone
8.0.0
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@jeremylong @aikebah @pitprok @mprins