Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

maven plugin should look at more than just java dependencies #1421

Closed
aw-was-here opened this issue Aug 5, 2018 · 8 comments
Closed

maven plugin should look at more than just java dependencies #1421

aw-was-here opened this issue Aug 5, 2018 · 8 comments
Labels

Comments

@aw-was-here
Copy link

It would appear that if a maven project has more than just Java bits, the dependency check plugin doesn't take those extra parts into consideration.

For example, Apache Hadoop has a package.json that doesn't seem to be getting found despite being in a directory that is part of the (default) scan set.

This is obviously bad for two reasons:

a) To get a complete audit, one is running both the maven plugin and the standalone version on a source tree, doubling the amount of time/resources required
b) Users may be led into a false sense of security because they may believe the maven plugin is actually checking everything.

@stevespringett
Copy link
Collaborator

The Maven plugin defaults to using standard Maven conventions and scans files in:

  • src/main/resources
  • src/main/filters
  • src/main/webapp

If package.json is located in one of these directories, it will be scanned. If the file is outside the directories defined by Maven conventions, you can use the scanSet parameter to specify the directories you want to scan.

Refer to https://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html

I did a quick scan of hadoop-yarn-ui using the following command:

mvn org.owasp:dependency-check-maven:3.3.0:check

and it did find 4 vulnerable Node components using the built-in NSP Analyzer.

@aw-was-here
Copy link
Author

Hmm. I've been using :aggregate and it definitely does not report on any of the Node components. Running :check does.

Maybe I misunderstood what aggregate does. My goal is to get one report for the entirety of the project. If it isn't actually running through all of the modules, that's less than helpful. :(

@jeremylong jeremylong added the bug label Aug 5, 2018
@jeremylong
Copy link
Owner

This is a bit if an oversight and I'm glad you reported it. The intent is that the aggregate goal would scan the standard directories - but I can guarantee that right now it does not. As you have seen, the aggregate goal only scans dependencies defined in the pom.xml.

@jeremylong
Copy link
Owner

@aw-was-here is there any chance the project is available on github? If not - can you tell us the project layout for the maven build and where the package.json exists?

jeremylong added a commit that referenced this issue Aug 5, 2018
jeremylong added a commit that referenced this issue Aug 5, 2018
@aw-was-here
Copy link
Author

Awesome, thanks!

Yes, it's definitely on github: https://github.com/apache/hadoop

It's a large project that has lots of stuff in it: java, python, node.js, cmake, ... so it's been a great test bed as we write support for dependency check into Apache Yetus (https://github.com/apache/yetus), another ASF project that is focused on build and release tooling.

@aw-was-here
Copy link
Author

I tested the patch on my machine and it is now showing the node.js vulnerabilities. Great!

@stevespringett
Copy link
Collaborator

@aw-was-here Good catch. Thanks for reporting. I've reviewed Jeremy's patch and it looks correct, so I think the next release should fix this issue.

@lock
Copy link

lock bot commented Sep 27, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Sep 27, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

No branches or pull requests

3 participants