
I'm using the Maven plugin of OWASP Dependency Check in a multi-module project.

Currently, the XML report provided by the dependency check only contains the below information, which doesn't include the "Component" version for which we are doing the scan.

Is there any way to include it in the report we generate? (In this case it would be parent.version.)

<projectInfo>
    <name>Component</name>
    <reportDate>2017-02-17T15:57:38.041+0530</reportDate>
    <credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo>

Adding the pom.xml file here:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <parent>
        <groupId>org.comp.carb</groupId>
        <artifactId>carb-parent</artifactId>
        <version>4.4.12</version>
        <relativePath>../parent/pom.xml</relativePath>
    </parent>

    <modelVersion>4.0.0</modelVersion>
    <artifactId>carb-kernel</artifactId>
    <packaging>pom</packaging>
    <name>comp carb - Parent Maven Project</name>
    <description>carb-parent</description>
    <url>http://comp.org</url>

    <licenses>
        <license>
            <name>Apache License Version 2.0</name>
            <url>http://www.apache.org/licenses/LICENSE-2.0</url>
        </license>
    </licenses>

    <organization>
        <name>comp Inc</name>
        <url>http://comp.com</url>
    </organization>

    <issueManagement>
        <system>JIRA</system>
        <url>https://comp.org/jira/browse/carb</url>
    </issueManagement>

    <mailingLists>
        <mailingList>
            <name>comp carb Developers' List</name>
            <post>mailto:carb-dev@comp.org</post>
            <archive>http://www.comp.org/mailarchive/carb-dev/</archive>
            <subscribe>mailto:carb-dev-request@comp.org?subject=subscribe</subscribe>
            <unsubscribe>mailto:carb-dev-request@comp.org?subject=unsubscribe</unsubscribe>
        </mailingList>
        <mailingList>
            <name>comp Architecture List</name>
            <post>mailto:architecture@comp.org</post>
            <archive>http://comp.org/mailarchive/architecture/</archive>
            <subscribe>mailto:architecture-request@comp.org?subject=subscribe</subscribe>
            <unsubscribe>mailto:architecture-request@comp.org?subject=unsubscribe</unsubscribe>
        </mailingList>
    </mailingLists>


    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-resources-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.felix</groupId>
                <artifactId>maven-scr-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>1.4.4.1</version>
                <executions>
                    <execution>
                        <phase>test</phase>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <!-- UNCOMMENT BELOW TAG TO FAIL BUILD ON HIGH+ ISSUE -->
                    <!-- <failBuildOnCVSS>7</failBuildOnCVSS> -->
                    <format>ALL</format>
                    <outputDirectory>${project.build.directory}/security</outputDirectory>
                    <suppressionFile>/home/prakhash/Downloads/MavenBasedSecurityAutomation/carb-kernel/core/org.comp.carb.ui/supress.xml</suppressionFile>
                    <hintsFile>https://raw.githubusercontent.com/ayomawdb/dependencycheck-rules-test/master/global-dependencycheck-hints.xml</hintsFile>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>xml-maven-plugin</artifactId>
                <version>1.0.1</version>
                <executions>
                    <execution>
                        <phase>package</phase>
                        <goals>
                            <goal>transform</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <transformationSets>
                        <transformationSet>
                            <dir>${project.build.directory}/security</dir>
                            <outputDir>${project.build.directory}/security</outputDir>
                            <stylesheet>/home/prakhash/compProducts/DependencyCheck/dependency.xsl</stylesheet>
                            <parameters>
                                <parameter>
                                    <name>MyParam</name>
                                    <value>test</value>
                                </parameter>
                            </parameters>
                            <includes>dependency-check-report.xml</includes>
                            <fileMappers>
                                <fileMapper implementation="org.codehaus.plexus.components.io.filemappers.FileExtensionMapper">
                                    <targetExtension>.html</targetExtension>
                                </fileMapper>
                            </fileMappers>
                        </transformationSet>
                    </transformationSets>
                </configuration>
            </plugin>
        </plugins>
        <testResources>
            <testResource>
                <directory>
                    ${basedir}/../../distribution/kernel/carb-home/lib/core/WEB-INF/classes/
                </directory>
                <includes>
                    <include>log4j.properties</include>
                </includes>
            </testResource>
            <testResource>
                <directory>src/main/java</directory>
                <includes>
                    <include>**/*.xml</include>
                </includes>
            </testResource>
            <testResource>
                <directory>src/test/resources</directory>
                <includes>
                    <include>**/*.xml</include>
                    <include>**/*.properties</include>
                </includes>
            </testResource>
        </testResources>
    </build>

    <modules>
        <module>javax.cache</module>
        <module>org.comp.carb.tomcat</module>
        <module>org.comp.carb.tomcat.ext</module>
        <module>org.comp.carb.registry.api</module>
    </modules>
</project>
Lii
Prakhash
  • Can you share your pom.xml? Or at least the snippet where you have used this plugin. – GauravJ Feb 20 '17 at 04:33
  • Added the pom.xml to the question. – Prakhash Feb 20 '17 at 04:42
  • Could you run the plugin with the aggregate goal instead of check? – GauravJ Feb 20 '17 at 04:49
  • Still no luck, there is no model version in the report. – Prakhash Feb 20 '17 at 05:03
  • Let me understand it correctly: do you need the model version (pom.xml) in the report? – GauravJ Feb 20 '17 at 05:28
  • Yes, in a multi-module project the reports get generated for each and every module. So for every module, with the module name as displayed inside Component, I need to get the module version. – Prakhash Feb 20 '17 at 06:05
  • Module version is different from model version. Model version is the pom.xml version, which remains the same unless new capabilities are added in a new Maven release. – GauravJ Feb 20 '17 at 06:34
  • Sorry for the confusion in the last comment. It is model version, as I have already mentioned in the question: 4.0.0. – Prakhash Feb 20 '17 at 06:41
  • Model version is not relevant. It's the version of the pom that is used in the project. What would you do with this version? It will not tell you anything about the project. – GauravJ Feb 20 '17 at 06:43
  • Oh, got confused with the requirement. Thanks for correcting (I was thinking modelVersion defined the subcomponent version). So can you please guide me to add the version in the output? That has to be from the parent element (parent.version). – Prakhash Feb 20 '17 at 06:52
  • Edited the question as well. Thanks @GauravJ – Prakhash Feb 20 '17 at 06:55

1 Answer

I have checked the source code of dependency-check-maven and unfortunately there is no component version information. See the following XSD snippet from the source code:

<xs:element name="projectInfo">
    <xs:complexType>
        <xs:sequence>
            <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
            <xs:element name="reportDate" type="xs:string" minOccurs="1" maxOccurs="1" />
            <xs:element name="credits" type="xs:string" minOccurs="1" maxOccurs="1" />
        </xs:sequence>
    </xs:complexType>
</xs:element>

Although when you generate mvn site, it has the complete context with the component version. Logically speaking, this is what you will actually do when generating a report. XML reports are not meant for human consumption.

You can raise an enhancement request if you think this is a valid requirement for you.

GauravJ
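As an added example (not part of the question, the answer, or the dependency-check project), the script below does what the question asks for in a post-processing step: it resolves the module's effective version from its pom.xml (its own `<version>`, or the inherited `<parent><version>` as in the carb-kernel pom above) and writes it into `<projectInfo>` of the generated dependency-check-report.xml. The sample pom and report strings are constructed from the snippets on this page; the function names and the `<version>` element are my own choices. Note the caveat from the answer: the 1.4.4.1 report schema has no such element, so a report patched this way no longer validates against the plugin's XSD. Apply it to a copy that feeds the xml-maven-plugin transformation in the pom, or pass the same value to that transformation as a stylesheet parameter (`<value>${project.version}</value>` under `<parameters>`) instead of touching the report at all.

```python
"""Add the Maven module version to an OWASP Dependency-Check XML report.

Added example; not code from the question, the answer, or the
dependency-check project. The <version> element written into <projectInfo>
is an assumption about where such data would live (the 1.4.x schema does
not define it), and both sample documents below are constructed inputs.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample: a module pom that inherits its version from its parent,
# as carb-kernel does in the question.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
    <parent>
        <groupId>org.comp.carb</groupId>
        <artifactId>carb-parent</artifactId>
        <version>4.4.12</version>
    </parent>
    <modelVersion>4.0.0</modelVersion>
    <artifactId>carb-kernel</artifactId>
</project>"""

# Constructed sample: the projectInfo block as the 1.4.4.1 report writes it
# (no version element anywhere).
SAMPLE_REPORT = """<analysis>
    <projectInfo>
        <name>Component</name>
        <reportDate>2017-02-17T15:57:38.041+0530</reportDate>
        <credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
    </projectInfo>
</analysis>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def resolve_module_version(pom_xml):
    """Return the module's effective version: its own <version> if declared,
    otherwise the inherited <parent><version>. Raises ValueError if neither
    is present, since a report with no version is exactly the failure mode
    this script exists to avoid."""
    root = ET.fromstring(pom_xml)
    own = root.find(f"{{{POM_NS}}}version")
    if own is not None and own.text and own.text.strip():
        return own.text.strip()
    parent = root.find(f"{{{POM_NS}}}parent/{{{POM_NS}}}version")
    if parent is not None and parent.text and parent.text.strip():
        return parent.text.strip()
    raise ValueError("pom declares neither <version> nor <parent><version>")


def add_version_to_report(report_xml, version):
    """Insert <version> into <projectInfo> directly after <name>.

    Matches on local tag names so it works whether or not the report
    carries a default namespace. Idempotent: an existing <version> is
    overwritten rather than duplicated."""
    root = ET.fromstring(report_xml)
    info = next((e for e in root.iter() if _local(e.tag) == "projectInfo"), None)
    if info is None:
        raise ValueError("report has no <projectInfo> element")
    # Reuse the report's namespace (if any) so the new element matches.
    ns = info.tag[: info.tag.index("}") + 1] if info.tag.startswith("{") else ""
    existing = [e for e in info if _local(e.tag) == "version"]
    if existing:
        existing[0].text = version
    else:
        ver = ET.Element(ns + "version")
        ver.text = version
        name_idx = [i for i, e in enumerate(info) if _local(e.tag) == "name"]
        info.insert(name_idx[0] + 1 if name_idx else 0, ver)
    return ET.tostring(root, encoding="unicode")


def report_version(report_xml):
    """Read back the version a report's <projectInfo> carries, or None."""
    root = ET.fromstring(report_xml)
    for info in root.iter():
        if _local(info.tag) == "projectInfo":
            for child in info:
                if _local(child.tag) == "version":
                    return child.text
    return None


if __name__ == "__main__":
    # Stand-alone run on the constructed samples; with real files, read
    # pom.xml and target/security/dependency-check-report.xml instead.
    print(add_version_to_report(SAMPLE_REPORT, resolve_module_version(SAMPLE_POM)))
```

In a multi-module build each module has its own pom and its own report under `${project.build.directory}/security`, so the script would be run once per module with that module's pair of files; resolving through `<parent>` is what makes the inherited parent.version from the question come out correctly.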