jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Maven Plugin: Add excludes and includes functionality #1009

Open najibk opened 6 years ago

najibk commented 6 years ago

Hello,

I have 2 questions on the same subject of ignoring dependencies used for tests:

  1. Is it possible to ignore checking test dependencies? Since they won't be used in production they aren't very important.
  2. With the suppression mechanism I don't see how I can pass a whole dependency to ignore (with its sub-dependencies) so I don't have to list each and every sub-dependency in the xml file. This is useful in the case of dependencies used for tests.

Thanks !

jeremylong commented 6 years ago

What are you using to run dependency-check? Maven or Gradle?

najibk commented 6 years ago

thanks for the quick reply, I'm using maven

jeremylong commented 6 years ago

By default test scoped dependencies should be skipped. Can you point to a sample project?

On Nov 28, 2017 7:02 AM, "najibk" notifications@github.com wrote:

thanks for the quick reply, I'm using maven


najibk commented 6 years ago

You're right, my bad, the scope wasn't correctly placed in all dependencies. However, it could still be useful to be able to ignore the check of a dependency (and all its sub-dependencies). Is there a way to achieve this?

jeremylong commented 6 years ago

No, it is not possible to skip a specific library. I know many tools have an <includes> and <excludes> configuration option. We haven't had a request for this (I suppose until now).

wilkko commented 5 years ago

Can the excludes property be used for excluding a reactor module that has compile scoped dependencies which in turn have transitive dependency that cause warnings for us? We would like to exclude some of our "test" modules somehow from the dependency-check build.

The 5.0.0-M3 documentation says you can use "excludes" configuration on aggregate goal now.

I tried without success:

<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>5.0.0-M3</version>
        <configuration>
          <excludes>com.example.test:reusable-contract-tests:1.0.0-SNAPSHOT</excludes>
        </configuration>
      </plugin>
    </plugins>
  </pluginManagement>
</build>

and

<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>5.0.0-M3</version>
        <configuration>
          <excludes>
            <exclude>com.example.test:reusable-contract-tests:1.0.0-SNAPSHOT</exclude>
          </excludes>
        </configuration>
      </plugin>
    </plugins>
  </pluginManagement>
</build>

Then run mvn compile dependency-check:aggregate

JSamir commented 4 years ago

I also could not find any information how the excludes are supposed to work, nothing I tried works.

How are excludes supposed to work? How can we accomplish the exclusion of a reactor artifact?

jeremylong commented 4 years ago

@JSamir this is an enhancement request which has not been implemented (i.e. it is still open). We accept PRs...

Currently the only exclude functionality is when configuring ScanSets - these would be for scanning directories that contain things like JavaScript that are not part of the reactor.

JSamir commented 4 years ago

@jeremylong thanks for the quick answer. Can you please confirm that it is currently not possible to exclude a reactor module within a project structure like this if this module is a dependency for another module within this reactor project?

parent
  child1
  child2
  child3
  pom.xml

child3 is a dependency within the pom.xml of child1. child3 is also configured to be skipped (in its own pom.xml).

If I do mvn verify in the parent folder, child3 will be skipped and there is no report generated in the target folder of child3.

But, in the report generated for the parent, all vulnerabilities from child3 are listed because child3 is a dependency for child1.

This makes total sense for a non-reactor project, but I was expecting that for a reactor project the plugin recognizes that a module is to be skipped in the analysis and therefore should also be skipped as dependency in other projects within the parent.

So is it impossible to completely exclude a module in a reactor project if it is also a dependency for other modules?

jeremylong commented 4 years ago

The skip configuration only skips executing ODC on the module. It does not impact if the module is referenced as a dependency in another module.

m-coder99 commented 2 years ago

Hello, I am configuring the dependency-check-maven plugin in a multi-module pom project. I want to scan only the parent pom dependencies. If I give the goal check it is not scanning any dependency. Why?

lukesolar commented 2 years ago

@wilkko try removing the version. <exclude>groupId:artifactId</exclude>

This example is working for me

<excludes>
  <exclude>com.fasterxml.jackson.core:jackson-databind</exclude>
  <exclude>org.apache.httpcomponents:httpclient</exclude>
</excludes>

saugion commented 1 year ago

This example is working for me

<excludes>
  <exclude>com.fasterxml.jackson.core:jackson-databind</exclude>
  <exclude>org.apache.httpcomponents:httpclient</exclude>
</excludes>

I have a project with submodules, something like

Parent
      |
      |-- Child as dep
      |-- other deps

when I run the dependency-check command the plugin is not able to find the submodule's jar because it has not been already installed on the repo, as the installation happens after the dependency-check step. If I run it again it works fine, as the jar has been installed and it is correctly found.

My solution to this would be to exclude the submodule's check from the parent, because the given submodule is already analysed and I don't need to analyse it more than once.

I've put the following to the parent's pom, but it does not work:

<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <configuration>
        <excludes>main-group:child-artifact</excludes>
      </configuration>
    </plugin>
  </plugins>
</build> 

also tried with

<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <configuration>
        <excludes>
          <exclude>main-group:child-artifact</exclude>
        </excludes>
      </configuration>
    </plugin>
  </plugins>
</build> 

What am I doing wrong? Thanks

nightswimmings commented 1 year ago

I think all these forms of error have nothing to do with the plugin, but with the way the reactor (Maven's internal multi-module engine) works. It's not dependency-check that pulls in the inner transitive dependencies.

The easy way to fix it is to add a compile (or test-compile, if you need it) goal in the default-cli call for dependency-check:

mvn compile org.owasp:dependency-check-maven:8.2.1:check ...

Still, it can make sense to keep <excluding> the inner library, since otherwise we're analyzing the dependency twice.
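Putting the two working points from this thread together (lukesolar's groupId:artifactId exclude form, and nightswimmings' compile-before-check invocation), here is an added parent-pom example; it is not from the thread or the project's documentation, and the coordinates com.example:parent, com.example:child-artifact and com.example:app are constructed placeholders.

```xml
<!-- Added example, not project code. Parent pom of a reactor build where
     module "app" depends on reactor module "child-artifact" (constructed names). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>parent</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <modules>
    <module>child-artifact</module>
    <module>app</module>
  </modules>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <!-- version quoted from nightswimmings' command above -->
        <version>8.2.1</version>
        <configuration>
          <!-- Exclude the reactor child so it is not analysed a second time
               when it shows up as a dependency of "app". As lukesolar notes,
               use groupId:artifactId only; the versioned form
               group:artifact:1.0.0-SNAPSHOT tried earlier did not match. -->
          <excludes>
            <exclude>com.example:child-artifact</exclude>
          </excludes>
          <!-- Fail the build on findings with CVSS 7 or higher so excluded
               noise does not hide real vulnerabilities elsewhere. -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

Run it as in the reply above, `mvn compile org.owasp:dependency-check-maven:8.2.1:check`, so the reactor modules are compiled before the plugin tries to resolve child-artifact; without the compile step the child's artifact is missing on the first run, as saugion observed.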