jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Maven Plugin - suppressionFiles not applied in a reactor build when defined through a parent pom and profile #4785

Closed martinlau closed 2 years ago

martinlau commented 2 years ago

Describe the bug

Following the instructions in https://github.com/jeremylong/DependencyCheck/issues/3947#issuecomment-1005024826 trying to configure dependency check in a parent pom, with suppressions activated by the presence of a file in the child modules.

<profile>
    <id>suppressions</id>
    <activation>
        <file>
            <exists>${basedir}/src/build/suppressions.xml</exists>
        </file>
    </activation>
    <build>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>7.1.2</version>
                <configuration combine.children="append">
                    <suppressionFiles combine.children="append">
                        <suppressionFile>${project.basedir}/src/build/suppressions.xml</suppressionFile>
                    </suppressionFiles>
                </configuration>
            </plugin>
        </plugins>
    </build>
</profile>

Debug logs show that the relevant files are referenced, however they don't seem to be used at runtime during a reactor build. When building the module in isolation things work as expected.

Version of dependency-check used

The problem occurs using version 7.1.2 of the Maven plugin with Maven 3.8.6 (also checked 6.0.x, 6.5.x and 7.0.x plugin versions and 3.8.x and 3.6.x Maven versions; all exhibit the same behaviour).

Log file

https://github.com/martinlau/dependency-check-issue/blob/main/reactor-build.log

To Reproduce

  1. Create a reactor (multi-module) project with a parent and a module2.
  2. Define the dependency-check-maven plugin in the parent, with a profile as above.
  3. Add a module which uses that parent, has a dependency with a known issue, and a suppression for that dependency.
  4. Run the reactor build.

See https://github.com/martinlau/dependency-check-issue for an example.

Expected behavior

Reactor build (e.g. mvn clean install) should complete successfully in the same way that running each module independently does (e.g. mvn clean install --projects :parent; mvn clean install --projects :module-1).

strangelookingnerd commented 2 years ago

Duplicate of https://github.com/jeremylong/DependencyCheck/issues/4765 I guess?

martinlau commented 2 years ago

May be related, but I think it’s possibly different.

My example breaks with all the plug-in versions I could throw at it (including 7.1.1 which I assume from #4765 should work if it was the same issue?)

aikebah commented 2 years ago

@martinlau What is your multi-module structure? If I interpret the logs correctly it is

dependency-check-issue
+- pom.xml (with only modules parent, module-1 and module-2, not used as parent)
+- parent
|  +- pom.xml (with the profile definition)
|  \- ...
+- module-1
|  +- pom.xml (with parent as a parent, depending on log4j 2.15)
|  +- src
|  |  \- build
|  |     \- suppressions.xml (with suppression for log4j 2.15)
|  \- ...
+- module-2
|  \-... (project skipped, so no clue on contents, but irrelevant for the current 'how it is setup')

The structure for which the profile has been operating fine for me:

parent
+- ...
\- pom.xml (with the profile definition)

project-root
+- pom.xml (using the **external** parent as a root)
+- ...
+- submodule-1
|  +- pom.xml (using project-root as a parent)
|  \- ...
\- submodule
   +- pom.xml (using project-root as a parent)
   \- ...

As it's not working for you even with older versions of the plugin, it's likely something to do with the project structure in some way. I would be happy to do some further diving into it when I can reproduce the symptom locally; however, to ensure it will work to resolve your issue, it would be important to match your project structure setup.

aikebah commented 2 years ago

@martinlau never mind... I see you shared a reproducer on github, so I can work from that... sorry for the noise

aikebah commented 2 years ago

@martinlau I think you currently suffer from #4765. That it didn't work for you for older versions is likely because you did not update all occurrences of the dependency-check plugin version. When I run with 7.1.1 your project passes the checks (it even passes if I only update all occurrences of the plugin in the parent, as that will trigger different versions of the plugin (the children run 7.1.2, the parent runs 7.1.1) and therefore different classloaders in Maven, which prevents the issue of #4765).

I recommend defining a version property in the parent, so that you upgrade it in all places with a single edit (with the added benefit that you are able to override it in Maven settings.xml or on the Maven command line to a more recent version of the plugin, as long as it is compatible with the plugin configuration, which will be the case most of the time).

martinlau commented 2 years ago

Ahh, well spotted. In my real project that's exactly what I have; it's only in this example that I duplicated it. My turn to apologise for the noise!

I'll keep an eye on #4765.

aikebah commented 2 years ago

Closing ticket as a duplicate.