jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

dependency-check-maven should support Maven's -o option #5688

Open dhoffer opened 1 year ago

dhoffer commented 1 year ago

Describe the bug

I am using dependency-check-maven in a large multi-module build; actually, in this case it's a software library build so it has lots of sub-builds, but I don't think that is relevant.

The problem is that in Maven, when you're in development and making code and dependency changes, it's that local code that I want dependency-check-maven to scan. We use a Maven corporate repository (Artifactory) that the builds are published to, as is standard in the Maven build world.

The problem with the plugin is that if run in online mode, e.g. mvn -Powasp-scan clean verify

where owasp-scan is our profile that enables dependency-check-maven it will often download a SNAPSHOT from Artifactory which is the old one w/o the CVE fixes. We need dependency-check-maven to only scan that which is local on the build system. The standard way to do this in Maven is to run the build offline, e.g. mvn -o -Powasp-scan clean verify

But now I get this message from dependency-check-maven:

[WARNING] Goal aggregate requires online mode for execution but Maven is currently offline, skipping

So now I have a chicken & egg problem. I can't generate reports of the new code only.

Why does dependency-check-maven require online? Yes it will have/require Internet access so that the dependency-check-maven can update its CVE data sources but it should not require that Maven must connect to Artifactory and download old SNAPSHOTS.

Version of dependency-check used

The problem occurs using version 8.2.1 of the Maven plugin.

dhoffer commented 1 year ago

Actually, the large multi-module software library build might be relevant, as the key is that there are several Maven builds going on, each with its own Maven reactor build, where each build is free to use any of the other software library components, so they will always be referenced from the local .m2 repo, which is good...or if online it will consult Artifactory, and that is what we don't want; -o is the standard way of telling Maven to just use what you already have in the .m2 repo.

aikebah commented 1 year ago

If you have a maven multimodule build the aggregate goal is supposed to be signalling that it will use (despite downloading 'up-to-date' snapshots from the Artifactory) the in-reactor pom as the source for establishing dependency versions of any in-reactor snapshot dependencies

dhoffer commented 1 year ago

@aikebah What I was trying to say is that each of the multimodule Maven builds reference other Maven artifacts that are in completely separate Maven builds. E.g. let me describe it a different way. We have 10 large applications that each have their own Maven build. Then we also have a component library that has 20 components that are shared both between the components and the 10 applications. The dependency-check-maven works fine for the in-reactor builds as it knows what is in those builds...but where the dependency-check-maven breaks down is when building any of the applications and any of the components that reference components not in the current 'in-reactor' build. That is why Maven has the -o flag (or at least one of the reasons) so one can tell Maven build against what I have locally and ignore Artifactory. But for some reason then the dependency-check-maven won't even generate a report.

dhoffer commented 1 year ago

So with the current dependency-check-maven behavior (no -o support) I basically have to generate the aggregate report of each component and of each application and then manually figure out which CVE(s) are coming from components not in the current 'in-reactor' build and ignore all of those as they are not correct...as they may be reporting based on what is in Artifactory and not the local changes. That is a tedious process. I'm just asking that dependency-check-maven add support for the standard Maven -o option so Maven can work offline as well as online.

aikebah commented 1 year ago

As an introductory note: I do think it would be beneficial to add 'run in offline mode' capabilities, but that should then be implemented in a proper way (and leave you without the online resources, using only offline vulnerability data, as the Maven offline mode is meant to run Maven without using network connectivity).

Having said that, regarding your case of:

The problem is that in Maven, when you're in development and making code and dependency changes, it's that local code that I want dependency-check-maven to scan. We use a Maven corporate repository (Artifactory) that the builds are published to, as is standard in the Maven build world.

The problem with the plugin is that if run in online mode, e.g. mvn -Powasp-scan clean verify

where owasp-scan is our profile that enables dependency-check-maven it will often download a SNAPSHOT from Artifactory which is the old one w/o the CVE fixes. We need dependency-check-maven to only scan that which is local on the build system. The standard way to do this in Maven is to run the build offline, e.g. mvn -o -Powasp-scan clean verify

should only happen if the snapshot in Artifactory is more recent than your locally installed snapshot (likely because you have local edits in the project not committed to version control, and CI automation mvn deploy-ed a new snapshot build to Artifactory with the 'old' dependencies).
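To see which snapshot resolution would pick in the situation aikebah describes, a developer can compare the lastUpdated stamps Maven records in ~/.m2. The following is an added, illustrative Python check, not code from the project or the thread; it assumes the simplified rule that the metadata with the newer lastUpdated wins, and the two metadata documents are constructed samples rather than real files.

```python
"""Compare a local-copy snapshot with a cached remote snapshot to see
which one Maven would treat as most recent (simplified model)."""
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample of ~/.m2/.../1.4.0-SNAPSHOT/maven-metadata-local.xml
# as written by a local `mvn install` at 10:15 UTC.
LOCAL_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<metadata modelVersion="1.1.0">
  <groupId>com.example</groupId>
  <artifactId>shared-component</artifactId>
  <version>1.4.0-SNAPSHOT</version>
  <versioning>
    <snapshot><localCopy>true</localCopy></snapshot>
    <lastUpdated>20230615101500</lastUpdated>
  </versioning>
</metadata>"""

# Constructed sample of maven-metadata-artifactory.xml cached from the
# corporate repository: CI deployed a build at 12:00 UTC, later than the
# local install, so it would win even if it lacks the local edits.
REMOTE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<metadata modelVersion="1.1.0">
  <groupId>com.example</groupId>
  <artifactId>shared-component</artifactId>
  <version>1.4.0-SNAPSHOT</version>
  <versioning>
    <snapshot><timestamp>20230615.120000</timestamp><buildNumber>42</buildNumber></snapshot>
    <lastUpdated>20230615120000</lastUpdated>
  </versioning>
</metadata>"""


def parse_last_updated(xml_text: str) -> datetime:
    """Return <versioning>/<lastUpdated> (yyyyMMddHHmmss, UTC) as a datetime."""
    root = ET.fromstring(xml_text)
    stamp = root.findtext("./versioning/lastUpdated")
    if stamp is None:
        raise ValueError("metadata has no <lastUpdated> element")
    return datetime.strptime(stamp, "%Y%m%d%H%M%S")


def preferred_snapshot(local_xml: str, remote_xml: str) -> str:
    """Return 'remote' if the cached remote snapshot is newer than the local
    copy (so a scan would see the Artifactory jar, not local edits), else 'local'."""
    local_ts = parse_last_updated(local_xml)
    remote_ts = parse_last_updated(remote_xml)
    return "remote" if remote_ts > local_ts else "local"
```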