jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Issue with OWASP Dependency Check Plugin Configuration in Multi-Module Maven Project #6697

Open xiezhx9 opened 4 months ago

xiezhx9 commented 4 months ago

I am working on a multi-module Maven project and I would like to ensure that the configuration for the OWASP Dependency Check Plugin is correctly used by all modules in my project.

I have added the following plugin configuration to the parent POM file, with the intention that it will be applied to all child modules:

<project>  
  <properties>  
    <dependency-check-maven.version>9.2.0</dependency-check-maven.version>  
  </properties>  

  <build>  
    <plugins>  
      <plugin>  
        <groupId>org.owasp</groupId>  
        <artifactId>dependency-check-maven</artifactId>  
        <version>${dependency-check-maven.version}</version>  
        <executions>  
          <execution>  
            <goals>  
              <goal>aggregate</goal>   
            </goals>  
          </execution>  
        </executions>  
        <configuration>  
          <suppressionFiles>  
            <suppressionFile>src/owasp-dependency-check-suppressions.xml</suppressionFile>  
          </suppressionFiles>  
          <failBuildOnCVSS>7</failBuildOnCVSS>  
          <msbuildAnalyzerEnabled>false</msbuildAnalyzerEnabled>  
          <nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>  
          <yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled>  
          <pyDistributionAnalyzerEnabled>false</pyDistributionAnalyzerEnabled>  
          <pyPackageAnalyzerEnabled>false</pyPackageAnalyzerEnabled>  
          <pipAnalyzerEnabled>false</pipAnalyzerEnabled>  
          <pipfileAnalyzerEnabled>false</pipfileAnalyzerEnabled>  
          <retireJsAnalyzerEnabled>false</retireJsAnalyzerEnabled>  
          <mixAuditAnalyzerEnabled>false</mixAuditAnalyzerEnabled>  
          <nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>  
          <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>  
          <skipSystemScope>true</skipSystemScope>  
        </configuration>  
      </plugin>  
    </plugins>  
  </build>  

  <reporting>  
    <plugins>  
      <plugin>  
        <groupId>org.owasp</groupId>  
        <artifactId>dependency-check-maven</artifactId>  
        <version>${dependency-check-maven.version}</version>  
        <reportSets>  
          <reportSet>  
            <reports>  
              <report>aggregate</report>  
            </reports>  
          </reportSet>  
        </reportSets>  
      </plugin>  
    </plugins>  
  </reporting>  
</project>

My main questions are:

  1. Does the configuration specified in the parent POM automatically apply to all child modules in a multi-module Maven project?
  2. If not, is there any issue with the configuration I've mentioned above?

Furthermore, after adding the following pom.xml configuration, I noticed that the OWASP Dependency Check Plugin is downloading NVD (National Vulnerability Database) information for each module during the build process, which significantly slows it down.

<!-- skip maven source plugin due to
     Error: Failed to execute goal org.apache.maven.plugins:maven-source-plugin:3.3.0:jar-no-fork (attach-sources) on project buildtools:
     Presumably you have configured maven-source-plugin to execute twice times in your build.
     You have to configure a classifier for at least on of them.
-->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-source-plugin</artifactId>
  <configuration>
    <skipSource>true</skipSource>
  </configuration>
</plugin>

jeremylong commented 4 months ago

With the setup specified ODC would run too many times - once with the specified configuration and once without. You can either put the plugin into the build/plugins or in the reporting - don't do both.

Regarding it re-running on each child module - you likely want to specify <inherited>false</inherited>.

xiezhx9 commented 4 months ago

Thank you for your response.

Additionally, I would like to ask whether using <inherited>false</inherited> in the parent POM is a recommended configuration.

jeremylong commented 4 months ago

If you are running the aggregate goal - most of the time you would want <inherited>false</inherited>.
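
The two pitfalls named in the replies above (the plugin declared under both build/plugins and reporting, and an aggregate execution that child modules inherit) can be checked mechanically before a build is run. The script below is an added example, not code from the dependency-check project or from either participant: a small lint over a parent POM using only the standard library. The two embedded POMs are constructed samples that mirror the shape of the reporter's configuration and its corrected form; they are not the reporter's files. It assumes Maven's documented default that an absent <inherited> element means true, and treats <inherited>false</inherited> at either the plugin or the execution level as sufficient for the aggregate execution.

```python
"""Lint a Maven parent POM for two dependency-check-maven pitfalls.

Added example, not part of the dependency-check project.
  1. plugin declared under both <build> and <reporting>: ODC runs twice,
     once with the configured settings and once without;
  2. an `aggregate` execution inherited by child modules: the goal re-runs
     (and re-downloads NVD data) in every module instead of once.
"""
import xml.etree.ElementTree as ET

ODC_GROUP = "org.owasp"
ODC_ARTIFACT = "dependency-check-maven"


def _strip_ns(root: ET.Element) -> ET.Element:
    """Drop the POM default namespace so plain tag names work in XPath."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _is_odc(plugin: ET.Element) -> bool:
    return (plugin.findtext("groupId", "").strip() == ODC_GROUP
            and plugin.findtext("artifactId", "").strip() == ODC_ARTIFACT)


def _inherited(el: ET.Element) -> bool:
    """Maven defaults <inherited> to true when the element is absent (assumption stated in lead-in)."""
    return el.findtext("inherited", "true").strip().lower() != "false"


def lint_parent_pom(pom_xml: str) -> list[str]:
    """Return findings for a parent POM; an empty list means no pitfall found."""
    root = _strip_ns(ET.fromstring(pom_xml))
    findings: list[str] = []
    build_odc = [p for p in root.findall("./build/plugins/plugin") if _is_odc(p)]
    report_odc = [p for p in root.findall("./reporting/plugins/plugin") if _is_odc(p)]
    if build_odc and report_odc:
        findings.append("double-run: plugin declared in both <build> and <reporting>")
    for plugin in build_odc:
        for execution in plugin.findall("./executions/execution"):
            goals = {g.text.strip() for g in execution.findall("./goals/goal") if g.text}
            if "aggregate" in goals and _inherited(plugin) and _inherited(execution):
                findings.append("aggregate execution inherited by child modules: "
                                "add <inherited>false</inherited>")
    return findings


# Constructed sample: same shape as the configuration in the issue (both sections, no <inherited>).
PROBLEM_POM = """<project>
  <build><plugins><plugin>
    <groupId>org.owasp</groupId><artifactId>dependency-check-maven</artifactId>
    <version>9.2.0</version>
    <executions><execution><goals><goal>aggregate</goal></goals></execution></executions>
    <configuration><failBuildOnCVSS>7</failBuildOnCVSS></configuration>
  </plugin></plugins></build>
  <reporting><plugins><plugin>
    <groupId>org.owasp</groupId><artifactId>dependency-check-maven</artifactId>
    <version>9.2.0</version>
    <reportSets><reportSet><reports><report>aggregate</report></reports></reportSet></reportSets>
  </plugin></plugins></reporting>
</project>"""

# Constructed sample of the corrected form: build section only, <inherited>false</inherited>,
# with the real POM namespace to show that the lint handles it.
FIXED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins><plugin>
    <groupId>org.owasp</groupId><artifactId>dependency-check-maven</artifactId>
    <version>9.2.0</version>
    <inherited>false</inherited>
    <executions><execution><goals><goal>aggregate</goal></goals></execution></executions>
    <configuration><failBuildOnCVSS>7</failBuildOnCVSS></configuration>
  </plugin></plugins></build>
</project>"""


if __name__ == "__main__":
    for name, pom in (("problem", PROBLEM_POM), ("fixed", FIXED_POM)):
        print(name, lint_parent_pom(pom) or ["ok"])
```

Run against a real parent POM with `lint_parent_pom(open("pom.xml").read())`; the check is purely structural, so it does not replace `mvn help:effective-pom` for seeing what each child actually inherits, but it catches both mistakes before the NVD download is triggered once per module.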