maven plugin should look at more than just java dependencies

[aw-was-here]

It would appear that if a maven project has more than just Java bits, the dependency check plugin doesn't take those extra parts into consideration.

For example, Apache Hadoop has a package.json that doesn't seem to be getting found despite being in a directory that is part of the (default) scan set.

This is obviously bad for two reasons:

a) To get a complete audit, one is running both the maven plugin and the standalone version on a source tree, doubling the amount of time/resources required
b) Users may be led into a false sense of security because they may believe the maven plugin is actually checking everything.

[stevespringett]

The Maven plugin defaults to using standard Maven conventions and scans files in:

• src/main/resources
• src/main/filters
• src/main/webapp

If package.json is located in one of these directories, it will be scanned. If the file is outside the directories defined by Maven conventions, you can use the scanSet parameter to specify the directories you want to scan.

Refer to https://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html

I did a quick scan of hadoop-yarn-ui using the following command:

mvn org.owasp:dependency-check-maven:3.3.0:check

and it did find 4 vulnerable Node components using the built-in NSP Analyzer.

[aw-was-here]

Hmm. I've been using :aggregate and it definitely does not report on any of the Node components. Running :check does.

Maybe I misunderstood what aggregate does. My goal is to get one report for the entirety of the project. If it isn't actually running through all of the modules, that's less than helpful. :(

[jeremylong]

This is a bit if an oversight and I'm glad you reported it. The intent is that the aggregate goal would scan the standard directories - but I can guarantee that right now it does not. As you have seen, the aggregate goal only scans dependencies defined in the pom.xml.

[jeremylong]

@aw-was-here is there any chance the project is available on github? If not - can you tell us the project layout for the maven build and where the package.json exists?

[aw-was-here]

Awesome, thanks!

Yes, it's definitely on github: https://github.com/apache/hadoop

It's a large project that has lots of stuff in it: java, python, node.js, cmake, ... so it's been a great test bed as we write support for dependency check into Apache Yetus (https://github.com/apache/yetus), another ASF project that is focused on build and release tooling.

[aw-was-here]

I tested the patch on my machine and it is now showing the node.js vulnerabilities. Great!

[stevespringett]

@aw-was-here Good catch. Thanks for reporting. I've reviewed Jeremy's patch and it looks correct, so I think the next release should fix this issue.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.