
[Feature Request] Adding pom version to projectinfo section of the dependency check report #665

Closed
Prakhash opened this issue Feb 20, 2017 · 8 comments

Comments

@Prakhash
Contributor

Prakhash commented Feb 20, 2017

Hi all,

I would like to request a new feature for Dependency Check.

As shown below, Dependency Check currently provides only three elements in projectInfo. In addition to these, I wish to add the project version to the projectInfo section.

<projectInfo>
    <name>WSO2 Carbon - UI</name>
    <reportDate>2017-02-20T20:23:53.695+0530</reportDate>
    <credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo>

Like this:

 <projectInfo>
    <name>WSO2 Carbon - UI</name>
    <version>4.4.0</version>
    <reportDate>2017-02-20T20:23:53.695+0530</reportDate>
    <credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo>

This is really an essential requirement for people who are maintaining products with multiple versions. We create customized reports from the XML report generated by Dependency Check, so it is not practical to always go and edit the bulk HTML reports.

My Solution

For now, I have implemented this by forking the Dependency Check code and making the following changes. If this is an acceptable way of doing it, I can send a PR; otherwise, please recommend a way to do this.

  1. Introduced a new constructor as below in [1] with the applicationVersion included:

         public ReportGenerator(String applicationName, String applicationVersion, List<Dependency> dependencies, List<Analyzer> analyzers, DatabaseProperties properties) {
             // delegate to the existing constructor, then expose the version to the report templates
             this(applicationName, dependencies, analyzers, properties);
             context.put("pomVersion", applicationVersion);
         }

  2. Changed the invoking Maven method as below with the p.getVersion() attribute [2]:

         final ReportGenerator r = new ReportGenerator(p.getName(), p.getVersion(), engine.getDependencies(), engine.getAnalyzers(), prop);

  3. Changed the schema as in [3].

  4. Changed the XmlReport.vsl as in [4].

[1] https://github.com/Prakhash/DependencyCheck/blob/master/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java#L128

[2] https://github.com/Prakhash/DependencyCheck/blob/master/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java#L1049

[3] https://github.com/Prakhash/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd

[4] https://github.com/Prakhash/DependencyCheck/blob/master/dependency-check-core/src/main/resources/templates/XmlReport.vsl

Regards,
Prakhash

@stevespringett
Collaborator

I'll let Jeremy comment on the implementation, but I welcome the schema change proposed, as it fits in nicely with what Dependency Track is doing.

However, the agent, CLI, Ant and Gradle plugins should all be updated to take advantage of the change.

@jeremylong
Owner

This is something that could be used by any of the integrations that are truly baked into the build process; namely Maven, Gradle, and SBT. With each of these we would have the ability to grab the actual coordinates of the projects instead of just the version. What about instead of "version" we add the full coordinates?

@Prakhash
Contributor Author

Prakhash commented Feb 27, 2017

+1 for this idea. Any suggestions on what we need to include here (not all the coordinates are needed, I guess)? I can change the implementation I did for "version" and send a PR.

@Prakhash
Contributor Author

Prakhash commented Mar 6, 2017

Shall I implement this with project name, version, artifact ID and group ID?

@jeremylong
Owner

Sure, if you have time a PR to include this would be great. The one thing I'm wondering about though is with aggregate builds and the related dependencies section. Should the full GAV of the source be listed in each dependency object? Possibly even marked as direct vs. transitive?

Thoughts?
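The opening post's use case is post-processing the XML report into customized per-version reports, and the discussion above extends the proposal from a bare <version> element to the project's full Maven coordinates. The following Python is an added example (not code from Dependency Check or from anyone in this thread) of a consumer that reads projectInfo from such a report, tolerates reports written before the schema change (no version element), and indexes them by project name and version. The two sample reports are constructed, the xmlns URI is a placeholder, and the element names groupID and artifactID for the coordinates are an assumption about how the proposal would be serialised, not the project's schema.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample reports (not real Dependency-Check output). The default
# namespace URI is a placeholder; real reports carry their own schema URI.
REPORT_WITH_COORDINATES = """\
<analysis xmlns="urn:example:dependency-check">
  <projectInfo>
    <name>WSO2 Carbon - UI</name>
    <groupID>org.wso2.carbon</groupID>
    <artifactID>org.wso2.carbon.ui</artifactID>
    <version>4.4.0</version>
    <reportDate>2017-02-20T20:23:53.695+0530</reportDate>
    <credits>constructed sample</credits>
  </projectInfo>
  <dependencies/>
</analysis>
"""

# Shape of a report written before the schema change: no version at all.
REPORT_WITHOUT_VERSION = """\
<analysis>
  <projectInfo>
    <name>WSO2 Carbon - UI</name>
    <reportDate>2017-02-20T20:23:53.695+0530</reportDate>
    <credits>constructed sample</credits>
  </projectInfo>
  <dependencies/>
</analysis>
"""


@dataclass(frozen=True)
class ProjectInfo:
    name: str
    report_date: str
    version: Optional[str] = None      # None for pre-change reports
    group_id: Optional[str] = None     # assumed element name: groupID
    artifact_id: Optional[str] = None  # assumed element name: artifactID

    @property
    def coordinates(self) -> str:
        """Full GAV when all three parts are present, else name[:version]."""
        if self.group_id and self.artifact_id and self.version:
            return f"{self.group_id}:{self.artifact_id}:{self.version}"
        return f"{self.name}:{self.version}" if self.version else self.name


def _local(tag: str) -> str:
    """'{uri}local' -> 'local', so namespaced and plain reports parse alike."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> Optional[str]:
    for child in elem:
        if _local(child.tag) == name:
            text = (child.text or "").strip()
            return text or None
    return None


def parse_project_info(xml_text: str) -> ProjectInfo:
    # A report is untrusted input once it leaves the build: stdlib expat does
    # not fetch external entities, but it still expands internal ones, so
    # refuse any document that declares a DTD (defusedxml is the stricter
    # choice where it is available).
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("refusing report with DTD/entity declarations")
    root = ET.fromstring(xml_text)
    info = next((e for e in root.iter() if _local(e.tag) == "projectInfo"), None)
    if info is None:
        raise ValueError("report has no projectInfo element")
    name = _child_text(info, "name")
    date = _child_text(info, "reportDate")
    if name is None or date is None:
        raise ValueError("projectInfo lacks name or reportDate")
    return ProjectInfo(
        name=name,
        report_date=date,
        version=_child_text(info, "version"),
        group_id=_child_text(info, "groupID"),
        artifact_id=_child_text(info, "artifactID"),
    )


UNVERSIONED = "unversioned"


def index_by_version(reports: List[str]) -> Dict[str, Dict[str, ProjectInfo]]:
    """Group reports as {project name: {version: info}}. Reports that predate
    the schema change land under UNVERSIONED so they are never mistaken for
    a specific release."""
    index: Dict[str, Dict[str, ProjectInfo]] = {}
    for text in reports:
        info = parse_project_info(text)
        index.setdefault(info.name, {})[info.version or UNVERSIONED] = info
    return index


if __name__ == "__main__":
    for name, versions in index_by_version([REPORT_WITH_COORDINATES, REPORT_WITHOUT_VERSION]).items():
        for ver, info in versions.items():
            print(f"{name} [{ver}] -> {info.coordinates} ({info.report_date})")
```

The point of the UNVERSIONED bucket is the one the opening post makes: without a version in the report, two scans of different releases of the same product are indistinguishable, and a consumer should surface that rather than silently merge them.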

@jeremylong
Owner

This update was added for Maven. However, we still need to update the gradle plugin.

@Prakhash
Contributor Author

Prakhash commented May 6, 2017

Thanks Jeremy. I will start working on it as soon as possible

@lock

lock bot commented Sep 27, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
