error: org.owasp.dependencycheck.xml.pom.PomParseException for qdox:qdox:1.6.1:pom


mbw...@gmail.com

Apr 7, 2017, 4:05:56 PM
to Dependency Check
Hello,

I'm looking at running the maven dependency check plugin on an existing maven project. However, the plugin errors out with:

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:1.4.5:check (default-cli) on project owasp-dependency-check-test: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during dependency-check analysis
[ERROR] org.owasp.dependencycheck.xml.pom.PomParseException: org.owasp.dependencycheck.xml.pom.PomParseException: org.xml.sax.SAXParseException; lineNumber: 48; columnNumber: 33; The entity "oslash" was referenced, but not declared.

It doesn't like this pom from this dependency:
            <groupId>qdox</groupId>
            <artifactId>qdox</artifactId>
            <version>1.6.1</version>

Because it has this:
      <name>Aslak Helles&oslash;y</name>

And I'm guessing that the XML parser doesn't like this because &oslash; is not valid XML (although it is supported in HTML). Maven seems to be more forgiving and doesn't get upset with the bad XML during a normal build of the code; it seems like the dependency-check-maven plugin is less forgiving.

Is there any way to tell the plugin to completely ignore the dependency qdox:qdox:1.6.1:pom? Or some other way to get around this? (The pom is from maven central so we don't really have the option to easily change the pom.)

To reproduce you can just try to check this simple pom.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.github.mbw-ahc</groupId>
    <artifactId>owasp-dependency-check-test</artifactId>
    <packaging>jar</packaging>
    <version>1.0.0-SNAPSHOT</version>
    <dependencies>
        <dependency>
            <groupId>qdox</groupId>
            <artifactId>qdox</artifactId>
            <version>1.6.1</version>
        </dependency>
    </dependencies>
</project>

Then I ran
mvn org.owasp:dependency-check-maven:1.4.5:check

See output in output.txt attached

Maven version info:
Apache Maven 3.3.9 (bb52d8502b132ec0a5a3f4c09453c07478323dc5; 2015-11-10T11:41:47-05:00)
Maven home: D:\Programs\apache-maven-3.3.9
Java version: 1.8.0_112, vendor: Oracle Corporation
Java home: C:\Program Files\Java\jdk1.8.0_112\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 7", version: "6.1", arch: "amd64", family: "dos"

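As an added illustration (not code from this thread or from dependency-check), the following Python reproduces the failure on a constructed stand-in for the qdox pom fragment quoted above, and shows the pre-processing a lenient reader applies: rewriting HTML named entities such as &oslash; as numeric character references, which a strict XML parser accepts without any DTD. The pom text, entity table handling and function names are all assumptions made for the example.

```python
import html.entities
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the qdox:qdox:1.6.1 pom fragment quoted in the thread.
POM_WITH_HTML_ENTITY = """<?xml version="1.0" encoding="UTF-8"?>
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>qdox</groupId>
  <artifactId>qdox</artifactId>
  <version>1.6.1</version>
  <developers>
    <developer><name>Aslak Helles&oslash;y</name></developer>
  </developers>
</project>
"""

# XML predefines only these five entities; anything else needs a DTD declaration,
# which Maven poms never carry, so a strict parser rejects &oslash;.
XML_BUILTIN_ENTITIES = {"lt", "gt", "amp", "apos", "quot"}
_ENTITY_RE = re.compile(r"&([A-Za-z][A-Za-z0-9]*);")


def strict_parse_fails(pom_text):
    """True if a strict XML parser rejects the text, as dependency-check's did."""
    try:
        ET.fromstring(pom_text)
        return False
    except ET.ParseError:
        return True


def replace_html_entities(pom_text):
    """Rewrite HTML named entities (&oslash;) as numeric references (&#248;),
    which every XML parser accepts without a DTD. XML's own five entities and
    names not in the HTML table are left as-is so the parser still flags them."""
    def _sub(match):
        name = match.group(1)
        codepoint = html.entities.name2codepoint.get(name)
        if name in XML_BUILTIN_ENTITIES or codepoint is None:
            return match.group(0)
        return "&#%d;" % codepoint
    return _ENTITY_RE.sub(_sub, pom_text)


def developer_name(pom_text):
    """Sanitize, parse, and return the first developer name with the entity decoded."""
    root = ET.fromstring(replace_html_entities(pom_text))
    return root.findtext("./developers/developer/name")
```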

Jeremy Long

May 14, 2017, 5:41:53 PM
to Dependency Check
Thank you for the bug report. I have re-opened a defect ticket on github regarding this issue: https://github.com/jeremylong/DependencyCheck/issues/710

--Jeremy