Maven multi project build and check goal


Tamás Cservenák

Nov 22, 2017, 6:58:17 AM
to dependen...@googlegroups.com
Howdy,

re org.owasp:dependency-check-maven:3.0.2:check Maven plugin invocation...

My project has layout like this:
- parent
  - module A
  - ...
  - assemblies
    - distro/assembly pulling in module A among other deps

The above invocation reports in module
- A: "all fine" (no vulns)
- distro: that module A is vulnerable

Remarks:
- A is obviously falsely identified (see below)
- due to these false identifications, A is reported as vulnerable

Proposal:
IMHO, the distro dependency A, that is in-reactor module, should be left out from analysis.

I have not created a reproducer, but I think one can easily craft one (as I see it, it depends very much on the module A, B and C names / artifactIds. Using a name like "elasticsearch" for A, with project version 1.0, should do it -> it causes the A module in distro to be identified as "elasticsearch-1.0", and that IS vulnerable).

Here is an example (anonymized, not open project yet) output from my project:
elasticsearch-1.0.0-SNAPSHOT.jar (cpe:/a:id:id-software:1.0.0, cpe:/a:elasticsearch:elasticsearch:1.0.0, XXXXX:elasticsearch:1.0.0-SNAPSHOT) : CVE-2014-3120, CVE-2015-1427, CVE-2015-5531, CVE-2014-6439, CVE-2015-3337

As I see, due to module name (artifactId) it matches it with CPEs, and then finds problems. But IMHO, the module (in-reactor) should not be matched at all, as it is just being built, as part of reactor.

Am I missing something here?

Thanks,
Tamas
--
Thanks,
~t~

Jeremy Long

Nov 22, 2017, 7:05:52 AM
to Tamás Cservenák, dependen...@googlegroups.com
I disagree that modules in the reactor should be left out. I know of many cases where a team may have taken the source of a FOSS library and just included it in their build. Most of the time this is due to a minor change in the FOSS code or sometimes they just prefer to bring their own binaries. 

It is easy enough to create a suppression file for this - to mark your internal library/dependency as a FP that needs to be suppressed.

--Jeremy

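For readers who land on this thread with the same false positive, here is what the suppression file Jeremy refers to can look like for the case Tamás describes. This is an added example, not a file from either poster or from the dependency-check project; it uses the 1.1 suppression schema that dependency-check 3.0.x reads, and the groupId `com.example` stands in for the anonymized "XXXXX" in the original report (an assumption, since the real coordinates are not on the page). The `gav` selector restricts the rule to the in-reactor artifact, and the `cpe` entries name the two CPEs the scan assigned to it in the posted output, so only that module's misidentification is suppressed and a genuine Elasticsearch jar pulled in elsewhere would still be flagged.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- owasp-suppressions.xml: example suppression file (not from the thread or the project).
     Each <suppress> block applies its cpe/cve entries only to dependencies that match
     the selector (here: gav). Suppressing the CPE removes the identification itself,
     so every CVE that was attached through that CPE disappears with it. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <suppress>
    <notes><![CDATA[
      Reactor module "elasticsearch" (com.example is a constructed placeholder groupId).
      The artifactId collides with the Elasticsearch product name, so the CPE analyzer
      matched our own module to cpe:/a:elasticsearch:elasticsearch:1.0.0 and reported
      CVE-2014-3120, CVE-2015-1427, CVE-2015-5531, CVE-2014-6439, CVE-2015-3337.
      Scope the rule to our own coordinates, not to the product name alone.
    ]]></notes>
    <!-- regex on group:artifact:version so every SNAPSHOT/release of the module is covered -->
    <gav regex="true">^com\.example:elasticsearch:.*$</gav>
    <!-- CPEs shown in the posted report for this jar; matching is by prefix, no version -->
    <cpe>cpe:/a:elasticsearch:elasticsearch</cpe>
    <cpe>cpe:/a:id:id-software</cpe>
  </suppress>

</suppressions>
```

The file is wired in through the plugin's `suppressionFile` parameter, for example `<suppressionFile>${session.executionRootDirectory}/owasp-suppressions.xml</suppressionFile>` in the parent pom's `dependency-check-maven` configuration, so the same rules apply in every module of the reactor, including the distro assembly. Keeping the rule keyed on your own GAV rather than on the CPE alone is the point of the design: Jeremy's objection to blanket-excluding reactor modules is that a vendored copy of a FOSS library can legitimately carry the library's CVEs, and a GAV-scoped suppression leaves that detection intact.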

