[JIRA] (WTOOL-74) Introduce OWASP Dependency Check using dependency-check-maven plugin

[Stefan Seifert (JIRA)]

Stefan Seifert created WTOOL-74:
-----------------------------------

Summary: Introduce OWASP Dependency Check using dependency-check-maven plugin
Key: WTOOL-74
URL: https://wcm-io.atlassian.net/browse/WTOOL-74
Project: wcm.io Tooling
Issue Type: Task
Components: Maven
Reporter: Stefan Seifert
Priority: Minor


as proposed by [~accountid:557058:f5965e95-7a1a-4775-9001-be94a80bef00] we should introduce the [dependency-check-maven|https://jeremylong.github.io/DependencyCheck/dependency-check-maven/] plugin into our builds, ideally for all wcm.io modules.

it scans poth Maven and NPM dependencies and reports known vulnerabilities.



--
This message was sent by Atlassian Jira
(v1001.0.0-SNAPSHOT#100159)

[Stefan Seifert (JIRA)]

[ https://wcm-io.atlassian.net/browse/WTOOL-74?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21313#comment-21313 ]

Stefan Seifert commented on WTOOL-74:
-------------------------------------

[~accountid:557058:f5965e95-7a1a-4775-9001-be94a80bef00] this is a good idea and played around with it a bit in a [branch|https://github.com/wcm-io/wcm-io-tooling/tree/feature/WTOOL-74-dependency-check-maven], i have some detail questions about the best way to integrate it:

# the first run with it takes very long time, it seems a local database with signatures to check against is build up. further runs are much faster. how does this work out in CI builds e.g. in github actions? do we need to apply special caching rules to not delay every CI build by a long time?
# even when excluding provided and runtime scope we get lots of vulnerability reports about outdated sling, commons etc. dependencies we compile against (because we are compatible down to AEM 6.4), but which are never used at runtime with a properly set up AEM instance. do we have to exclude those all manually (it’s a [long list|https://wcm.io/tooling/maven/aem-dependencies.html]), do you have a recommendation?

> Introduce OWASP Dependency Check using dependency-check-maven plugin

> --------------------------------------------------------------------

[Konrad Windszus (JIRA)]

[ https://wcm-io.atlassian.net/browse/WTOOL-74?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21316#comment-21316 ]

Konrad Windszus commented on WTOOL-74:
--------------------------------------

# We only run those checks in CI builds (with dedicated Maven profiles). For GitHub actions you can leverage [https://docs.github.com/en/actions/guides/caching-dependencies-to-speed-up-workflows|https://docs.github.com/en/actions/guides/caching-dependencies-to-speed-up-workflows] as the database is stored in the Maven repository.
# As long as every dependency which is provided by AEM at runtime is referenced as “provided” this works fine. We use it in projects which import [https://github.com/wcm-io/wcm-io-tooling-aem-cloud-dependencies/blob/develop/pom.xml|https://github.com/wcm-io/wcm-io-tooling-aem-cloud-dependencies/blob/develop/pom.xml|smart-link] as well. Do you have some examples of dependencies being reported which are not embedded?

[Stefan Seifert (JIRA)]

[ https://wcm-io.atlassian.net/browse/WTOOL-74?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21317#comment-21317 ]

Stefan Seifert commented on WTOOL-74:
-------------------------------------

for 1: good point it’s stored in maven repo, than we should have the proper caching rules already in place

for 2: for example in [https://github.com/wcm-io/wcm-io-caconfig/tree/develop/editor/bundle|https://github.com/wcm-io/wcm-io-caconfig/tree/develop/editor/bundle|smart-link]

the point is, we have always some compile dependencies for 3rdparty bundles that ship with AEM that are not part of the uber JAR/aem-sdk JAR. defined those with compile scope this is not required for OSGi, but important for unit testing. if we would set those dependencies only to “provided” users that use those bundles in their projects would need to add the dependencies themselves with test scope for unit test involving those bundles. maybe the actual project listed above has some dependencies we can get rid off after raising the min. AEM version to 6.4, but still i assume there will be some leftovers we need to suppress manually as we only compile against them, but not actually ship them.

[Konrad Windszus (JIRA)]

[ https://wcm-io.atlassian.net/browse/WTOOL-74?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21318#comment-21318 ]

Konrad Windszus commented on WTOOL-74:
--------------------------------------

Transitive dependencies are indeed an issue with unit testing when using “provided” scope. I don’t have a better solution, though. I think none of the other dependency elements ([https://maven.apache.org/pom.html#Dependencies|https://maven.apache.org/pom.html#Dependencies|smart-link] ) can be leveraged to distinguish between dependencies which are embedded/internalized vs. dependencies which are referenced externally.

> Introduce OWASP Dependency Check using dependency-check-maven plugin
> --------------------------------------------------------------------
>
> Key: WTOOL-74
> URL: https://wcm-io.atlassian.net/browse/WTOOL-74
> Project: wcm.io Tooling
> Issue Type: Task
> Components: Maven
> Reporter: Stefan Seifert
> Priority: Minor
>
> as proposed by [~accountid:557058:f5965e95-7a1a-4775-9001-be94a80bef00] we should introduce the [dependency-check-maven|https://jeremylong.github.io/DependencyCheck/dependency-check-maven/] plugin into our builds, ideally for all wcm.io modules.
> it scans poth Maven and NPM dependencies and reports known vulnerabilities.



--
This message was sent by Atlassian Jira

(v1001.0.0-SNAPSHOT#100160)

[Konrad Windszus (JIRA)]

[ https://wcm-io.atlassian.net/browse/WTOOL-74?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21318#comment-21318 ]

Konrad Windszus edited comment on WTOOL-74 at 5/13/21 12:04 PM:
----------------------------------------------------------------

Transitive dependencies are indeed an issue with unit testing when using “provided” scope. I don’t have a better solution, though. I think none of the other dependency elements ([https://maven.apache.org/pom.html#Dependencies|https://maven.apache.org/pom.html#Dependencies|smart-link] ) can be leveraged to distinguish between dependencies which are embedded/internalized vs. dependencies which are referenced externally.

Still I would argue that {{ provided }} is semantically the right scope (although it is not transitive). The reference at [https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#dependency-scope|https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#dependency-scope|smart-link] talks about Servlet API which has a similar limitations when it comes to testing. That dependency also need to be explicitly referenced by consumer even if only used in transitive code of unit tests…

Maven is probably lacking a {{ provided }} scope which still is transitive\!


was (Author: kwin):

[Konrad Windszus (JIRA)]

[ https://wcm-io.atlassian.net/browse/WTOOL-74?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21318#comment-21318 ]

Konrad Windszus edited comment on WTOOL-74 at 5/13/21 12:07 PM:

----------------------------------------------------------------

Transitive dependencies are indeed an issue with unit testing when using “provided” scope. I don’t have a better solution, though. I think none of the other dependency elements ([https://maven.apache.org/pom.html#Dependencies|https://maven.apache.org/pom.html#Dependencies|smart-link] ) can be leveraged to distinguish between dependencies which are embedded/internalized vs. dependencies which are referenced externally.

Still I would argue that {{ provided }} is semantically the right scope (although it is not transitive). The reference at [https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#dependency-scope|https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#dependency-scope|smart-link] talks about Servlet API which has a similar limitations when it comes to testing. That dependency also need to be explicitly referenced by consumer even if only used in transitive code of unit tests…

Maven is probably lacking a {{ provided }} scope which still is transitive ([https://issues.apache.org/jira/browse/MNG-2205|https://issues.apache.org/jira/browse/MNG-2205])

[Stefan Seifert (JIRA)]

[ https://wcm-io.atlassian.net/browse/WTOOL-74?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21325#comment-21325 ]

Stefan Seifert commented on WTOOL-74:
-------------------------------------

i’ve introduces the plugin in general for all wcm.io modules (not enabled by default) in
[https://github.com/wcm-io/wcm-io-tooling/commit/306351ae7cb2ca0a5bb5da4747e08072174f2e4e|https://github.com/wcm-io/wcm-io-tooling/commit/306351ae7cb2ca0a5bb5da4747e08072174f2e4e|smart-link]

and activated it for the caconfig editor (after cleaning up it’s dependencies a bit):
[https://github.com/wcm-io/wcm-io-caconfig/commit/2b8ffd3a2db7159a1a53891ed3392517124ac073|https://github.com/wcm-io/wcm-io-caconfig/commit/2b8ffd3a2db7159a1a53891ed3392517124ac073|smart-link]

with this it’s easy to activate it for further modules later.

> Introduce OWASP Dependency Check using dependency-check-maven plugin
> --------------------------------------------------------------------
>
> Key: WTOOL-74
> URL: https://wcm-io.atlassian.net/browse/WTOOL-74
> Project: wcm.io Tooling
> Issue Type: Task
> Components: Maven
> Reporter: Stefan Seifert
> Priority: Minor
>
> as proposed by [~accountid:557058:f5965e95-7a1a-4775-9001-be94a80bef00] we should introduce the [dependency-check-maven|https://jeremylong.github.io/DependencyCheck/dependency-check-maven/] plugin into our builds, ideally for all wcm.io modules.
> it scans poth Maven and NPM dependencies and reports known vulnerabilities.



--
This message was sent by Atlassian Jira

(v1001.0.0-SNAPSHOT#100165)

[Stefan Seifert (JIRA)]

[ https://wcm-io.atlassian.net/browse/WTOOL-74?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seifert closed WTOOL-74.
-------------------------------
Resolution: Fixed