OWASP Dependency Check: adding the modelVersion to the dependency-check report

Date: 2017-02-20 04:21:39

Tags: maven maven-plugin owasp

I am using the OWASP Dependency Check Maven plugin in a multi-module project.

Currently, the XML report produced by dependency-check only contains the following information, which does not include the version of the "component" we are scanning.

Is there any way to include it in the report we generate? (In this case it would be parent.version.)

<projectInfo>
    <name>Component</name>
    <reportDate>2017-02-17T15:57:38.041+0530</reportDate>
    <credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo>

Adding the pom.xml file here:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <parent>
        <groupId>org.comp.carb</groupId>
        <artifactId>carb-parent</artifactId>
        <version>4.4.12</version>
        <relativePath>../parent/pom.xml</relativePath>
    </parent>

    <modelVersion>4.0.0</modelVersion>
    <artifactId>carb-kernel</artifactId>
    <packaging>pom</packaging>
    <name>comp carb - Parent Maven Project</name>
    <description>carb-parent</description>
    <url>http://comp.org</url>

    <licenses>
        <license>
            <name>Apache License Version 2.0</name>
            <url>http://www.apache.org/licenses/LICENSE-2.0</url>
        </license>
    </licenses>

    <organization>
        <name>comp Inc</name>
        <url>http://comp.com</url>
    </organization>

    <issueManagement>
        <system>JIRA</system>
        <url>https://comp.org/jira/browse/carb</url>
    </issueManagement>

    <mailingLists>
        <mailingList>
            <name>comp carb Developers' List</name>
            <post>mailto:carb-dev@comp.org</post>
            <archive>http://www.comp.org/mailarchive/carb-dev/</archive>
            <subscribe>mailto:carb-dev-request@comp.org?subject=subscribe</subscribe>
            <unsubscribe>mailto:carb-dev-request@comp.org?subject=unsubscribe</unsubscribe>
        </mailingList>
        <mailingList>
            <name>comp Architecture List</name>
            <post>mailto:architecture@comp.org</post>
            <archive>http://comp.org/mailarchive/architecture/</archive>
            <subscribe>mailto:architecture-request@comp.org?subject=subscribe</subscribe>
            <unsubscribe>mailto:architecture-request@comp.org?subject=unsubscribe</unsubscribe>
        </mailingList>
    </mailingLists>


    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-resources-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.felix</groupId>
                <artifactId>maven-scr-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>1.4.4.1</version>
                <executions>
                    <execution>
                        <phase>test</phase>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <!-- UNCOMMENT BELOW TAG TO FAIL BUILD ON HIGH+ ISSUE -->
                    <!-- <failBuildOnCVSS>7</failBuildOnCVSS> -->
                    <format>ALL</format>
                    <outputDirectory>${project.build.directory}/security</outputDirectory>
                    <suppressionFile>/home/prakhash/Downloads/MavenBasedSecurityAutomation/carb-kernel/core/org.comp.carb.ui/supress.xml</suppressionFile>
                    <hintsFile>https://raw.githubusercontent.com/ayomawdb/dependencycheck-rules-test/master/global-dependencycheck-hints.xml</hintsFile>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>xml-maven-plugin</artifactId>
                <version>1.0.1</version>
                <executions>
                    <execution>
                        <phase>package</phase>
                        <goals>
                            <goal>transform</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <transformationSets>
                        <transformationSet>
                            <dir>${project.build.directory}/security</dir>
                            <outputDir>${project.build.directory}/security</outputDir>
                            <stylesheet>/home/prakhash/compProducts/DependencyCheck/dependency.xsl</stylesheet>
                             <parameters>
                                <parameter>
                                  <name>MyParam</name>
                                  <value>test</value>
                                </parameter>
                              </parameters>
                            <includes>dependency-check-report.xml</includes>
                            <fileMappers>
                                <fileMapper implementation="org.codehaus.plexus.components.io.filemappers.FileExtensionMapper">
                                    <targetExtension>.html</targetExtension>
                                </fileMapper>
                            </fileMappers>
                        </transformationSet>
                    </transformationSets>
                </configuration>
            </plugin>
        </plugins>
        <testResources>
            <testResource>
                <directory>
                    ${basedir}/../../distribution/kernel/carb-home/lib/core/WEB-INF/classes/
                </directory>
                <includes>
                    <include>log4j.properties</include>
                </includes>
            </testResource>
            <testResource>
                <directory>src/main/java</directory>
                <includes>
                    <include>**/*.xml</include>
                </includes>
            </testResource>
            <testResource>
                <directory>src/test/resources</directory>
                <includes>
                    <include>**/*.xml</include>
                    <include>**/*.properties</include>
                </includes>
            </testResource>
        </testResources>
    </build>

    <modules>
        <module>javax.cache</module>
        <module>org.comp.carb.tomcat</module>
        <module>org.comp.carb.tomcat.ext</module>
        <module>org.comp.carb.registry.api</module>
    </modules>
</project>

1 answer:

Answer 0 (score: 1)

I checked the source code of dependency-check-maven and, unfortunately, there is no component version information. See the following xsd fragment from the source code:

<xs:element name="projectInfo">
    <xs:complexType>
        <xs:sequence>
            <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
            <xs:element name="reportDate" type="xs:string" minOccurs="1" maxOccurs="1" />
            <xs:element name="credits" type="xs:string" minOccurs="1" maxOccurs="1" />
        </xs:sequence>
    </xs:complexType>
</xs:element>

However, when generating the mvn site it has the full context, including the component version. Logically, that is what you actually do when generating the report. The XML report is not meant for human consumption.

If you think this is a valid requirement for you, you can raise an enhancement request.
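An added workaround, not part of the question or the answer above: since the report schema has no slot for the version, inject it at the xml-maven-plugin transformation step that the pom already runs. In the pom's `<parameters>` block, replace the `MyParam`/`test` entry with the name `componentVersion` and the value `${project.parent.version}`; xml-maven-plugin hands every entry in that block to the stylesheet as an XSLT parameter. The stylesheet below is a hypothetical `dependency.xsl` written for this example (the page does not show the real one). It reads that parameter into the page header and then lists every dependency that has findings. It matches elements by local name so it does not depend on the report's namespace URI; the element names `fileName`, `vulnerabilities`, `vulnerability`, `name` and `cvssScore` are those of the dependency-check 1.x XML report and are assumed here rather than verified against this exact plugin version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example stylesheet for the xml-maven-plugin transformationSet shown in the pom.
     It is not the project's own dependency.xsl. -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html" indent="yes"/>

  <!-- Supplied by xml-maven-plugin's <parameters>; the name is an assumption.
       The default value shows in the page if the parameter was not passed,
       which makes a misconfigured pom visible instead of silent. -->
  <xsl:param name="componentVersion" select="'VERSION-NOT-SET'"/>

  <xsl:template match="/">
    <html>
      <body>
        <h1>
          <xsl:value-of select="//*[local-name()='projectInfo']/*[local-name()='name']"/>
          <xsl:text> </xsl:text>
          <xsl:value-of select="$componentVersion"/>
        </h1>
        <p>
          <xsl:text>Report date: </xsl:text>
          <xsl:value-of select="//*[local-name()='projectInfo']/*[local-name()='reportDate']"/>
        </p>
        <table border="1">
          <tr><th>Dependency</th><th>CVE</th><th>CVSS</th></tr>
          <!-- Only dependencies that carry a vulnerabilities block are listed;
               element names follow the dependency-check 1.x report (assumed). -->
          <xsl:for-each select="//*[local-name()='dependency'][*[local-name()='vulnerabilities']]">
            <xsl:variable name="file" select="*[local-name()='fileName']"/>
            <xsl:for-each select="*[local-name()='vulnerabilities']/*[local-name()='vulnerability']">
              <tr>
                <td><xsl:value-of select="$file"/></td>
                <td><xsl:value-of select="*[local-name()='name']"/></td>
                <td><xsl:value-of select="*[local-name()='cvssScore']"/></td>
              </tr>
            </xsl:for-each>
          </xsl:for-each>
        </table>
      </body>
    </html>
  </xsl:template>
</xsl:stylesheet>
```

Because the parameter is resolved by Maven from the module's own parent declaration, each module of the multi-module build stamps its own parent version into its HTML report without any change to dependency-check itself; the XML report stays as the tool produces it.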