
Respect <skipProvidedScope> for <scanPlugins> #5825

Open
Marcono1234 opened this issue Jul 12, 2023 · 1 comment

Comments


Marcono1234 commented Jul 12, 2023

Is your feature request related to a problem? Please describe.
#5001 added support for scanning Maven plugins. However, as pointed out in jeremylong/DependencyCheck#4035 (comment) Dependency Check currently considers all dependencies of plugins, including provided ones which are actually provided by the Maven installation and are therefore mostly irrelevant for checking vulnerabilities.

This renders the <scanPlugins> feature a bit useless because plugins often try to support old Maven versions (and therefore potentially vulnerable old provided dependencies) which leads to false positives.

Describe the solution you'd like
Either:

  • <scanPlugins> should respect the existing <skipProvidedScope> option (and possibly other options as well?)
  • or there should be a new dedicated option to exclude provided dependencies of plugins
  • or Dependency Check should ignore provided dependencies of plugins by default

Describe alternatives you've considered
See bullet points above

Additional context
Even though as mentioned in jeremylong/DependencyCheck#4035 (comment) the Maven Dependency Plugin currently behaves the same way (which might also be a bug there), Dependency Check does not necessarily have to stick to that behavior (unless there are of course technical limitations) because the use case for Dependency Check is quite different.

Reproduction steps

  1. Create a pom.xml with the following content
    <project xmlns="http://maven.apache.org/POM/4.0.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
    
        <groupId>com.mycompany.app</groupId>
        <artifactId>my-app</artifactId>
        <version>1.0.0-SNAPSHOT</version>
        <packaging>pom</packaging>
    
        <build>
            <plugins>
                <plugin>
                    <groupId>org.owasp</groupId>
                    <artifactId>dependency-check-maven</artifactId>
                    <version>8.3.1</version>
                    <executions>
                        <execution>
                            <goals>
                                <goal>check</goal>
                            </goals>
                            <configuration>
                                <scanDependencies>false</scanDependencies>
                                <scanPlugins>true</scanPlugins>
                                <skipProvidedScope>true</skipProvidedScope>
                            </configuration>
                        </execution>
                    </executions>
                </plugin>
            </plugins>
        </build>
    </project>
  2. Run mvn verify
    ❌ Issue: It shows a lot of vulnerabilities, including for example multiple for maven-core-3.1.0.jar, even though that is a provided dependency
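To make concrete what the requested behaviour would do, here is an added example that is not part of this issue or of DependencyCheck's code: a small Python script that parses a constructed Maven plugin POM and drops the dependencies a <skipProvidedScope> filter would ignore. The POM content, the example-maven-plugin coordinates and the function names are assumptions made for this example; the real plugin works on the dependency tree Maven resolves, not on the raw POM text.

```python
"""Added example (not from the issue or from DependencyCheck): filter a
Maven plugin's declared dependencies by scope, the way <skipProvidedScope>
does for project dependencies."""
import xml.etree.ElementTree as ET

# Constructed sample plugin POM. Like most real plugins it declares the
# Maven API jars as provided (the running Maven installation supplies them)
# and ships one library of its own with the default compile scope.
PLUGIN_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>example-maven-plugin</artifactId>
  <version>1.0.0</version>
  <packaging>maven-plugin</packaging>
  <dependencies>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-core</artifactId>
      <version>3.1.0</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-plugin-api</artifactId>
      <version>3.1.0</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-compress</artifactId>
      <version>1.21</version>
    </dependency>
  </dependencies>
</project>
"""

# POM 4.0.0 namespace; every element lookup must be qualified with it.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def declared_dependencies(pom_xml):
    """Return (groupId, artifactId, version, scope) for each declared
    dependency. A missing <scope> element means compile, Maven's default."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        def text(tag):
            el = dep.find("m:" + tag, NS)
            return el.text.strip() if el is not None and el.text else None

        deps.append((text("groupId"), text("artifactId"),
                     text("version"), text("scope") or "compile"))
    return deps


def scannable_dependencies(pom_xml, skipped_scopes=("provided",)):
    """Apply the scope filter: with skipped_scopes=("provided",) this is the
    behaviour the issue asks <scanPlugins> to adopt, so maven-core 3.1.0 is no
    longer reported even though the plugin declares it."""
    skipped = set(skipped_scopes)
    return [d for d in declared_dependencies(pom_xml) if d[3] not in skipped]


if __name__ == "__main__":
    for gid, aid, ver, scope in declared_dependencies(PLUGIN_POM):
        print("declared:  %s:%s:%s (%s)" % (gid, aid, ver, scope))
    for gid, aid, ver, scope in scannable_dependencies(PLUGIN_POM):
        print("scannable: %s:%s:%s (%s)" % (gid, aid, ver, scope))
```

Note that this filters only the plugin's direct declarations. In Maven's resolved tree the compile and runtime dependencies of a provided dependency are themselves carried with provided scope, so a scanner that applies the same filter to the resolved tree also drops maven-core's transitive dependencies, which is the outcome the reporter wants.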
@slawekjaranowski

I'm for

Dependency Check should ignore provided dependencies of plugins by default
