Enhancement: Add Dependency Tree

Open augustd opened this issue 10 years ago • 5 comments
From email with @stevespringett:

"I understand the whole dependency-of-dependency has a vulnerability situation… It’s all too common.

What might be a good solution for this is to use the following build scenario:

  • Use DC Maven plugin to perform a check
  • Use DC Jenkins plugin (publisher step only) to visualize results
  • Use maven-dependency-plugin to create a dependency tree

What would be nice is if either the Dependency-Check Maven or Jenkins plugin included the dependency tree as part of the result. As the author of the Jenkins plugin, I can say that I have not investigated this possibility, although I think it would be extremely valuable."

The output could be a tree of dependencies, each with the sum of the CVSS scores of any inherited vulnerabilities and links to the details (as in the present version). That would make it easy for the reviewer to target the nodes on the tree (which are dependencies) that introduce the most vulnerabilities and remediate those.

augustd avatar Mar 23 '15 20:03 augustd

The long term plan is to do something along this line. This is one of the enhancements I've had planned for quite some time. Thanks for posting the enhancement request - I will see what I can do about prioritizing this.

--Jeremy

jeremylong avatar Mar 28 '15 10:03 jeremylong

I'm happy to contribute, if you can point me in the right direction.

I'm thinking:

  • DependencyGraphBuilder.buildDependencyGraph()
  • Recursively walk the resulting DependencyNode: //would this happen in BaseDependencyCheckMojo.scanArtifacts() ?
    • DependencyNode.getArtifact()
    • Engine.scan(artifact) // in this case does not need to return a list? because we already have the tree
  • Add Engine.scan results to a tree data structure instead of a List

Does that sound right? How does the pretty report actually get created?

augustd avatar Mar 31 '15 18:03 augustd

That would work for Maven... There is a CLI, Ant task, and Jenkins plugin also (and possibly a gradle plugin in the future)... I was originally considering something a bit more comprehensive utilizing JDepends or something along those lines. However, I'm not opposed to an interim enhancement to the Maven plugin while something is worked out more holistically for the other interfaces.

The reports are currently a collection of Velocity templates.

jeremylong avatar Apr 03 '15 09:04 jeremylong

@jeremylong @augustd any chance for a reboot of this issue? I would like to see, for Maven:

  • report: dependency tree (as text, with CVSS as suggested by @augustd):
    • tree branches for flagged dependencies (i.e. not the whole tree, just all the paths to the relevant dependencies)
    • the whole tree
  • resolution:
    • a maven plugin command for updating to the latest parent dependency for flagged dependencies (i.e. like the versions plugin)

There is a ton of whitespace (to the right) when viewing the report in full screen, so perhaps the tree branches for flagged dependencies could be visible by default.

If there was a way to make a "fix" button on the report itself (with local file access), that would be golden.

skjolber avatar Jan 05 '24 11:01 skjolber
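The three report ideas in this thread (augustd's tree with summed inherited CVSS and "hot spot" nodes, the recursive walk over dependency nodes sketched above, and skjolber's request for only the paths that lead to flagged dependencies) boil down to one small tree algorithm. The following is an added, language-neutral sketch of it in Python, written for this thread; it is not code from Dependency-Check, its Maven plugin or the linked gist, which are Java. The `DepNode` class stands in for whatever the build tool's dependency graph yields (a Maven `DependencyNode`, for instance), and the coordinates and CVSS scores in the sample tree are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DepNode:
    """One node of a resolved dependency tree (Maven-style coordinates assumed)."""
    coordinate: str                                      # group:artifact:version
    cvss: List[float] = field(default_factory=list)      # CVSS scores of findings on this artifact itself
    children: List["DepNode"] = field(default_factory=list)  # transitive dependencies pulled in by it


def inherited_score(node: DepNode) -> float:
    """Sum of the CVSS scores of this node's own findings plus every finding beneath it.
    Summing is the aggregation proposed in the issue: it measures how much vulnerable
    code a node drags in, not the single worst finding."""
    return sum(node.cvss) + sum(inherited_score(child) for child in node.children)


def rank_children(node: DepNode) -> List[tuple]:
    """Direct dependencies of `node`, worst first, so a reviewer can see which declared
    dependency introduces the most vulnerabilities and remediate that one."""
    return sorted(((child.coordinate, inherited_score(child)) for child in node.children),
                  key=lambda pair: pair[1], reverse=True)


def prune_to_flagged(node: DepNode) -> Optional[DepNode]:
    """Copy of the tree keeping only the paths that end at an artifact with findings
    (the 'branches for flagged dependencies' view). Returns None when nothing at or
    below `node` is flagged, so unflagged subtrees disappear from the copy."""
    kept = [p for p in (prune_to_flagged(child) for child in node.children) if p is not None]
    if not node.cvss and not kept:
        return None
    return DepNode(node.coordinate, list(node.cvss), kept)


def render(node: DepNode, depth: int = 0) -> List[str]:
    """Text rendering, one line per node, annotated with inherited and own totals."""
    own = f", own {sum(node.cvss):.1f}" if node.cvss else ""
    lines = [f"{'  ' * depth}{node.coordinate}  [inherited {inherited_score(node):.1f}{own}]"]
    for child in node.children:
        lines.extend(render(child, depth + 1))
    return lines


def vulnerable_parser() -> DepNode:
    """Constructed artifact with two findings; it is reached via two different paths below."""
    return DepNode("example:json-parser:1.4", [9.8, 7.5])


# Constructed sample tree: coordinates and scores are made up for this example.
SAMPLE_TREE = DepNode("example:app:1.0", children=[
    DepNode("example:web:2.1", children=[vulnerable_parser(), DepNode("example:logging:3.0")]),
    DepNode("example:util:0.9", [5.3], children=[vulnerable_parser()]),
])


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_TREE)))
    print("--- flagged paths only ---")
    flagged = prune_to_flagged(SAMPLE_TREE)
    print("\n".join(render(flagged)) if flagged else "(no findings)")
    print("--- hot spots among direct dependencies ---")
    for coordinate, score in rank_children(SAMPLE_TREE):
        print(f"{score:5.1f}  {coordinate}")
```

Because the same vulnerable artifact is reachable through two parents, its scores count once per path; that is deliberate for a "which of my declared dependencies should I fix" view, where both `web` and `util` really do carry it in, but a report that wants a de-duplicated total per artifact would key the findings by coordinate instead.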

I played around with this: https://gist.github.com/jeremylong/ec5d496f64fc5bba6d47b2524a40ce3f

jeremylong avatar Jan 06 '24 11:01 jeremylong