Add Dependency Source

Open jeremylong opened this issue 2 years ago • 6 comments
Currently, ODC primarily tracks the file path of the dependency - not necessarily the "source". If scanning a pom.xml we do not provide the path to the pom. We do list the project/scope - but that doesn't necessarily get back to the specific pom.xml. This can cause confusion when trying to generate reports - see #5920.

jeremylong avatar Oct 14 '23 11:10 jeremylong

May I try to do this? Last year, I worked on a project that utilized the dependencycheck. At that time, in order to support Maven and Gradle source code, I added some logic to retrieve dependency information by executing the "mvn dependency:tree" and "gradle dependencies -b %s --configuration runtimeClasspath" commands. I combined this information with dependencycheck to analyze vulnerabilities in the dependencies. However, the results were not very satisfactory because this implementation relied too much on the network, resulting in slow and unreliable execution.

Therefore, I later wanted to improve this implementation by parsing the pom.xml file instead of executing commands to retrieve dependencies.

This year, I have been working on a low-code project and haven't continued with last year's project. However, upon seeing this requirement, I think I can give it a try.

ytzzh0726 avatar Oct 18 '23 15:10 ytzzh0726

Sorry for the delay - if you want to give this a try please do! We love PRs.

jeremylong avatar Oct 20 '23 18:10 jeremylong

OK, I'll do it this week.

regedit0726 avatar Oct 24 '23 01:10 regedit0726

While the PR may have some merit, the intent of this was to complete something like this:

https://github.com/jeremylong/DependencyCheck/compare/scratch/add-source

Where we would need to call dependency.addSourceReferences(source) everywhere a new dependency was generated from a package manager: Pypi, nuget, lock files, maven, etc. We do not always reflect the source of the dependency - especially in the Java ecosystem where this is likely the most useful.

jeremylong avatar Nov 13 '23 11:11 jeremylong

So I need to add the path of the parent pom to a dependency, but the sourceReferences of the parent should not be added to the dependency, right?

regedit0726 avatar Nov 16 '23 00:11 regedit0726

If we have a JAR file that was included because of the pom - we should put the pom in the sourceReference. While it would be great if we could figure out the exact line and in which pom (i.e. did it come from a parent pom) - for now we can just indicate that the source was the pom.xml that was being directly analyzed.

jeremylong avatar Nov 16 '23 11:11 jeremylong
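The approach the thread converges on (parse the pom.xml rather than shell out to `mvn`, and record the directly analysed pom as the source reference of every dependency it declares, while the `<parent>` coordinates are kept aside rather than treated as a source) as a small standalone model. This is an added example written for this page, not DependencyCheck's own code; the pom path, property names and coordinates in the sample are constructed.

```python
"""Model of recording a pom.xml path as the source reference of each dependency."""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample: a placeholder path and a minimal pom with a parent,
# a property-driven version and a test-scoped dependency.
SAMPLE_POM_PATH = "/tmp/example-project/pom.xml"
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>com.example</groupId><artifactId>parent</artifactId><version>1.0.0</version>
  </parent>
  <artifactId>app</artifactId>
  <properties><log4j.version>2.17.1</log4j.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId><artifactId>junit</artifactId>
      <version>4.13.2</version><scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""


def _text(elem, tag, default=None):
    child = elem.find(POM_NS + tag)
    return child.text.strip() if child is not None and child.text else default


def parse_pom(pom_xml, pom_path):
    """Return one record per <dependency>, each tagged with the pom it came from.
    Only the pom being analysed goes into sourceReferences; the parent's
    coordinates are reported separately so a later pass could resolve them."""
    root = ET.fromstring(pom_xml)
    props_elem = root.find(POM_NS + "properties")
    props = {} if props_elem is None else {p.tag[len(POM_NS):]: (p.text or "").strip() for p in props_elem}

    def resolve(value):
        # Properties only defined in a parent pom cannot be resolved here; leave them as-is.
        return None if value is None else re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

    parent = root.find(POM_NS + "parent")
    parent_ref = None if parent is None else ":".join(_text(parent, t, "") for t in ("groupId", "artifactId", "version"))
    deps_elem = root.find(POM_NS + "dependencies")
    return [{
        "groupId": _text(d, "groupId"), "artifactId": _text(d, "artifactId"),
        "version": resolve(_text(d, "version")), "scope": _text(d, "scope", "compile"),
        "sourceReferences": [pom_path], "parent": parent_ref,
    } for d in ([] if deps_elem is None else deps_elem.findall(POM_NS + "dependency"))]
```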