Empty version field on some dependencies when reading pom.xml
What happened: Syft does not detect the current version of some dependencies when scanning a maven project.
What you expected to happen: Syft shows the current version of every package listed on pom.xml when scanning a maven project.
How to reproduce it (as minimally and precisely as possible):
On a maven project with some dependencies run syft dir:. The output of the command is the following:
✔ Indexed .
✔ Cataloged packages [31 packages]
NAME VERSION TYPE
commons-codec 20041127.091804 java-archive
commons-io 2.7 java-archive
commons-validator 1.7 java-archive
gson 2.8.9 java-archive
h2 2.1.212 java-archive
joda-time 2.10.14 java-archive
json 20220320 java-archive
junit-jupiter-api java-archive
junit-jupiter-engine java-archive
kafka-clients 6.2.0-ccs java-archive
kafka-streams 6.2.0-ccs java-archive
kafka-streams-test-utils 6.2.0-ccs java-archive
kotlin-maven-allopen ${kotlin.version} java-archive
maven-wrapper 0.5.5 java-archive
micrometer-registry-prometheus ${micrometer.version} java-archive
mockk ${io.mockk.version} java-archive
opentracing-kafka-spring 0.1.15 java-archive
opentracing-kafka-streams 0.1.15 java-archive
opentracing-mock 0.33.0 java-archive
opentracing-spring-cloud-starter 0.5.9 java-archive
opentracing-spring-jaeger-cloud-starter 3.3.1 java-archive
spring-boot-starter-actuator java-archive
spring-boot-starter-aop java-archive
spring-boot-starter-data-jpa java-archive
spring-boot-starter-data-mongodb java-archive
spring-boot-starter-security java-archive
spring-boot-starter-test java-archive
spring-boot-starter-web java-archive
spring-kafka 2.8.5 java-archive
spring-security-test java-archive
Anything else we need to know?:
I also tried running syft dir:. -o json to check if the issue was with one specific report format. The version field on some dependencies is also empty (example below).
{
"id": "9e8b166654978e40",
"name": "spring-boot-starter-test",
"version": "",
"type": "java-archive",
"foundBy": "java-pom-cataloger",
"locations": [
{
"path": "pom.xml"
}
],
"licenses": [],
"language": "java",
"cpes": [
"cpe:2.3:a:spring-boot-starter-test:spring-boot-starter-test:*:*:*:*:*:*:*:*",
"cpe:2.3:a:spring-boot-starter-test:spring_boot_starter_test:*:*:*:*:*:*:*:*",
"cpe:2.3:a:spring_boot_starter_test:spring-boot-starter-test:*:*:*:*:*:*:*:*",
"cpe:2.3:a:spring_boot_starter_test:spring_boot_starter_test:*:*:*:*:*:*:*:*",
"cpe:2.3:a:spring-boot-starter:spring-boot-starter-test:*:*:*:*:*:*:*:*",
"cpe:2.3:a:spring-boot-starter:spring_boot_starter_test:*:*:*:*:*:*:*:*",
"cpe:2.3:a:spring_boot_starter:spring-boot-starter-test:*:*:*:*:*:*:*:*",
"cpe:2.3:a:spring_boot_starter:spring_boot_starter_test:*:*:*:*:*:*:*:*",
"cpe:2.3:a:spring-boot:spring-boot-starter-test:*:*:*:*:*:*:*:*",
"cpe:2.3:a:spring-boot:spring_boot_starter_test:*:*:*:*:*:*:*:*",
"cpe:2.3:a:spring_boot:spring-boot-starter-test:*:*:*:*:*:*:*:*",
"cpe:2.3:a:spring_boot:spring_boot_starter_test:*:*:*:*:*:*:*:*",
"cpe:2.3:a:spring:spring-boot-starter-test:*:*:*:*:*:*:*:*",
"cpe:2.3:a:spring:spring_boot_starter_test:*:*:*:*:*:*:*:*"
],
"purl": "pkg:maven/org.springframework.boot/spring-boot-starter-test",
"metadataType": "JavaMetadata",
"metadata": {
"virtualPath": ""
}
}
Environment:
- Output of syft version:
Application: syft
Version: 0.52.0
JsonSchemaVersion: 3.3.1
BuildDate: 2022-07-21T13:50:51Z
GitCommit: ba9adb17ebb510a2a3bd2b641738b1d9235e1f3e
GitDescription: v0.52.0
Platform: linux/amd64
GoVersion: go1.18.3
Compiler: gc
- OS (e.g: cat /etc/os-release or similar): Tested on Ubuntu 20.04.4 LTS using WSL on top of Windows 11
Related to the same issue we see that versions provided as parameter in the pom.xml are not evaluated.
For example we see results like:
syft dir:.
✔ Indexed .
✔ Cataloged packages [21 packages]
NAME VERSION TYPE
axios ${webjars-axios.version} java-archive
bootstrap ${webjars-bootstrap.version} java-archive
d3-cloud ${webjars-d3cloud.version} java-archive
h2 java-archive
jquery ${webjars-jquery.version} java-archive
kuromoji-ipadic ${kuromoji.version} java-archive
maven-wrapper 3.1.0 java-archive
p6spy ${p6spy.version} java-archive
postgresql java-archive
spring-boot-starter-data-jpa java-archive
spring-boot-starter-oauth2-client java-archive
spring-boot-starter-security java-archive
spring-boot-starter-test java-archive
spring-boot-starter-thymeleaf java-archive
spring-boot-starter-web java-archive
spring-cloud-starter-sleuth java-archive
spring-security-test java-archive
thymeleaf-extras-springsecurity5 java-archive
twitter-api-java-sdk ${twitter.sdk.version} java-archive
wavefront-spring-boot-starter java-archive
webjars-locator-core java-archive
while in pom.xml the versions for parameterized components are provided:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.2</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>jp.vmware.tanzu</groupId>
<artifactId>twitter-wordcloud-demo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>twitter-wordcloud-demo</name>
<description>twitter-wordcloud-demo</description>
<properties>
<java.version>11</java.version>
<spring-cloud.version>2021.0.3</spring-cloud.version>
<wavefront.version>2.3.0</wavefront.version>
<p6spy.version>3.9.1</p6spy.version>
<twitter.sdk.version>2.0.2</twitter.sdk.version>
<kuromoji.version>0.9.0</kuromoji.version>
<!-- Web dependencies -->
<webjars-bootstrap.version>5.2.0</webjars-bootstrap.version>
<webjars-jquery.version>3.6.0</webjars-jquery.version>
<webjars-d3js.version>7.6.1</webjars-d3js.version>
<webjars-d3cloud.version>1.2.5</webjars-d3cloud.version>
<webjars-axios.version>0.27.2</webjars-axios.version>
</properties>
...
...
I attempted to reproduce this without luck from the portion, can you provide the full pom.xml?
Hi @wagoodman :wave:, thank you for showing interest in this issue.
Further investigation led to some findings. As @bsoroushian mentioned, parametrized versions are not evaluated when grype reads pom.xml. Other packages that don't carry a version tag in the generated pom.xml are also problematic, as syft shows the version field as an empty string.
This syft execution shows both problems:
$ syft packages file:pom.xml
✔ Indexed pom.xml
✔ Cataloged packages [33 packages]
NAME VERSION TYPE
commons-codec 1.14 java-archive
commons-io 2.7 java-archive
easy-random-core ${easy-random-core.version} java-archive
easy-random-randomizers ${easy-random-core.version} java-archive
gson 2.8.9 java-archive
guava 31.1-jre java-archive
h2 2.1.214 java-archive
jackson-module-kotlin 2.13.3 java-archive
joda-time 2.10.14 java-archive
json 20220320 java-archive
junit-jupiter-api java-archive
junit-jupiter-engine java-archive
kafka-clients 6.2.0-ccs java-archive
kafka-json-serializer 6.2.0 java-archive
kafka-streams 6.2.0-ccs java-archive
kafka-streams-test-utils 6.2.0-ccs java-archive
kotlin-maven-allopen ${kotlin.version} java-archive
kotlin-reflect ${kotlin.version} java-archive
kotlin-stdlib ${kotlin.version} java-archive
micrometer-registry-prometheus ${micrometer.version} java-archive
mockk ${io.mockk.version} java-archive
opentracing-spring-cloud-starter 0.5.9 java-archive
opentracing-spring-jaeger-cloud-starter 3.3.1 java-archive
spring-boot-starter-actuator java-archive
spring-boot-starter-data-jpa java-archive
spring-boot-starter-data-mongodb java-archive
spring-boot-starter-security java-archive
spring-boot-starter-test java-archive
spring-boot-starter-web java-archive
spring-cloud-starter-openfeign java-archive
spring-security-test java-archive
springdoc-openapi-kotlin ${springdoc-openapi.version} java-archive
springdoc-openapi-ui ${springdoc-openapi.version} java-archive
The output shown above was created scanning the following pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.org.services</groupId>
<artifactId>product-name</artifactId>
<version>1.0.0</version>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.2</version>
<relativePath/>
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<spring.framework.version>5.3.1.RELEASE</spring.framework.version>
<java.version>11</java.version>
<sonar.coverage.exclusions>
**/configuration/**/*,
**/exception/**/*,
**/model/**/*,
**/ConstantsUtils.kt,
**/Application.kt,
</sonar.coverage.exclusions>
<sonar.java.coveragePlugin>jacoco</sonar.java.coveragePlugin>
<sonar.dynamicAnalysis>reuseReports</sonar.dynamicAnalysis>
<sonar.jacoco.reportPaths>${basedir}/target/jacoco.exec</sonar.jacoco.reportPaths>
<sonar.language>kotlin</sonar.language>
<jacoco.version>0.8.7</jacoco.version>
<springdoc-openapi.version>1.6.9</springdoc-openapi.version>
<micrometer.version>1.9.3</micrometer.version>
<kotlin.version>1.7.10</kotlin.version>
<io.mockk.version>1.10.3</io.mockk.version>
<kotlin.compiler.incremental>true</kotlin.compiler.incremental>
<dokka.version>1.6.21</dokka.version>
<openfeign.version>3.0.6</openfeign.version>
<openfeign.core.version>2.2.6.RELEASE</openfeign.core.version>
<easy-random-core.version>5.0.0</easy-random-core.version>
</properties>
<repositories>
<repository>
<id>confluent</id>
<url>https://packages.confluent.io/maven/</url>
</repository>
</repositories>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>2021.0.3</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-mongodb</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springdoc</groupId>
<artifactId>springdoc-openapi-ui</artifactId>
<version>${springdoc-openapi.version}</version>
</dependency>
<dependency>
<groupId>org.springdoc</groupId>
<artifactId>springdoc-openapi-kotlin</artifactId>
<version>${springdoc-openapi.version}</version>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>31.1-jre</version>
</dependency>
<dependency>
<groupId>io.micrometer</groupId>
<artifactId>micrometer-registry-prometheus</artifactId>
<version>${micrometer.version}</version>
</dependency>
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>2.1.214</version>
</dependency>
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>1.14</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.7</version>
</dependency>
<dependency>
<groupId>org.json</groupId>
<artifactId>json</artifactId>
<version>20220320</version>
</dependency>
<dependency>
<groupId>joda-time</groupId>
<artifactId>joda-time</artifactId>
<version>2.10.14</version>
</dependency>
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.8.9</version>
</dependency>
<dependency>
<groupId>org.jetbrains.kotlin</groupId>
<artifactId>kotlin-stdlib</artifactId>
<version>${kotlin.version}</version>
</dependency>
<dependency>
<groupId>org.jetbrains.kotlin</groupId>
<artifactId>kotlin-reflect</artifactId>
<version>${kotlin.version}</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.module</groupId>
<artifactId>jackson-module-kotlin</artifactId>
<version>2.13.3</version>
</dependency>
<dependency>
<groupId>org.jetbrains.kotlin</groupId>
<artifactId>kotlin-maven-allopen</artifactId>
<version>${kotlin.version}</version>
</dependency>
<dependency>
<groupId>io.mockk</groupId>
<artifactId>mockk</artifactId>
<version>${io.mockk.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-engine</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-api</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.kafka</groupId>
<artifactId>kafka-streams</artifactId>
<version>6.2.0-ccs</version>
</dependency>
<dependency>
<groupId>org.apache.kafka</groupId>
<artifactId>kafka-clients</artifactId>
<version>6.2.0-ccs</version>
</dependency>
<dependency>
<groupId>io.confluent</groupId>
<artifactId>kafka-json-serializer</artifactId>
<version>6.2.0</version>
</dependency>
<dependency>
<groupId>org.apache.kafka</groupId>
<artifactId>kafka-streams-test-utils</artifactId>
<version>6.2.0-ccs</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.opentracing.contrib</groupId>
<artifactId>opentracing-spring-cloud-starter</artifactId>
<version>0.5.9</version>
</dependency>
<dependency>
<groupId>io.opentracing.contrib</groupId>
<artifactId>opentracing-spring-jaeger-cloud-starter</artifactId>
<version>3.3.1</version>
</dependency>
<!-- Feign dependencies -->
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-openfeign</artifactId>
<!--<version>${openfeign.version}</version>-->
</dependency>
<!-- Easy random dependencies -->
<dependency>
<groupId>org.jeasy</groupId>
<artifactId>easy-random-core</artifactId>
<version>${easy-random-core.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.jeasy</groupId>
<artifactId>easy-random-randomizers</artifactId>
<version>${easy-random-core.version}</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<sourceDirectory>${project.basedir}/src/main/kotlin</sourceDirectory>
<testSourceDirectory>${project.basedir}/src/test/kotlin</testSourceDirectory>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.sonarsource.scanner.maven</groupId>
<artifactId>sonar-maven-plugin</artifactId>
<version>3.6.0.1398</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.22.2</version>
<configuration>
<skipTests>false</skipTests>
<testFailureIgnore>true</testFailureIgnore>
<forkMode>once</forkMode>
</configuration>
</plugin>
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>${jacoco.version}</version>
<executions>
<execution>
<id>default-prepare-agent</id>
<goals>
<goal>prepare-agent</goal>
</goals>
</execution>
<execution>
<id>default-report</id>
<phase>test</phase>
<goals>
<goal>report</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<artifactId>kotlin-maven-plugin</artifactId>
<groupId>org.jetbrains.kotlin</groupId>
<version>${kotlin.version}</version>
<configuration>
<compilerPlugins>
<plugin>spring</plugin>
</compilerPlugins>
<jvmTarget>11</jvmTarget>
<languageVersion>1.5</languageVersion>
</configuration>
<executions>
<execution>
<id>compile</id>
<phase>compile</phase>
<goals>
<goal>compile</goal>
</goals>
</execution>
<execution>
<id>test-compile</id>
<phase>test-compile</phase>
<goals>
<goal>test-compile</goal>
</goals>
</execution>
</executions>
<dependencies>
<dependency>
<groupId>org.jetbrains.kotlin</groupId>
<artifactId>kotlin-maven-allopen</artifactId>
<version>${kotlin.version}</version>
</dependency>
</dependencies>
</plugin>
</plugins>
</build>
</project>
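As an added example (not code from syft or from anyone in this thread), the following Python script does for a single pom.xml what the two comments above show the pom cataloger not doing: it expands ${property} references in dependency versions against the POM's own <properties> block and flags the dependencies that still have no concrete version, which is the check a reviewer wants before trusting an SBOM built from the file. SAMPLE_POM, dependency_versions and the other names are assumptions of this example.

```python
"""Resolve Maven ${property} placeholders in pom.xml dependency versions.

Constructed example, not code from the syft project or from this issue. Each
top-level <dependency> is classified as "ok" (concrete version), "unresolved"
(a ${...} reference no property defines) or "managed" (no <version> element:
it comes from the parent POM or a BOM import and cannot be read from this file).
"""
import re
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed minimal POM modelled on the ones posted in the issue.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.2</version>
  </parent>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <kotlin.version>1.7.10</kotlin.version>
    <chained.version>${kotlin.version}</chained.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.jetbrains.kotlin</groupId>
      <artifactId>kotlin-stdlib</artifactId>
      <version>${kotlin.version}</version>
    </dependency>
    <dependency>
      <groupId>org.jeasy</groupId>
      <artifactId>easy-random-core</artifactId>
      <version>${chained.version}</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>undefined-prop</artifactId>
      <version>${missing.version}</version>
    </dependency>
    <dependency>
      <groupId>com.h2database</groupId>
      <artifactId>h2</artifactId>
      <version>2.1.214</version>
    </dependency>
  </dependencies>
</project>
"""

def _text(elem, tag):
    """Stripped text of a direct child element, or "" when absent."""
    child = elem.find(NS + tag)
    return (child.text or "").strip() if child is not None else ""

def load_properties(root):
    """Collect <properties> plus Maven's built-in project.groupId/artifactId/version."""
    props = {f"project.{t}": v for t in ("groupId", "artifactId", "version") if (v := _text(root, t))}
    props_elem = root.find(NS + "properties")
    if props_elem is not None:
        for child in props_elem:
            props[child.tag.split("}", 1)[-1]] = (child.text or "").strip()
    return props

def resolve(value, props, max_depth=10):
    """Expand ${name} references, following chains such as ${a} -> ${b} -> 1.0.
    Unknown names are left untouched; max_depth guards against property cycles."""
    for _ in range(max_depth):
        expanded = PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        if expanded == value:
            break
        value = expanded
    return value

def dependency_versions(pom_xml):
    """Return {artifactId: (resolved_version, status)} for each top-level <dependency>."""
    root = ET.fromstring(pom_xml)
    props = load_properties(root)
    result = {}
    # Only direct children of <dependencies>; <dependencyManagement> entries are not scanned.
    for dep in root.iterfind(f"{NS}dependencies/{NS}dependency"):
        version = resolve(_text(dep, "version"), props)
        if not version:
            status = "managed"
        elif PLACEHOLDER.search(version):
            status = "unresolved"
        else:
            status = "ok"
        result[_text(dep, "artifactId")] = (version, status)
    return result

def dependencies_without_version(pom_xml):
    """Artifacts an SBOM built from this file alone would carry without a usable version."""
    return sorted(a for a, (_, s) in dependency_versions(pom_xml).items() if s != "ok")
```

Entries reported as "managed" can only be resolved by also reading the parent POM or imported BOM, which is why a scan of the bare pom.xml cannot fill them in.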
Related to this, Syft generates a malformed "purl" which does not parse as a URI. I believe the dollar sign in these version strings is not being URI/percent-encoded when generating the "purl" string.
Hi team, any update on this? I am getting empty version numbers for all my pom.xml dependencies (even the ones specifying a version number directly).
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.1</version>
</parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat</artifactId>
<version>2023.3</version>
<packaging>jar</packaging>
<name>WebGoat</name>
<description>WebGoat, a deliberately insecure Web Application</description>
<url>https://github.com/WebGoat/WebGoat</url>
<inceptionYear>2006</inceptionYear>
<organization>
<name>OWASP</name>
<url>https://github.com/WebGoat/WebGoat/</url>
</organization>
<licenses>
<license>
<name>GNU General Public License, version 2</name>
<url>https://www.gnu.org/licenses/gpl-2.0.txt</url>
</license>
</licenses>
<developers>
<developer>
<id>mayhew64</id>
<name>Bruce Mayhew</name>
<email>[email protected]</email>
<organization>OWASP</organization>
<organizationUrl>https://github.com/WebGoat/WebGoat</organizationUrl>
</developer>
<developer>
<id>nbaars</id>
<name>Nanne Baars</name>
<email>[email protected]</email>
<organizationUrl>https://github.com/nbaars</organizationUrl>
<timezone>Europe/Amsterdam</timezone>
</developer>
<developer>
<id>misfir3</id>
<name>Jason White</name>
<email>[email protected]</email>
</developer>
<developer>
<id>zubcevic</id>
<name>René Zubcevic</name>
<email>[email protected]</email>
</developer>
<developer>
<id>aolle</id>
<name>Àngel Ollé Blázquez</name>
<email>[email protected]</email>
</developer>
<developer>
<id>jwayman</id>
<name>Jeff Wayman</name>
<email></email>
</developer>
<developer>
<id>dcowden</id>
<name>Dave Cowden</name>
<email></email>
</developer>
<developer>
<id>lawson89</id>
<name>Richard Lawson</name>
<email></email>
</developer>
<developer>
<id>dougmorato</id>
<name>Doug Morato</name>
<email>[email protected]</email>
<organization>OWASP</organization>
<organizationUrl>https://github.com/dougmorato</organizationUrl>
<timezone>America/New_York</timezone>
<properties>
<picUrl>https://avatars2.githubusercontent.com/u/9654?v=3&amp;s=150</picUrl>
</properties>
</developer>
</developers>
<mailingLists>
<mailingList>
<name>OWASP WebGoat Mailing List</name>
<subscribe>https://lists.owasp.org/mailman/listinfo/owasp-webgoat</subscribe>
<unsubscribe>[email protected]</unsubscribe>
<post>[email protected]</post>
<archive>http://lists.owasp.org/pipermail/owasp-webgoat/</archive>
</mailingList>
</mailingLists>
<scm>
<connection>scm:git:[email protected]:WebGoat/WebGoat.git</connection>
<developerConnection>scm:git:[email protected]:WebGoat/WebGoat.git</developerConnection>
<tag>HEAD</tag>
<url>https://github.com/WebGoat/WebGoat</url>
</scm>
<issueManagement>
<system>Github Issues</system>
<url>https://github.com/WebGoat/WebGoat/issues</url>
</issueManagement>
<properties>
<!-- Shared properties with plugins and version numbers across submodules-->
<asciidoctorj.version>2.5.3</asciidoctorj.version>
<bootstrap.version>3.3.7</bootstrap.version>
<cglib.version>2.2</cglib.version>
<!-- do not update necessary for lesson -->
<checkstyle.version>3.1.2</checkstyle.version>
<commons-collections.version>3.2.1</commons-collections.version>
<commons-io.version>2.6</commons-io.version>
<commons-lang3.version>3.12.0</commons-lang3.version>
<commons-text.version>1.9</commons-text.version>
<guava.version>30.1-jre</guava.version>
<java.version>17</java.version>
<jjwt.version>0.9.1</jjwt.version>
<jose4j.version>0.7.6</jose4j.version>
<jquery.version>3.5.1</jquery.version>
<jsoup.version>1.14.3</jsoup.version>
<maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
<maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
<maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
<maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
<maven-source-plugin.version>3.1.0</maven-source-plugin.version>
<maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
<maven.compiler.source>17</maven.compiler.source>
<maven.compiler.target>17</maven.compiler.target>
<pmd.version>3.15.0</pmd.version>
<!-- Use UTF-8 Encoding -->
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
<webdriver.version>4.3.1</webdriver.version>
<webgoat.port>8080</webgoat.port>
<webwolf.port>9090</webwolf.port>
<wiremock.version>2.27.2</wiremock.version>
<xml-resolver.version>1.2</xml-resolver.version>
<xstream.version>1.4.5</xstream.version>
<!-- do not update necessary for lesson -->
<zxcvbn.version>1.5.2</zxcvbn.version>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.ow2.asm</groupId>
<artifactId>asm</artifactId>
<version>9.1</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-exec</artifactId>
<version>1.3</version>
</dependency>
<dependency>
<groupId>org.asciidoctor</groupId>
<artifactId>asciidoctorj</artifactId>
<version>${asciidoctorj.version}</version>
</dependency>
<dependency>
<!-- jsoup HTML parser library @ https://jsoup.org/ -->
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>${jsoup.version}</version>
</dependency>
<dependency>
<groupId>com.nulab-inc</groupId>
<artifactId>zxcvbn</artifactId>
<version>${zxcvbn.version}</version>
</dependency>
<dependency>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
<version>${xstream.version}</version>
</dependency>
<dependency>
<groupId>cglib</groupId>
<artifactId>cglib-nodep</artifactId>
<version>${cglib.version}</version>
</dependency>
<dependency>
<groupId>xml-resolver</groupId>
<artifactId>xml-resolver</artifactId>
<version>${xml-resolver.version}</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>${jjwt.version}</version>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>${guava.version}</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>${commons-io.version}</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
<version>${commons-text.version}</version>
</dependency>
<dependency>
<groupId>org.bitbucket.b_c</groupId>
<artifactId>jose4j</artifactId>
<version>${jose4j.version}</version>
</dependency>
<dependency>
<groupId>org.webjars</groupId>
<artifactId>bootstrap</artifactId>
<version>${bootstrap.version}</version>
</dependency>
<dependency>
<groupId>org.webjars</groupId>
<artifactId>jquery</artifactId>
<version>${jquery.version}</version>
</dependency>
<dependency>
<groupId>com.github.tomakehurst</groupId>
<artifactId>wiremock</artifactId>
<version>${wiremock.version}</version>
</dependency>
<dependency>
<groupId>io.github.bonigarcia</groupId>
<artifactId>webdrivermanager</artifactId>
<version>${webdriver.version}</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.21</version>
</dependency>
<dependency>
<groupId>org.jruby</groupId>
<artifactId>jruby</artifactId>
<version>9.3.6.0</version>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-exec</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-undertow</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.flywaydb</groupId>
<artifactId>flyway-core</artifactId>
</dependency>
<dependency>
<groupId>org.asciidoctor</groupId>
<artifactId>asciidoctorj</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
<dependency>
<groupId>org.hsqldb</groupId>
<artifactId>hsqldb</artifactId>
</dependency>
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
</dependency>
<dependency>
<groupId>com.nulab-inc</groupId>
<artifactId>zxcvbn</artifactId>
</dependency>
<dependency>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
</dependency>
<dependency>
<groupId>cglib</groupId>
<artifactId>cglib-nodep</artifactId>
</dependency>
<dependency>
<groupId>xml-resolver</groupId>
<artifactId>xml-resolver</artifactId>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
</dependency>
<dependency>
<groupId>org.bitbucket.b_c</groupId>
<artifactId>jose4j</artifactId>
</dependency>
<dependency>
<groupId>org.webjars</groupId>
<artifactId>bootstrap</artifactId>
</dependency>
<dependency>
<groupId>org.webjars</groupId>
<artifactId>jquery</artifactId>
</dependency>
<dependency>
<groupId>org.glassfish.jaxb</groupId>
<artifactId>jaxb-runtime</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.github.tomakehurst</groupId>
<artifactId>wiremock</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.rest-assured</groupId>
<artifactId>rest-assured</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<repositories>
<repository>
<snapshots>
<enabled>false</enabled>
</snapshots>
<id>central</id>
<url>https://repo.maven.apache.org/maven2</url>
</repository>
</repositories>
<pluginRepositories>
<pluginRepository>
<snapshots>
<enabled>false</enabled>
</snapshots>
<id>central</id>
<url>https://repo.maven.apache.org/maven2</url>
</pluginRepository>
</pluginRepositories>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<excludeDevtools>true</excludeDevtools>
<executable>true</executable>
<mainClass>org.owasp.webgoat.server.StartWebGoat</mainClass>
<!-- See http://docs.spring.io/spring-boot/docs/current/reference/html/howto-build.html#howto-extract-specific-libraries-when-an-executable-jar-runs -->
<requiresUnpack>
<dependency>
<groupId>org.asciidoctor</groupId>
<artifactId>asciidoctorj</artifactId>
</dependency>
</requiresUnpack>
</configuration>
<executions>
<execution>
<goals>
<goal>repackage</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId>
<executions>
<execution>
<id>add-integration-test-source-as-test-sources</id>
<goals>
<goal>add-test-source</goal>
</goals>
<phase>generate-test-sources</phase>
<configuration>
<sources>
<source>src/it/java</source>
</sources>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<configuration>
<systemPropertyVariables>
<logback.configurationFile>${basedir}/src/test/resources/logback-test.xml</logback.configurationFile>
</systemPropertyVariables>
<argLine>-Xmx512m -Dwebgoatport=${webgoat.port} -Dwebwolfport=${webwolf.port}</argLine>
<includes>org/owasp/webgoat/*Test</includes>
</configuration>
<executions>
<execution>
<id>integration-test</id>
<goals>
<goal>integration-test</goal>
</goals>
</execution>
<execution>
<id>verify</id>
<goals>
<goal>verify</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>${maven-surefire-plugin.version}</version>
<configuration>
<argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
--add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
--add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED</argLine>
<excludes>
<exclude>**/*IntegrationTest.java</exclude>
<exclude>src/it/java</exclude>
<exclude>org/owasp/webgoat/*Test</exclude>
</excludes>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>${checkstyle.version}</version>
<configuration>
<encoding>UTF-8</encoding>
<consoleOutput>true</consoleOutput>
<failsOnError>true</failsOnError>
<configLocation>config/checkstyle/checkstyle.xml</configLocation>
<suppressionsLocation>config/checkstyle/suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>com.diffplug.spotless</groupId>
<artifactId>spotless-maven-plugin</artifactId>
<version>2.29.0</version>
<configuration>
<formats>
<format>
<includes>
<include>.gitignore</include>
</includes>
<trimTrailingWhitespace></trimTrailingWhitespace>
<endWithNewline></endWithNewline>
<indent>
<tabs>true</tabs>
<spacesPerTab>4</spacesPerTab>
</indent>
</format>
</formats>
<markdown>
<includes>
<include>**/*.md</include>
</includes>
<flexmark></flexmark>
</markdown>
<java>
<removeUnusedImports></removeUnusedImports>
<googleJavaFormat>
<style>GOOGLE</style>
<reflowLongStrings>true</reflowLongStrings>
</googleJavaFormat>
</java>
<pom>
<sortPom>
<encoding>UTF-8</encoding>
<lineSeparator>${line.separator}</lineSeparator>
<expandEmptyElements>true</expandEmptyElements>
<spaceBeforeCloseEmptyElement>false</spaceBeforeCloseEmptyElement>
<keepBlankLines>true</keepBlankLines>
<nrOfIndentSpace>2</nrOfIndentSpace>
<indentBlankLines>false</indentBlankLines>
<indentSchemaLocation>false</indentSchemaLocation>
<predefinedSortOrder>recommended_2008_06</predefinedSortOrder>
<sortProperties>true</sortProperties>
<sortModules>true</sortModules>
<sortExecutions>true</sortExecutions>
</sortPom>
</pom>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>3.0.0</version>
<executions>
<execution>
<id>restrict-log4j-versions</id>
<goals>
<goal>enforce</goal>
</goals>
<phase>validate</phase>
<configuration>
<rules>
<bannedDependencies>
<excludes combine.children="append">
<exclude>org.apache.logging.log4j:log4j-core</exclude>
</excludes>
</bannedDependencies>
</rules>
<fail>true</fail>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>17</source>
<target>17</target>
</configuration>
</plugin>
</plugins>
</build>
<profiles>
<profile>
<id>local-server</id>
</profile>
<profile>
<id>start-server</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId>
<executions>
<execution>
<id>reserve-container-port</id>
<goals>
<goal>reserve-network-port</goal>
</goals>
<phase>process-resources</phase>
<configuration>
<portNames>
<portName>webgoat.port</portName>
<portName>webwolf.port</portName>
<portName>jmxPort</portName>
</portNames>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>com.bazaarvoice.maven.plugins</groupId>
<artifactId>process-exec-maven-plugin</artifactId>
<version>0.9</version>
<executions>
<execution>
<id>start-jar</id>
<goals>
<goal>start</goal>
</goals>
<phase>pre-integration-test</phase>
<configuration>
<workingDir>${project.build.directory}</workingDir>
<arguments>
<argument>java</argument>
<argument>-jar</argument>
<argument>-Dlogging.pattern.console=</argument>
<argument>-Dspring.main.banner-mode=off</argument>
<argument>-Dspring.datasource.url=jdbc:hsqldb:file:${java.io.tmpdir}/webgoat</argument>
<argument>-Dwebgoat.port=${webgoat.port}</argument>
<argument>-Dwebwolf.port=${webwolf.port}</argument>
<argument>--add-opens</argument>
<argument>java.base/java.lang=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/java.util=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/java.lang.reflect=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/java.text=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.desktop/java.beans=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.desktop/java.awt.font=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/sun.nio.ch=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/java.io=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/java.util=ALL-UNNAMED</argument>
<argument>${project.build.directory}/webgoat-${project.version}.jar</argument>
</arguments>
<waitForInterrupt>false</waitForInterrupt>
<healthcheckUrl>http://localhost:${webgoat.port}/WebGoat/</healthcheckUrl>
</configuration>
</execution>
<execution>
<id>stop-jar-process</id>
<goals>
<goal>stop-all</goal>
</goals>
<phase>post-integration-test</phase>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<profile>
<id>owasp</id>
<activation>
<activeByDefault>false</activeByDefault>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>6.5.1</version>
<configuration>
<failBuildOnCVSS>7</failBuildOnCVSS>
<skipProvidedScope>false</skipProvidedScope>
<skipRuntimeScope>false</skipRuntimeScope>
<suppressionFiles>
<!--suppress UnresolvedMavenProperty -->
<suppressionFile>${maven.multiModuleProjectDirectory}/config/dependency-check/project-suppression.xml</suppressionFile>
</suppressionFiles>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>
Here is the packages command output:
syft packages file:pom.xml
✔ Indexed pom.xml
✔ Cataloged packages [32 packages]
NAME VERSION TYPE
asciidoctorj java-archive
bootstrap java-archive
cglib-nodep java-archive
commons-exec java-archive
commons-io java-archive
commons-lang3 java-archive
commons-text java-archive
flyway-core java-archive
guava java-archive
hsqldb java-archive
jaxb-api java-archive
jaxb-runtime java-archive
jjwt java-archive
jose4j java-archive
jquery java-archive
jsoup java-archive
lombok java-archive
rest-assured java-archive
spring-boot-starter-actuator java-archive
spring-boot-starter-data-jpa java-archive
spring-boot-starter-security java-archive
spring-boot-starter-test java-archive
spring-boot-starter-thymeleaf java-archive
spring-boot-starter-undertow java-archive
spring-boot-starter-validation java-archive
spring-boot-starter-web java-archive
spring-security-test java-archive
thymeleaf-extras-springsecurity5 java-archive
wiremock java-archive
xml-resolver java-archive
xstream java-archive
zxcvbn java-archive
Using Syft version: syft 0.69.1
Related to #1251
Maven version properties are now supported via #1251.
But it looks like parent versions are still unsupported (e.g. the spring-boot-starter-parent example shared above). Is that correct?
@setchy this is correct -- also currently the versions specified in dependencyManagement are not honored.
@khan-a1 -- given the POM you provided, I don't see any versions specified directly but rather specified in the dependencyManagement section, which as noted above isn't currently being used. We definitely should be using this if it's present in the same POM. PRs are always welcome here! :)
I've added this to our backlog, but can't say when it will bubble up to the top
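A minimal illustration of the resolution order the thread describes (a direct `<version>`, then `<dependencyManagement>` in the same POM, with `${property}` values expanded from `<properties>`, and anything only a parent POM could supply left empty), written as an added example that is not syft's code; the POM it parses is a constructed sample, not the one pasted above.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM (not the issue's POM): one version only the parent
# could supply, one managed via a property, one declared directly.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><artifactId>spring-boot-starter-parent</artifactId><version>2.7.0</version></parent>
  <properties><jjwt.version>0.9.1</jjwt.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt</artifactId>
      <version>${jjwt.version}</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt</artifactId></dependency>
    <dependency><groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId></dependency>
    <dependency><groupId>com.h2database</groupId><artifactId>h2</artifactId>
      <version>2.1.212</version></dependency>
  </dependencies>
</project>"""


def _text(el, tag):
    child = el.find(f"m:{tag}", NS)
    return (child.text or "").strip() if child is not None else ""


def resolve_versions(pom_xml):
    """Map artifactId -> version for <dependencies>, using only this POM:
    direct <version>, then <dependencyManagement>, with ${name} expanded
    from <properties>. A version only a parent POM could supply comes
    back as '' (the empty VERSION column in the syft output above)."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    managed = {(_text(d, "groupId"), _text(d, "artifactId")): _text(d, "version")
               for d in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS)}

    def expand(value):
        # Unknown properties stay literal, like the ${kotlin.version} rows above.
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

    resolved = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        key = (_text(dep, "groupId"), _text(dep, "artifactId"))
        resolved[key[1]] = expand(_text(dep, "version") or managed.get(key, ""))
    return resolved
```

Any artifact that still comes back empty after this pass is one whose version lives in the parent POM (or a BOM it imports), which is exactly the gap an SBOM consumer needs to know about before trusting the version column.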