
Better support for transitive deps in Maven/Java (pom.xml)

Open oliverchang opened this issue 2 years ago • 13 comments

Currently pom.xml support does not support resolving the full dependency graph.

oliverchang avatar Dec 12 '22 03:12 oliverchang

I can't find any documentation on the Maven integration for the scanner. Can anyone point me to it? Or is current "Maven"-support limited to letting the command-line tool read pom.xml files and scan those? Hope there will be ecosystem-native tools as well, like OWASP's Dependency Check Maven-plugin.

brampat avatar Dec 14 '22 11:12 brampat

@oliverchang Can data from deps.dev be used to resolve transitive dependencies from direct dependencies identified from pom.xml? If so, no external tool/plugin will be required to get full list of dependencies.

abhisek avatar Dec 15 '22 06:12 abhisek

Could it have something to do with an effective pom?

https://maven.apache.org/plugins/maven-help-plugin/effective-pom-mojo.html

https://medium.com/@harun_ergul/what-is-effective-pom-5c278fe53031

h4sh5 avatar Jan 03 '23 04:01 h4sh5

mvn dependency:list might also help (found in https://github.com/opensbom-generator/spdx-sbom-generator/search?q=mvn)

h4sh5 avatar Jan 03 '23 04:01 h4sh5

Also there's a need to configure Maven profiles, as some projects build different artifacts based on the profile; see https://github.com/GoogleCloudDataproc/spark-bigquery-connector for example.

davidrabinowitz avatar Jan 04 '23 17:01 davidrabinowitz

Based on the suggestion by @h4sh5 above, my current work-around is to run something like this:

# write the resolved (effective) POM to a temporary file, then point the scanner at that file
mvn help:effective-pom -Doutput="${TMPDIR}/pom.xml"
osv-scanner --lockfile="${TMPDIR}/pom.xml"

Edit: I found this was not really capturing all the transitive dependencies I was interested in. See my follow-up comment below.

bestbeforetoday avatar Feb 28 '23 17:02 bestbeforetoday

Thanks for the suggestions all!

I think it may make sense to support a mode to use ecosystem-specific tooling (e.g. mvn) to achieve this, but we're hoping to avoid adding additional dependencies, and there are additional complexities around profiles/environments as pointed out by @davidrabinowitz.

We're also exploring approaches using deps.dev as well to resolve this natively without requiring external tooling. We'll keep this bug updated with any new info!

oliverchang avatar Mar 01 '23 01:03 oliverchang

I found that, since I really care about the dependencies (including transitive dependencies) that will be on the classpath at runtime, and required by any consuming packages, the approach that actually works for me is to generate a Software Bill of Materials (SBOM) and run OSV-Scanner against that SBOM instead of the POM file.

I currently have the CycloneDX Maven plugin configured in a profile within my POM file:

<profile>
  <id>sbom</id>
  <build>
    <plugins>
      <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <version>2.7.9</version>
        <configuration>
          <!-- keep only what ends up on the runtime classpath: compile + runtime,
               no provided/system/test scope -->
          <includeCompileScope>true</includeCompileScope>
          <includeProvidedScope>false</includeProvidedScope>
          <includeRuntimeScope>true</includeRuntimeScope>
          <includeSystemScope>false</includeSystemScope>
          <includeTestScope>false</includeTestScope>
        </configuration>
        <executions>
          <execution>
            <phase>package</phase>
            <goals>
              <!-- one aggregate BOM covering every module of the build -->
              <goal>makeAggregateBom</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>

I use this to generate the SBOM, then run OSV-Scanner against the SBOM:

# activate the sbom profile so the plugin runs during the package phase; tests are skipped to save time
mvn --activate-profiles sbom -DskipTests install
# scan the aggregate CycloneDX BOM instead of pom.xml
osv-scanner --sbom=target/bom.json

If anyone has a better solution, I would really like to hear it.

bestbeforetoday avatar Jun 20 '23 19:06 bestbeforetoday
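The two workarounds above (the `mvn dependency:list` suggestion and the CycloneDX SBOM route) can be combined without installing a Maven plugin: `dependency:list` already resolves the full graph, transitive dependencies included, for whatever profiles are active, and its output is simple enough to turn into a minimal CycloneDX JSON document that `osv-scanner --sbom` accepts. The script below is an added example written for this page; it is not osv-scanner's own code and not something the commenters posted. It assumes the `dependency:list` line format `groupId:artifactId:type[:classifier]:version:scope`, optionally followed by ` -- module ...` or `(optional)` annotations, and the sample input inside `sample_dependency_list` is constructed for the demo rather than captured from a real project.

```shell
#!/bin/sh
# Convert `mvn dependency:list` output into a minimal CycloneDX 1.4 SBOM
# (components with Maven purls) that `osv-scanner --sbom=<file>` can scan.
# Added example; not part of osv-scanner or of the thread's own code.
#
# Usage (both forms work; the [INFO] prefix from console output is stripped):
#   mvn -P <profile> dependency:list -DoutputFile=deps.txt
#   deps_to_cyclonedx < deps.txt > bom.json
#   mvn -P <profile> dependency:list | deps_to_cyclonedx > bom.json
#   osv-scanner --sbom=bom.json
#
# $1: comma-separated Maven scopes to keep (default: compile,runtime, i.e.
#     what is actually on the runtime classpath; test/provided are dropped).
deps_to_cyclonedx() {
  keep="${1:-compile,runtime}"
  sed 's/^\[INFO\] *//' | awk -v keep="$keep" '
    BEGIN {
      n = split(keep, ks, ",")
      for (i = 1; i <= n; i++) want[ks[i]] = 1
      printf "{\n  \"bomFormat\": \"CycloneDX\",\n  \"specVersion\": \"1.4\",\n  \"version\": 1,\n  \"components\": [\n"
    }
    {
      # $1 is the coordinate; trailing "-- module ..." / "(optional)" text is ignored.
      nf = split($1, f, ":")
      if (nf == 5)      { g = f[1]; a = f[2]; v = f[4]; s = f[5] }   # g:a:type:version:scope
      else if (nf == 6) { g = f[1]; a = f[2]; v = f[5]; s = f[6] }   # g:a:type:classifier:version:scope
      else next                                                      # header, blank and log lines
      if (!(s in want)) next              # scope filter
      if (seen[g ":" a ":" v]++) next     # same artifact listed by several modules
      if (count++) printf ",\n"
      printf "    {\"type\": \"library\", \"group\": \"%s\", \"name\": \"%s\", \"version\": \"%s\", \"purl\": \"pkg:maven/%s/%s@%s\"}", g, a, v, g, a, v
    }
    END { printf "\n  ]\n}\n" }
  '
}

# Constructed sample of a `dependency:list -DoutputFile` result (not real
# project output): a test-scoped dep, a duplicate, a classifier and a JPMS
# "-- module" annotation, so every branch of the parser is exercised.
sample_dependency_list() {
  cat <<'EOF'

The following files have been resolved:
   org.apache.commons:commons-lang3:jar:3.12.0:compile
   junit:junit:jar:4.13.2:test
   org.slf4j:slf4j-api:jar:1.7.36:compile -- module org.slf4j (auto)
   org.apache.commons:commons-lang3:jar:3.12.0:compile
   net.java.dev.jna:jna:jar:linux-x86-64:5.13.0:runtime
EOF
}

# `sh this-script.sh --demo` prints the BOM built from the sample above.
if [ "${1:-}" = "--demo" ]; then
  sample_dependency_list | deps_to_cyclonedx
fi
```

Because `dependency:list` runs through Maven's normal resolution, profile-specific dependencies are handled by passing the same `-P` / `-D` arguments you use for the real build, which is the gap the effective-POM approach left open. The scope filter matters for the same reason the CycloneDX profile above sets `includeTestScope` to false: a test-only library with a known vulnerability is noise for a runtime risk assessment, but you can pass `compile,runtime,test` when you want it counted.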

We are working on this now :) This is dependent on some other changes coming along the way to help us better parse and resolve pom.xml files. Stay tuned!

oliverchang avatar Sep 26 '23 06:09 oliverchang

Hi @oliverchang, are there any news re Maven support for transitive dependencies? Thanks in advance! :)

LironJit avatar Mar 10 '24 12:03 LironJit

Hi @LironJit, we are actively working on this! The changes to resolve Maven projects are on their way. :)

cuixq avatar Mar 11 '24 01:03 cuixq

@cuixq with https://github.com/google/deps.dev/tree/main/util/resolve/maven now being available, do we just need to integrate that into OSV-Scanner?

oliverchang avatar Apr 22 '24 23:04 oliverchang

@oliverchang yes, I think so - I just started working on this!

cuixq avatar Apr 26 '24 01:04 cuixq