I have a project for Ionic app, which has a number of dependencies in package.json.
When I check the project with the OWASP dependency-check CLI tool, it reports 19 vulnerabilities.
However, when I run the check with the OWASP dependency-check Maven plugin, it reports 0 vulnerabilities. For testing purposes I added a dependency with known vulnerabilities to pom.xml, and the plugin correctly detected the vulnerabilities in that dependency.
Is it expected behaviour for the dependency-check-maven plugin to check only the dependencies declared in pom.xml, or am I doing something wrong?
Details:
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Minimal Maven POM used to reproduce the dependency-check-maven behaviour
     described above. It declares one Java dependency and pins the plugin
     version; the Ionic/Node dependencies live in package.json, which this POM
     never references, so the plugin has nothing Node-related to look at. -->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.mycompany.app</groupId>
  <artifactId>my-app</artifactId>
  <version>1.0-SNAPSHOT</version>
  <name>my-app</name>
  <url>http://www.example.com</url>
  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.source>1.7</maven.compiler.source>
    <maven.compiler.target>1.7</maven.compiler.target>
  </properties>
  <dependencies>
    <!-- Deliberately outdated test fixture: this dependency has 2 known
         vulnerabilities and exists only to confirm that the plugin reports
         findings for artifacts declared in the POM. Remove it before any
         real build. -->
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-email</artifactId>
      <version>1.1</version>
    </dependency>
  </dependencies>
  <build>
    <!-- NOTE(review): pluginManagement only pins versions; nothing here binds
         dependency-check-maven to a build phase, so it appears to run only
         when its goal is invoked explicitly. The plugin also carries no
         <configuration>, so its scan set is whatever the defaults cover. -->
    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>5.2.4</version>
        </plugin>
        <plugin>
          <artifactId>maven-clean-plugin</artifactId>
          <version>3.1.0</version>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>
</project>
package.json
{
"name": "my-app",
"version": "0.0.1",
"author": "Ionic Framework",
"homepage": "http://ionicframework.com/",
"scripts": {
"ng": "ng",
"start": "ionic serve -l",
"mwlocal": "ionic serve -l --configuration=local",
"build": "ng build",
"build-prod": "ng build --prod",
"test": "ng test",
"test-headless": "ng test --watch=false --browsers=ChromeHeadless",
"lint": "tslint",
"e2e": "ng e2e"
},
"private": true,
"dependencies": {
"@angular/animations": "^7.2.12",
"@angular/common": "^7.2.12",
"@angular/core": "^7.2.12",
"@angular/forms": "^7.2.12",
"@angular/http": "^7.2.12",
"@angular/platform-browser": "^7.2.12",
"@angular/platform-browser-dynamic": "^7.2.12",
"@angular/router": "^7.2.12",
"@ionic-native/app-version": "^5.3.0",
"@ionic-native/barcode-scanner": "^5.3.0",
"@ionic-native/calendar": "^5.3.0",
"@ionic-native/core": "^5.3.0",
"@ionic-native/file": "^5.3.0",
"@ionic-native/file-opener": "^5.3.0",
"@ionic-native/in-app-browser": "^5.3.0",
"@ionic-native/keyboard": "^5.3.0",
"@ionic-native/native-storage": "^5.3.0",
"@ionic-native/push": "^5.3.0",
"@ionic-native/splash-screen": "^5.3.0",
"@ionic-native/status-bar": "^5.3.0",
"@ionic/angular": "4.2.0",
"@ngxs/store": "^3.4.3",
"cordova-android": "8.0.0",
"cordova-android-support-gradle-release": "^2.1.0",
"cordova-browser": "6.0.0",
"cordova-ios": "5.0.0",
"cordova-plugin-app-version": "^0.1.9",
"cordova-plugin-bindinglib": "0.9.17",
"cordova-plugin-calendar": "^5.1.4",
"cordova-plugin-device": "^2.0.2",
"cordova-plugin-file": "^6.0.1",
"cordova-plugin-file-opener2": "^2.2.0",
"cordova-plugin-inappbrowser": "3.1.1-dev-internal",
"cordova-plugin-ionic-keyboard": "^2.1.3",
"cordova-plugin-ionic-webview": "^4.0.1",
"cordova-plugin-nativestorage": "^2.3.2",
"cordova-plugin-splashscreen": "^5.0.2",
"cordova-plugin-statusbar": "^2.4.2",
"cordova-plugin-whitelist": "^1.3.3",
"cordova-support-google-services": "1.1.0",
"core-js": "^2.6.5",
"io-anyline-cordova": "13.0.0",
"lscache": "~1.3.0",
"moment": "~2.24.0",
"phonegap-plugin-barcodescanner": "^8.0.1",
"phonegap-plugin-multidex": "^1.0.0",
"phonegap-plugin-push": "2.2.3",
"rxjs": "^6.4.0",
"source-sans-pro": "2.20.2",
"zone.js": "^0.9.0"
},
"devDependencies": {
"@angular-devkit/architect": "^0.12.4",
"@angular-devkit/build-angular": "^0.12.4",
"@angular-devkit/core": "^7.3.8",
"@angular-devkit/schematics": "^7.3.8",
"@angular/cli": "^7.3.8",
"@angular/compiler": "^7.2.12",
"@angular/compiler-cli": "^7.2.12",
"@angular/language-service": "^7.2.12",
"@ionic/angular-toolkit": "^1.5.0",
"@ionic/app-scripts": "^3.2.3",
"@ionic/lab": "^1.0.24",
"@ionic/v4-migration-tslint": "~1.7.0",
"@ngxs/devtools-plugin": "^3.4.3",
"@ngxs/logger-plugin": "^3.4.3",
"@types/jasmine": "3.3.12",
"@types/jasminewd2": "2.0.6",
"@types/node": "^11.13.0",
"codelyzer": "^5.0.0",
"jasmine-core": "3.4.0",
"jasmine-spec-reporter": "~4.2.1",
"karma": "^4.0.1",
"karma-chrome-launcher": "~2.2.0",
"karma-coverage-istanbul-reporter": "^2.0.5",
"karma-jasmine": "^2.0.1",
"karma-jasmine-html-reporter": "^1.4.0",
"karma-junit-reporter": "^1.2.0",
"karma-sonarqube-unit-reporter": "0.0.18",
"node-sass": "^4.12.0",
"prettier": "^1.16.4",
"protractor": "~5.4.2",
"rxjs-tslint": "^0.1.7",
"ts-node": "^8.0.3",
"tslint": "^5.15.0",
"typescript": "~3.2.4"
},
"description": "An Ionic project",
"cordova": {
"plugins": {
"io-anyline-cordova": {},
"cordova-plugin-inappbrowser": {},
"cordova-plugin-whitelist": {},
"cordova-plugin-statusbar": {},
"cordova-plugin-device": {},
"cordova-plugin-splashscreen": {},
"cordova-plugin-ionic-webview": {
"ANDROID_SUPPORT_ANNOTATIONS_VERSION": "27.+"
},
"cordova-plugin-ionic-keyboard": {},
"cordova-plugin-file-opener2": {
"ANDROID_SUPPORT_V4_VERSION": "27.+"
},
"cordova-plugin-file": {},
"cordova-android-support-gradle-release": {
"ANDROID_SUPPORT_VERSION": "27.+"
},
"phonegap-plugin-barcodescanner": {
"ANDROID_SUPPORT_V4_VERSION": "27.+"
},
"cordova-plugin-app-version": {},
"cordova-plugin-calendar": {
"CALENDAR_USAGE_DESCRIPTION": " ",
"CONTACTS_USAGE_DESCRIPTION": " "
},
"cordova-plugin-nativestorage": {},
"phonegap-plugin-push": {
"ANDROID_SUPPORT_V13_VERSION": "27.+",
"FCM_VERSION": "17.5.0"
},
"cordova-plugin-bindinglib": {},
"cordova-plugin-add-swift-support": {},
"cordova-support-google-services": {}
},
"platforms": [
"ios",
"browser",
"android"
]
}
}
It turned out that dependency-check-maven version 5.2.4 requires package.json and package-lock.json to be explicitly included in the configured scanSet. This will probably change in future releases:
https://github.com/jeremylong/DependencyCheck/issues/2382
I ended up with the following:
<!-- dependency-check-maven 5.2.4 only analyses files that fall inside its
     scanSet. Maven-declared artifacts are picked up regardless, but the Node
     manifests have to be listed explicitly (see the linked issue #2382). -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>5.2.4</version>
  <configuration>
    <scanSet>
      <fileSet>
        <!-- ${project.basedir} resolves to the root of this module, so the
             snippet belongs in the module that owns package.json. -->
        <directory>${project.basedir}</directory>
        <includes>
          <!-- package.json carries the declared version ranges; the lock file
               carries the resolved versions, which is presumably what the
               matching relies on. Keep package-lock.json committed so the
               result is reproducible across machines. -->
          <include>package.json</include>
          <include>package-lock.json</include>
        </includes>
      </fileSet>
    </scanSet>
  </configuration>
</plugin>