diff --git a/ant/pom.xml b/ant/pom.xml index 07371c6893d..5a950aa40da 100644 --- a/ant/pom.xml +++ b/ant/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 12.2.3-SNAPSHOT + 13.0.0-SNAPSHOT dependency-check-ant diff --git a/archetype/pom.xml b/archetype/pom.xml index 72dd231e485..32c4b1c069c 100644 --- a/archetype/pom.xml +++ b/archetype/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 12.2.3-SNAPSHOT + 13.0.0-SNAPSHOT dependency-check-plugin Dependency-Check Plugin Archetype diff --git a/cli/pom.xml b/cli/pom.xml index 989467f1335..5e76c11f12a 100644 --- a/cli/pom.xml +++ b/cli/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 12.2.3-SNAPSHOT + 13.0.0-SNAPSHOT dependency-check-cli diff --git a/core/pom.xml b/core/pom.xml index 669ff551f54..dac4114f452 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 12.2.3-SNAPSHOT + 13.0.0-SNAPSHOT dependency-check-core diff --git a/maven/pom.xml b/maven/pom.xml index 8241aed128d..375f0708272 100644 --- a/maven/pom.xml +++ b/maven/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 12.2.3-SNAPSHOT + 13.0.0-SNAPSHOT dependency-check-maven maven-plugin @@ -28,7 +28,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. dependency-check-maven is a Maven Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries. 2013 - 3.6.3 + 3.8.1 3.15.2 ${java.home} 
@@ -94,11 +94,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. maven-dependency-tree 3.3.0 - - org.apache.maven.shared - maven-artifact-transfer - 0.13.1 - org.apache.maven.shared maven-common-artifact-filters @@ -245,10 +240,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.apache.maven.shared maven-dependency-tree - - org.apache.maven.shared - maven-artifact-transfer - org.apache.maven.shared maven-common-artifact-filters diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java index f45828eb5fd..9e5ecb992df 100644 --- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java +++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java @@ -21,6 +21,7 @@ import com.github.packageurl.PackageURL; import com.github.packageurl.PackageURL.StandardTypes; import org.apache.commons.lang3.StringUtils; +import org.apache.maven.RepositoryUtils; import org.apache.maven.artifact.Artifact; import org.apache.maven.artifact.DefaultArtifact; import org.apache.maven.artifact.handler.DefaultArtifactHandler; 
@@ -60,15 +61,16 @@ import org.apache.maven.shared.dependency.graph.traversal.FilteringDependencyNodeVisitor; import org.apache.maven.shared.model.fileset.FileSet; import org.apache.maven.shared.model.fileset.util.FileSetManager; -import org.apache.maven.shared.transfer.artifact.DefaultArtifactCoordinate; -import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolver; -import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolverException; -import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResult; -import org.apache.maven.shared.transfer.dependencies.DefaultDependableCoordinate; -import org.apache.maven.shared.transfer.dependencies.DependableCoordinate; -import org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolver; -import org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolverException; +import org.eclipse.aether.RepositorySystem; import org.eclipse.aether.artifact.ArtifactType; +import org.eclipse.aether.artifact.ArtifactTypeRegistry; +import org.eclipse.aether.collection.CollectRequest; +import org.eclipse.aether.repository.RemoteRepository; +import org.eclipse.aether.resolution.ArtifactRequest; +import org.eclipse.aether.resolution.ArtifactResolutionException; +import org.eclipse.aether.resolution.DependencyRequest; +import org.eclipse.aether.resolution.DependencyResolutionException; +import org.eclipse.aether.resolution.DependencyResult; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.agent.DependencyCheckScanAgent; import org.owasp.dependencycheck.analyzer.JarAnalyzer; 
@@ -179,23 +181,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma @Parameter(readonly = true, required = true, property = "reactorProjects") private List reactorProjects; /** - * The entry point towards a Maven version independent way of resolving - * artifacts (handles both Maven 3.0 Sonatype and Maven 3.1+ eclipse Aether - * implementations). + * The Maven Resolver (Eclipse Aether) repository system used for both + * single-artifact resolution and transitive dependency resolution. */ @SuppressWarnings("CanBeFinal") @Component - private ArtifactResolver artifactResolver; - /** - * The entry point towards a Maven version independent way of resolving - * dependencies (handles both Maven 3.0 Sonatype and Maven 3.1+ eclipse - * Aether implementations). Contrary to the ArtifactResolver this resolver - * also takes into account the additional repositories defined in the - * dependency-path towards transitive dependencies. - */ - @SuppressWarnings("CanBeFinal") - @Component - private DependencyResolver dependencyResolver; + private RepositorySystem repoSystem; /** * The Maven Session. @@ -1421,7 +1412,7 @@ protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine, //collect dependencies with the filter - see comment above. final Map> nodes = collectorVisitor.getNodes(); - return collectDependencies(engine, project, nodes, buildingRequest, aggregate); + return collectDependencies(engine, project, nodes, aggregate); } catch (DependencyGraphBuilderException ex) { final String msg = String.format("Unable to build dependency graph on project %s", project.getName()); getLog().debug(msg, ex); 
@@ -1451,27 +1442,24 @@ protected ExceptionCollection scanPlugins(MavenProject project, Engine engine, E plugins.addAll(reportPlugins); plugins.addAll(extensions); - final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest(project, project.getPluginArtifactRepositories()); + final List pluginRepos = project.getRemotePluginRepositories(); for (Artifact plugin : plugins) { try { - final Artifact resolved = artifactResolver.resolveArtifact(buildingRequest, plugin).getArtifact(); + final org.eclipse.aether.artifact.Artifact aetherPlugin = RepositoryUtils.toArtifact(plugin); + final org.eclipse.aether.resolution.ArtifactResult pluginResult = repoSystem.resolveArtifact( + session.getRepositorySession(), new ArtifactRequest(aetherPlugin, pluginRepos, null)); + final Artifact resolved = RepositoryUtils.toArtifact(pluginResult.getArtifact()); exCol = addPluginToDependencies(project, engine, resolved, "pom.xml (plugins)", exCol); - final DefaultDependableCoordinate pluginCoordinate = new DefaultDependableCoordinate(); - pluginCoordinate.setGroupId(resolved.getGroupId()); - pluginCoordinate.setArtifactId(resolved.getArtifactId()); - pluginCoordinate.setVersion(resolved.getVersion()); + final org.eclipse.aether.artifact.Artifact pluginRoot = new org.eclipse.aether.artifact.DefaultArtifact( + resolved.getGroupId(), resolved.getArtifactId(), null, "jar", resolved.getVersion()); final String parent = buildReference(resolved.getGroupId(), resolved.getArtifactId(), resolved.getVersion()); - for (Artifact artifact : resolveArtifactDependencies(pluginCoordinate, project)) { + for (Artifact artifact : resolveArtifactDependencies(pluginRoot, project)) { exCol = addPluginToDependencies(project, engine, artifact, parent, exCol); } - } catch (ArtifactResolverException ex) { - throw new RuntimeException(ex); - } catch (IllegalArgumentException ex) { - throw new RuntimeException(ex); - } catch (DependencyResolverException ex) { + } catch 
(ArtifactResolutionException | DependencyResolutionException | IllegalArgumentException ex) { throw new RuntimeException(ex); } } @@ -1552,16 +1540,20 @@ private String buildReference(final String groupId, final String artifactId, fin return includedBy; } - protected Set resolveArtifactDependencies(final DependableCoordinate artifact, MavenProject project) - throws DependencyResolverException { - final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest(project, project.getRemoteArtifactRepositories()); + protected Set resolveArtifactDependencies(final org.eclipse.aether.artifact.Artifact rootArtifact, MavenProject project) + throws DependencyResolutionException { + final CollectRequest collectRequest = new CollectRequest(); + collectRequest.setRoot(new org.eclipse.aether.graph.Dependency(rootArtifact, null)); + collectRequest.setRepositories(project.getRemoteProjectRepositories()); - final Iterable artifactResults = dependencyResolver.resolveDependencies(buildingRequest, artifact, null); + final DependencyResult dependencyResult = repoSystem.resolveDependencies( + session.getRepositorySession(), new DependencyRequest(collectRequest, null)); final Set artifacts = new HashSet<>(); - - for (ArtifactResult artifactResult : artifactResults) { - artifacts.add(artifactResult.getArtifact()); + for (org.eclipse.aether.resolution.ArtifactResult artifactResult : dependencyResult.getArtifactResults()) { + if (artifactResult.getArtifact() != null) { + artifacts.add(RepositoryUtils.toArtifact(artifactResult.getArtifact())); + } } return artifacts; 
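Review bot: `pluginRoot` re-creates the plugin that was just resolved with a hard-coded `"jar"` extension and no classifier, although `pluginResult.getArtifact()` already carries the resolved coordinates including the real extension; `final org.eclipse.aether.artifact.Artifact pluginRoot = pluginResult.getArtifact();` would replace the three-line reconstruction. The previous DefaultDependableCoordinate also defaulted to jar, so this is presumably a style point rather than a regression. The new multi-catch still wraps every failure in a bare `RuntimeException`, which loses which plugin failed; `throw new RuntimeException("Unable to resolve plugin " + plugin, ex);` would keep that in the message. scanPlugins begins before this hunk.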
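Review bot: `collectRequest.setRepositories(project.getRemoteProjectRepositories())` resolves the transitive dependencies of a plugin against the project's artifact repositories, while the only caller visible here, scanPlugins, has just resolved the plugin itself from `project.getRemotePluginRepositories()`; the old code had the same mismatch, so it is inherited rather than introduced, but a plugin dependency hosted only in a plugin repository would fail on this path. An overload taking the repository list lets scanPlugins call `resolveArtifactDependencies(pluginRoot, pluginRepos)` without changing the existing protected signature. The null guard on `artifactResult.getArtifact()` also differs from the `isResolved() && getArtifact() != null` check in addResolvedArtifacts added later in this commit; routing both through that helper would keep the two conversions consistent.
```java
protected Set<Artifact> resolveArtifactDependencies(final org.eclipse.aether.artifact.Artifact rootArtifact, MavenProject project)
        throws DependencyResolutionException {
    return resolveArtifactDependencies(rootArtifact, project.getRemoteProjectRepositories());
}

/**
 * Resolves the transitive dependencies of {@code rootArtifact} against the given repositories.
 *
 * @param rootArtifact the artifact whose dependencies are collected
 * @param repositories the remote repositories to resolve against
 * @return the resolved dependency artifacts
 * @throws DependencyResolutionException if collection or resolution fails
 */
protected Set<Artifact> resolveArtifactDependencies(final org.eclipse.aether.artifact.Artifact rootArtifact,
        final List<RemoteRepository> repositories) throws DependencyResolutionException {
    final CollectRequest collectRequest = new CollectRequest();
    collectRequest.setRoot(new org.eclipse.aether.graph.Dependency(rootArtifact, null));
    collectRequest.setRepositories(repositories);
    // … unchanged: resolveDependencies call and artifact conversion loop …
}
```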
@@ -1572,29 +1564,26 @@ protected Set resolveArtifactDependencies(final DependableCoordinate a * Converts the dependency to a dependency node object. * * @param nodes the list of dependency nodes - * @param buildingRequest the Maven project building request + * @param project the Maven project the dependency belongs to (used for remote repositories) * @param parent the parent node * @param dependency the dependency to convert * @return the resulting dependency node - * @throws ArtifactResolverException thrown if the artifact could not be + * @throws ArtifactResolutionException thrown if the artifact could not be * retrieved */ - private DependencyNode toDependencyNode(List nodes, ProjectBuildingRequest buildingRequest, - DependencyNode parent, org.apache.maven.model.Dependency dependency) throws ArtifactResolverException { - - final DefaultArtifactCoordinate coordinate = new DefaultArtifactCoordinate(); + private DependencyNode toDependencyNode(List nodes, MavenProject project, + DependencyNode parent, org.apache.maven.model.Dependency dependency) throws ArtifactResolutionException { - coordinate.setGroupId(dependency.getGroupId()); - coordinate.setArtifactId(dependency.getArtifactId()); String version = null; final VersionRange vr; try { vr = VersionRange.createFromVersionSpec(dependency.getVersion()); } catch (InvalidVersionSpecificationException ex) { - throw new ArtifactResolverException("Invalid version specification: " - + dependency.getGroupId() + ":" - + dependency.getArtifactId() + ":" - + dependency.getVersion(), ex); + throw new ArtifactResolutionException(Collections.emptyList(), + "Invalid version specification: " + + dependency.getGroupId() + ":" + + dependency.getArtifactId() + ":" + + dependency.getVersion(), ex); } if (vr.hasRestrictions()) { version = findVersion(nodes, dependency.getGroupId(), dependency.getArtifactId()); 
@@ -1620,13 +1609,17 @@ private DependencyNode toDependencyNode(List nodes, ProjectBuild if (version == null) { version = dependency.getVersion(); } - coordinate.setVersion(version); final ArtifactType type = session.getRepositorySession().getArtifactTypeRegistry().get(dependency.getType()); - coordinate.setExtension(type.getExtension()); - coordinate.setClassifier((null == dependency.getClassifier() || dependency.getClassifier().isEmpty()) - ? type.getClassifier() : dependency.getClassifier()); - final Artifact artifact = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact(); + final String classifier = (null == dependency.getClassifier() || dependency.getClassifier().isEmpty()) + ? type.getClassifier() : dependency.getClassifier(); + final org.eclipse.aether.artifact.Artifact aetherArtifact = new org.eclipse.aether.artifact.DefaultArtifact( + dependency.getGroupId(), dependency.getArtifactId(), classifier, type.getExtension(), version); + + final ArtifactRequest request = new ArtifactRequest(aetherArtifact, project.getRemoteProjectRepositories(), null); + final org.eclipse.aether.resolution.ArtifactResult result = repoSystem.resolveArtifact( + session.getRepositorySession(), request); + final Artifact artifact = RepositoryUtils.toArtifact(result.getArtifact()); artifact.setScope(dependency.getScope()); return new DefaultDependencyNode(parent, artifact, dependency.getVersion(), dependency.getScope(), null); } 
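Review bot: `type.getExtension()` and `type.getClassifier()` dereference the registry lookup without a null check; as far as I know `ArtifactTypeRegistry.get` returns null for a type that is not registered, so an unusual `<type>` in dependencyManagement would surface as a NullPointerException instead of the `ArtifactResolutionException` the caller catches. A guard such as `if (type == null) { throw new ArtifactResolutionException(Collections.emptyList(), "Unknown artifact type '" + dependency.getType() + "' for " + dependency.getGroupId() + ":" + dependency.getArtifactId()); }` placed right after the lookup keeps the failure on the handled path. The dereference predates this change, so it is an omission the commit does not address rather than a regression. toDependencyNode's signature and the version-range handling are in the preceding hunk.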
@@ -1655,14 +1648,13 @@ private String findVersion(List nodes, String groupId, String ar * Collect dependencies from the dependency management section. * * @param engine reference to the ODC engine - * @param buildingRequest the Maven project building request * @param project the project being analyzed * @param nodes the list of dependency nodes * @param aggregate whether or not this is an aggregate analysis * @return a collection of exceptions if any occurred; otherwise * null */ - private ExceptionCollection collectDependencyManagementDependencies(Engine engine, ProjectBuildingRequest buildingRequest, + private ExceptionCollection collectDependencyManagementDependencies(Engine engine, MavenProject project, List nodes, boolean aggregate) { if (skipDependencyManagement || project.getDependencyManagement() == null) { return null; @@ -1671,8 +1663,8 @@ private ExceptionCollection collectDependencyManagementDependencies(Engine engin ExceptionCollection exCol = null; for (org.apache.maven.model.Dependency dependency : project.getDependencyManagement().getDependencies()) { try { - nodes.add(toDependencyNode(nodes, buildingRequest, null, dependency)); - } catch (ArtifactResolverException ex) { + nodes.add(toDependencyNode(nodes, project, null, dependency)); + } catch (ArtifactResolutionException ex) { getLog().debug(String.format("Aggregate : %s", aggregate)); boolean addException = true; //CSOFF: EmptyBlock 
@@ -1704,29 +1696,28 @@ private ExceptionCollection collectDependencyManagementDependencies(Engine engin * @param project the project being scanned * @param nodeMap the map of dependency nodes, generally obtained via the * DependencyGraphBuilder using the CollectingRootDependencyGraphVisitor - * @param buildingRequest the Maven project building request * @param aggregate whether the scan is part of an aggregate build * @return a collection of exceptions that may have occurred while resolving * and scanning the dependencies */ //CSOFF: OperatorWrap private ExceptionCollection collectMavenDependencies(Engine engine, MavenProject project, - Map> nodeMap, ProjectBuildingRequest buildingRequest, boolean aggregate) { + Map> nodeMap, boolean aggregate) { - final List allResolvedDeps = new ArrayList<>(); + final List allResolvedDeps = new ArrayList<>(); //dependency management final List dmNodes = new ArrayList<>(); - ExceptionCollection exCol = collectDependencyManagementDependencies(engine, buildingRequest, project, dmNodes, aggregate); + ExceptionCollection exCol = collectDependencyManagementDependencies(engine, project, dmNodes, aggregate); for (DependencyNode dependencyNode : dmNodes) { - exCol = scanDependencyNode(dependencyNode, null, engine, project, allResolvedDeps, buildingRequest, aggregate, exCol); + exCol = scanDependencyNode(dependencyNode, null, engine, project, allResolvedDeps, aggregate, exCol); } //dependencies for (Map.Entry> entry : nodeMap.entrySet()) { - exCol = scanDependencyNode(entry.getKey(), null, engine, project, allResolvedDeps, buildingRequest, aggregate, exCol); + exCol = scanDependencyNode(entry.getKey(), null, engine, project, allResolvedDeps, aggregate, exCol); for (DependencyNode dependencyNode : entry.getValue()) { - exCol = scanDependencyNode(dependencyNode, entry.getKey(), engine, project, allResolvedDeps, buildingRequest, aggregate, exCol); + exCol = scanDependencyNode(dependencyNode, entry.getKey(), engine, project, allResolvedDeps, 
aggregate, exCol); } } return exCol; @@ -1736,21 +1727,20 @@ private ExceptionCollection collectMavenDependencies(Engine engine, MavenProject /** * Utility method for a work-around to MSHARED-998 * - * @param allDeps The List of ArtifactResults for all dependencies - * @param unresolvedArtifact The ArtifactCoordinate of the artifact we're - * looking for + * @param allDeps The List of resolved artifacts for all dependencies + * @param unresolvedArtifact The artifact we're looking for * @param project The project in whose context resolution was attempted * @return the resolved artifact matching with {@code unresolvedArtifact} * @throws DependencyNotFoundException If {@code unresolvedArtifact} could * not be found within {@code allDeps} */ - private Artifact findInAllDeps(final List allDeps, final Artifact unresolvedArtifact, + private Artifact findInAllDeps(final List allDeps, final Artifact unresolvedArtifact, final MavenProject project) throws DependencyNotFoundException { Artifact result = null; - for (final ArtifactResult res : allDeps) { + for (final Artifact res : allDeps) { if (sameArtifact(res, unresolvedArtifact)) { - result = res.getArtifact(); + result = res; break; } } 
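Review bot: The Javadoc on findInAllDeps still describes it as a work-around for MSHARED-998, which concerns the maven-artifact-transfer DependencyResolver that this commit removes together with Mshared998Util; the method now serves as the lookup into the partial results harvested by tryResolutionOnce. A first sentence such as `Looks up the resolved counterpart of an unresolved dependency-graph artifact in the results collected by tryResolutionOnce.` would describe its current role. The same stale reference remains on sameArtifact in the next hunk.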
@@ -1764,26 +1754,26 @@ private Artifact findInAllDeps(final List allDeps, final Artifac /** * Utility method for a work-around to MSHARED-998 * - * @param res A single ArtifactResult obtained from the DependencyResolver + * @param res A single resolved Artifact * @param unresolvedArtifact The unresolved Artifact from the * dependencyGraph that we try to find * @return {@code true} when unresolvedArtifact is non-null and matches with - * the artifact of res + * res */ - private boolean sameArtifact(final ArtifactResult res, final Artifact unresolvedArtifact) { - if (res == null || res.getArtifact() == null || unresolvedArtifact == null) { + private boolean sameArtifact(final Artifact res, final Artifact unresolvedArtifact) { + if (res == null || unresolvedArtifact == null) { return false; } - boolean result = Objects.equals(res.getArtifact().getGroupId(), unresolvedArtifact.getGroupId()); - result &= Objects.equals(res.getArtifact().getArtifactId(), unresolvedArtifact.getArtifactId()); + boolean result = Objects.equals(res.getGroupId(), unresolvedArtifact.getGroupId()); + result &= Objects.equals(res.getArtifactId(), unresolvedArtifact.getArtifactId()); // accept any version as matching "LATEST" and any non-snapshot version as matching "RELEASE" meta-version if ("RELEASE".equals(unresolvedArtifact.getBaseVersion())) { - result &= !res.getArtifact().isSnapshot(); + result &= !res.isSnapshot(); } else if (!"LATEST".equals(unresolvedArtifact.getBaseVersion())) { - result &= Objects.equals(res.getArtifact().getBaseVersion(), unresolvedArtifact.getBaseVersion()); + result &= Objects.equals(res.getBaseVersion(), unresolvedArtifact.getBaseVersion()); } - result &= Objects.equals(res.getArtifact().getClassifier(), unresolvedArtifact.getClassifier()); - result &= Objects.equals(res.getArtifact().getType(), unresolvedArtifact.getType()); + result &= Objects.equals(res.getClassifier(), unresolvedArtifact.getClassifier()); + result &= Objects.equals(res.getType(), 
unresolvedArtifact.getType()); return result; } @@ -1808,16 +1798,15 @@ protected String createProjectReferenceName(MavenProject project, DependencyNode * @param project the project being scanned * @param nodes the list of dependency nodes, generally obtained via the * DependencyGraphBuilder - * @param buildingRequest the Maven project building request * @param aggregate whether the scan is part of an aggregate build * @return a collection of exceptions that may have occurred while resolving * and scanning the dependencies */ private ExceptionCollection collectDependencies(Engine engine, MavenProject project, - Map> nodes, ProjectBuildingRequest buildingRequest, boolean aggregate) { + Map> nodes, boolean aggregate) { ExceptionCollection exCol; - exCol = collectMavenDependencies(engine, project, nodes, buildingRequest, aggregate); + exCol = collectMavenDependencies(engine, project, nodes, aggregate); final List projectScan; @@ -2987,8 +2976,8 @@ protected void showSummary(MavenProject mp, Dependency[] dependencies) { // //CSOFF: ParameterNumber private ExceptionCollection scanDependencyNode(DependencyNode dependencyNode, DependencyNode root, - Engine engine, MavenProject project, List allResolvedDeps, - ProjectBuildingRequest buildingRequest, boolean aggregate, ExceptionCollection exceptionCollection) { + Engine engine, MavenProject project, List allResolvedDeps, + boolean aggregate, ExceptionCollection exceptionCollection) { ExceptionCollection exCol = exceptionCollection; if (artifactScopeExcluded.passes(dependencyNode.getArtifact().getScope()) || artifactTypeExcluded.passes(dependencyNode.getArtifact().getType())) { 
@@ -3028,7 +3017,7 @@ private ExceptionCollection scanDependencyNode(DependencyNode dependencyNode, De // Issue #4969 Tycho appears to add System-scoped libraries in reactor projects in unresolved state // so attempt to do a resolution for system-scoped too if still nothing found try { - tryResolutionOnce(project, allResolvedDeps, buildingRequest); + tryResolutionOnce(project, allResolvedDeps); final Artifact result = findInAllDeps(allResolvedDeps, dependencyNode.getArtifact(), project); isResolved = result.isResolved(); artifactFile = result.getFile(); @@ -3036,7 +3025,7 @@ private ExceptionCollection scanDependencyNode(DependencyNode dependencyNode, De artifactId = result.getArtifactId(); version = result.getVersion(); availableVersions = result.getAvailableVersions(); - } catch (DependencyNotFoundException | DependencyResolverException e) { + } catch (DependencyNotFoundException e) { getLog().warn("Error performing last-resort System-scoped dependency resolution: " + e.getMessage()); ignored = e; } @@ -3069,9 +3058,9 @@ private ExceptionCollection scanDependencyNode(DependencyNode dependencyNode, De result = dependencyArtifact; } else { try { - tryResolutionOnce(project, allResolvedDeps, buildingRequest); + tryResolutionOnce(project, allResolvedDeps); result = findInAllDeps(allResolvedDeps, dependencyNode.getArtifact(), project); - } catch (DependencyNotFoundException | DependencyResolverException ex) { + } catch (DependencyNotFoundException ex) { getLog().debug(String.format("Aggregate : %s", aggregate)); boolean addException = true; //CSOFF: EmptyBlock @@ -3133,43 +3122,56 @@ && addSnapshotReactorDependency(engine, dependencyNode.getArtifact(), project)) /** * Try resolution of artifacts once, allowing for - * DependencyResolutionException due to reactor-dependencies not being - * resolvable. + * {@link DependencyResolutionException} due to reactor-dependencies not + * being resolvable. *
* The resolution is attempted only if allResolvedDeps is still empty. The * assumption is that for any given project at least one of the dependencies * will successfully resolve. If not, resolution will be attempted once for * every dependency (as allResolvedDeps remains empty). + *

+ * Any partial results carried by the {@link DependencyResolutionException} + * are extracted and added to {@code allResolvedDeps}; the exception itself + * is swallowed so the caller can fall back to per-artifact handling. * - * @param project The project to dependencies for + * @param project The project whose dependencies are to be resolved * @param allResolvedDeps The collection of successfully resolved * dependencies, will be filled with the successfully resolved dependencies, - * even in case of resolution failures. - * @param buildingRequest The buildingRequest to hand to Maven's - * DependencyResolver. - * @throws DependencyResolverException For any DependencyResolverException - * other than an Eclipse Aether DependencyResolutionException + * even in case of partial-failure resolution. */ - private void tryResolutionOnce(MavenProject project, List allResolvedDeps, ProjectBuildingRequest buildingRequest) throws DependencyResolverException { + private void tryResolutionOnce(MavenProject project, List allResolvedDeps) { if (allResolvedDeps.isEmpty()) { // no (partially successful) resolution attempt done + final ArtifactTypeRegistry typeRegistry = session.getRepositorySession().getArtifactTypeRegistry(); + final CollectRequest collectRequest = new CollectRequest(); + for (org.apache.maven.model.Dependency dep : project.getDependencies()) { + collectRequest.addDependency(RepositoryUtils.toDependency(dep, typeRegistry)); + } + if (project.getDependencyManagement() != null) { + for (org.apache.maven.model.Dependency dep : project.getDependencyManagement().getDependencies()) { + collectRequest.addManagedDependency(RepositoryUtils.toDependency(dep, typeRegistry)); + } + } + collectRequest.setRepositories(project.getRemoteProjectRepositories()); try { - final List dependencies = project.getDependencies(); - final List managedDependencies = project - .getDependencyManagement() == null ? 
null : project.getDependencyManagement().getDependencies(); - final Iterable allDeps = dependencyResolver - .resolveDependencies(buildingRequest, dependencies, managedDependencies, null); - allDeps.forEach(allResolvedDeps::add); - } catch (DependencyResolverException dre) { - if (dre.getCause() instanceof org.eclipse.aether.resolution.DependencyResolutionException) { - final List successResults = Mshared998Util - .getResolutionResults((org.eclipse.aether.resolution.DependencyResolutionException) dre.getCause()); - allResolvedDeps.addAll(successResults); - } else { - throw dre; + final DependencyResult dependencyResult = repoSystem.resolveDependencies( + session.getRepositorySession(), new DependencyRequest(collectRequest, null)); + addResolvedArtifacts(dependencyResult.getArtifactResults(), allResolvedDeps); + } catch (DependencyResolutionException dre) { + if (dre.getResult() != null) { + addResolvedArtifacts(dre.getResult().getArtifactResults(), allResolvedDeps); } } } } + + private void addResolvedArtifacts(List results, + List allResolvedDeps) { + for (org.eclipse.aether.resolution.ArtifactResult ar : results) { + if (ar.isResolved() && ar.getArtifact() != null) { + allResolvedDeps.add(RepositoryUtils.toArtifact(ar.getArtifact())); + } + } + } //CSON: ParameterNumber //CSOFF: ParameterNumber diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/Mshared998Util.java b/maven/src/main/java/org/owasp/dependencycheck/maven/Mshared998Util.java deleted file mode 100644 index 7e8a5795dd4..00000000000 --- a/maven/src/main/java/org/owasp/dependencycheck/maven/Mshared998Util.java +++ /dev/null 
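Review bot: The new catch of `DependencyResolutionException` swallows the failure without any trace: when `dre.getResult()` is null or carries no resolved artifacts, `allResolvedDeps` stays empty and the next call repeats the full resolution, exactly as the Javadoc warns, with nothing in the log to explain it. Adding `getLog().debug(String.format("Dependency resolution for %s failed, using partial results", project.getName()), dre);` at the top of the catch block would make the fallback visible at debug level. addResolvedArtifacts has no Javadoc although every other method in this file carries one; it should state that only results with `isResolved()` and a non-null artifact are converted and appended to `allResolvedDeps`. It is also placed between tryResolutionOnce and the `//CSON: ParameterNumber` marker, so it sits inside a Checkstyle suppression it does not need.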
@@ -1,84 +0,0 @@ -/* - * This file is part of dependency-check-maven. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2021 Jeremy Long. All Rights Reserved. - */ -package org.owasp.dependencycheck.maven; - -import org.apache.maven.RepositoryUtils; -import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResult; -import org.eclipse.aether.resolution.DependencyResolutionException; -import org.eclipse.aether.resolution.DependencyResult; - -import java.util.ArrayList; -import java.util.List; - -public final class Mshared998Util { - - /** - * Empty constructor to prevent instantiation of utility-class. - */ - private Mshared998Util() { - } - - /** - * Get the list of ArtifactResults from a resolution that ran into an exception. - * - * @param adre - * The DependencyResolutionException that might have embedded resolution results - * - * @return The list of ArtifactResults created from the dependencyResult of the exception. 
- */ - public static List getResolutionResults(DependencyResolutionException adre) { - final DependencyResult dependencyResult = adre.getResult(); - final List results = new ArrayList<>(); - if (dependencyResult != null) { - for (org.eclipse.aether.resolution.ArtifactResult artifactResult : dependencyResult.getArtifactResults()) { - results.add(new M31ArtifactResult(artifactResult)); - } - } - return results; - } - - /** - * Our own implementation of ArtifactResult because MShared library does not expose the - * transformation from eclipse aether ArtifactResult to maven-shared ArtifactResult. - * So we cannot reuse Maven's own implementation in - * org.apache.maven.shared.transfer.artifact.resolve.internal - * This class is a copy of it, but then hard-bound to eclipse aether implementation - * as DependencyCheck is already not compatible with maven 3.0 - */ - static class M31ArtifactResult implements ArtifactResult { - - /** - * The ArtifactResult of the Maven 3.1+ artifact resolution - * implementation library (Eclipse Aether) that is wrapped by this instance - */ - private final org.eclipse.aether.resolution.ArtifactResult artifactResult; - - /** - * @param artifactResult - * {@link ArtifactResult} - */ - M31ArtifactResult(org.eclipse.aether.resolution.ArtifactResult artifactResult) { - this.artifactResult = artifactResult; - } - - @Override - public org.apache.maven.artifact.Artifact getArtifact() { - return RepositoryUtils.toArtifact(artifactResult.getArtifact()); - } - } -} diff --git a/maven/src/site/markdown/index.md.vm b/maven/src/site/markdown/index.md.vm index 2284ba43e98..19a3200d888 100644 --- a/maven/src/site/markdown/index.md.vm +++ b/maven/src/site/markdown/index.md.vm 
@@ -1,7 +1,7 @@ Usage ====================== Dependency-check-maven is very simple to utilize and can be used as a stand-alone -plug-in or as part of the site plug-in. The plug-in requires Maven 3.6.3 or higher. +plug-in or as part of the site plug-in. The plug-in requires Maven 3.8.1 or higher. It is important to understand that the first time this task is executed it may take 20 minutes or more as it downloads and processes the data from the National diff --git a/pom.xml b/pom.xml index ac653f543a5..656f0da8d83 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 12.2.3-SNAPSHOT + 13.0.0-SNAPSHOT pom diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md index f240dc4f19a..2e723419055 100644 --- a/src/site/markdown/index.md +++ b/src/site/markdown/index.md @@ -31,7 +31,7 @@ OWASP dependency-check's core analysis engine can be used as: - [Command Line Tool](dependency-check-cli/index.html) - [Gradle Plugin](dependency-check-gradle/index.html) - [Jenkins Plugin](dependency-check-jenkins/index.html) -- [Maven Plugin](dependency-check-maven/index.html) - Maven 3.6.3 or newer required +- [Maven Plugin](dependency-check-maven/index.html) - Maven 3.8.1 or newer required Unofficial (Not endorsed by OWASP) - [SBT Plugin](https://github.com/nMoncho/sbt-dependency-check) diff --git a/utils/pom.xml b/utils/pom.xml index f6bbb02ad57..81fcc2774c2 100644 --- a/utils/pom.xml +++ b/utils/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 12.2.3-SNAPSHOT + 13.0.0-SNAPSHOT dependency-check-utils