i'm使用OWASP依赖项的Maven插件在多模块项目中检查。
当前,依赖项检查提供的XML报告仅包含以下信息,其中不包括我们为扫描进行的"组件"版本。
是否有任何方法可以将其包括在我们生成的报告中。(在这种情况下,它将是parent.version)
<projectInfo>
<name>Component</name>
<reportDate>2017-02-17T15:57:38.041+0530</reportDate>
<credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo>
在此处添加pom.xml文件
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<parent>
<groupId>org.comp.carb</groupId>
<artifactId>carb-parent</artifactId>
<version>4.4.12</version>
<relativePath>../parent/pom.xml</relativePath>
</parent>
<modelVersion>4.0.0</modelVersion>
<artifactId>carb-kernel</artifactId>
<packaging>pom</packaging>
<name>comp carb - Parent Maven Project</name>
<description>carb-parent</description>
<url>http://comp.org</url>
<licenses>
<license>
<name>Apache License Version 2.0</name>
<url>http://www.apache.org/licenses/LICENSE-2.0</url>
</license>
</licenses>
<organization>
<name>comp Inc</name>
<url>http://comp.com</url>
</organization>
<issueManagement>
<system>JIRA</system>
<url>https://comp.org/jira/browse/carb</url>
</issueManagement>
<mailingLists>
<mailingList>
<name>comp carb Developers' List</name>
<post>mailto:carb-dev@comp.org</post>
<archive>http://www.comp.org/mailarchive/carb-dev/</archive>
<subscribe>mailto:carb-dev-request@comp.org?subject=subscribe</subscribe>
<unsubscribe>mailto:carb-dev-request@comp.org?subject=unsubscribe</unsubscribe>
</mailingList>
<mailingList>
<name>comp Architecture List</name>
<post>mailto:architecture@comp.org</post>
<archive>http://comp.org/mailarchive/architecture/</archive>
<subscribe>mailto:architecture-request@comp.org?subject=subscribe</subscribe>
<unsubscribe>mailto:architecture-request@comp.org?subject=unsubscribe</unsubscribe>
</mailingList>
</mailingLists>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.felix</groupId>
<artifactId>maven-scr-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>1.4.4.1</version>
<executions>
<execution>
<phase>test</phase>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
<configuration>
<!-- UNCOMMENT BELOW TAG TO FAILD BUILD ON HIGH+ ISSUE -->
<!-- <failBuildOnCVSS>7</failBuildOnCVSS> -->
<format>ALL</format>
<outputDirectory>${project.build.directory}/security</outputDirectory>
<suppressionFile>/home/prakhash/Downloads/MavenBasedSecurityAutomation/carb-kernel/core/org.comp.carb.ui/supress.xml</suppressionFile>
<hintsFile>https://raw.githubusercontent.com/ayomawdb/dependencycheck-rules-test/master/global-dependencycheck-hints.xml</hintsFile>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>xml-maven-plugin</artifactId>
<version>1.0.1</version>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>transform</goal>
</goals>
</execution>
</executions>
<configuration>
<transformationSets>
<transformationSet>
<dir>${project.build.directory}/security</dir>
<outputDir>${project.build.directory}/security</outputDir>
<stylesheet>/home/prakhash/compProducts/DependencyCheck/dependency.xsl</stylesheet>
<parameters>
<parameter>
<name>MyParam</name>
<value>test</value>
</parameter>
</parameters>
<includes>dependency-check-report.xml</includes>
<fileMappers>
<fileMapper implementation="org.codehaus.plexus.components.io.filemappers.FileExtensionMapper">
<targetExtension>.html</targetExtension>
</fileMapper>
</fileMappers>
</transformationSet>
</transformationSets>
</configuration>
</plugin>
</plugins>
<testResources>
<testResource>
<directory>
${basedir}/../../distribution/kernel/carb-home/lib/core/WEB-INF/classes/
</directory>
<includes>
<include>log4j.properties</include>
</includes>
</testResource>
<testResource>
<directory>src/main/java</directory>
<includes>
<include>**/*.xml</include>
</includes>
</testResource>
<testResource>
<directory>src/test/resources</directory>
<includes>
<include>**/*.xml</include>
<include>**/*.properties</include>
</includes>
</testResource>
</testResources>
</build>
<modules>
<module>javax.cache</module>
<module>org.comp.carb.tomcat</module>
<module>org.comp.carb.tomcat.ext</module>
<module>org.comp.carb.registry.api</module>
</modules>
</project>
我检查了dependency-check-maven的源代码,不幸的是没有组件版本信息。请参阅以下来自源代码的XSD片段
<xs:element name="projectInfo">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="reportDate" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="credits" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
尽管当您生成MVN站点时,它具有组件版本的完整上下文。从逻辑上讲,这是您在生成报告时实际上要做的。XML报告并非供人类消费。
,如果您认为这对您来说是有效的要求,则可以提出增强请求。