
OWASP Dependency check : Adding modelVersion version to dependency check report


I'm using the Maven Plugin of the OWASP Dependency Check in a multimodule project.

Currently, the XML report provided by the dependency check only contains the below information, which doesn't include the "Component" version for which we are doing the scan.

Is there any way to include it in the report we generate? (In this case it would be parent.version.)

<projectInfo>
    <name>Component</name>
    <reportDate>2017-02-17T15:57:38.041+0530</reportDate>
    <credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo>

Adding the pom.xml file here

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <parent>
        <groupId>org.comp.carb</groupId>
        <artifactId>carb-parent</artifactId>
        <version>4.4.12</version>
        <relativePath>../parent/pom.xml</relativePath>
    </parent>

    <modelVersion>4.0.0</modelVersion>
    <artifactId>carb-kernel</artifactId>
    <packaging>pom</packaging>
    <name>comp carb - Parent Maven Project</name>
    <description>carb-parent</description>
    <url>http://comp.org</url>

    <licenses>
        <license>
            <name>Apache License Version 2.0</name>
            <url>http://www.apache.org/licenses/LICENSE-2.0</url>
        </license>
    </licenses>

    <organization>
        <name>comp Inc</name>
        <url>http://comp.com</url>
    </organization>

    <issueManagement>
        <system>JIRA</system>
        <url>https://comp.org/jira/browse/carb</url>
    </issueManagement>

    <mailingLists>
        <mailingList>
            <name>comp carb Developers' List</name>
            <post>mailto:[email protected]</post>
            <archive>http://www.comp.org/mailarchive/carb-dev/</archive>
            <subscribe>mailto:[email protected]?subject=subscribe</subscribe>
            <unsubscribe>mailto:[email protected]?subject=unsubscribe</unsubscribe>
        </mailingList>
        <mailingList>
            <name>comp Architecture List</name>
            <post>mailto:[email protected]</post>
            <archive>http://comp.org/mailarchive/architecture/</archive>
            <subscribe>mailto:[email protected]?subject=subscribe</subscribe>
            <unsubscribe>mailto:[email protected]?subject=unsubscribe</unsubscribe>
        </mailingList>
    </mailingLists>


    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-resources-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.felix</groupId>
                <artifactId>maven-scr-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>1.4.4.1</version>
                <executions>
                    <execution>
                        <phase>test</phase>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <!-- UNCOMMENT BELOW TAG TO FAIL BUILD ON HIGH+ ISSUE -->
                    <!-- <failBuildOnCVSS>7</failBuildOnCVSS> -->
                    <format>ALL</format>
                    <outputDirectory>${project.build.directory}/security</outputDirectory>
                    <suppressionFile>/home/prakhash/Downloads/MavenBasedSecurityAutomation/carb-kernel/core/org.comp.carb.ui/supress.xml</suppressionFile>
                    <hintsFile>https://raw.githubusercontent.com/ayomawdb/dependencycheck-rules-test/master/global-dependencycheck-hints.xml</hintsFile>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>xml-maven-plugin</artifactId>
                <version>1.0.1</version>
                <executions>
                    <execution>
                        <phase>package</phase>
                        <goals>
                            <goal>transform</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <transformationSets>
                        <transformationSet>
                            <dir>${project.build.directory}/security</dir>
                            <outputDir>${project.build.directory}/security</outputDir>
                            <stylesheet>/home/prakhash/compProducts/DependencyCheck/dependency.xsl</stylesheet>
                             <parameters>
                                <parameter>
                                  <name>MyParam</name>
                                  <value>test</value>
                                </parameter>
                              </parameters>
                            <includes>dependency-check-report.xml</includes>
                            <fileMappers>
                                <fileMapper implementation="org.codehaus.plexus.components.io.filemappers.FileExtensionMapper">
                                    <targetExtension>.html</targetExtension>
                                </fileMapper>
                            </fileMappers>
                        </transformationSet>
                    </transformationSets>
                </configuration>
            </plugin>
        </plugins>
        <testResources>
            <testResource>
                <directory>
                    ${basedir}/../../distribution/kernel/carb-home/lib/core/WEB-INF/classes/
                </directory>
                <includes>
                    <include>log4j.properties</include>
                </includes>
            </testResource>
            <testResource>
                <directory>src/main/java</directory>
                <includes>
                    <include>**/*.xml</include>
                </includes>
            </testResource>
            <testResource>
                <directory>src/test/resources</directory>
                <includes>
                    <include>**/*.xml</include>
                    <include>**/*.properties</include>
                </includes>
            </testResource>
        </testResources>
    </build>

    <modules>
        <module>javax.cache</module>
        <module>org.comp.carb.tomcat</module>
        <module>org.comp.carb.tomcat.ext</module>
        <module>org.comp.carb.registry.api</module>
    </modules>
</project>

Solution

  • I have checked the source code of dependency-check-maven and unfortunately there is no component version information. See the following xsd snippet from the source code:

      <xs:element name="projectInfo">
          <xs:complexType>
              <xs:sequence>
                  <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
                  <xs:element name="reportDate" type="xs:string" minOccurs="1" maxOccurs="1" />
                  <xs:element name="credits" type="xs:string" minOccurs="1" maxOccurs="1" />
              </xs:sequence>
          </xs:complexType>
      </xs:element>
    

    However, when you generate the mvn site, it has the complete context, including the component version. Logically speaking, this is what you will actually do when generating a report. XML reports are not meant for human consumption.

    You can raise an enhancement request if you think this is a valid requirement for you.
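As an added example (not part of the question, the answer, or the dependency-check plugin itself): since the report schema has no version element, a small post-processing step can read the module version from its pom.xml (falling back to parent.version the way Maven does, as in the asker's pom) and stamp it into projectInfo after the check goal has run. The `projectVersion` element name and the sample inputs are constructed here.

```python
"""Stamp the scanned component's version into a dependency-check XML report."""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample inputs mirroring the question's pom and report snippet.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.comp.carb</groupId><artifactId>carb-parent</artifactId>
    <version>4.4.12</version></parent>
  <modelVersion>4.0.0</modelVersion>
  <artifactId>carb-kernel</artifactId>
</project>"""
SAMPLE_REPORT = """<analysis>
  <projectInfo>
    <name>Component</name>
    <reportDate>2017-02-17T15:57:38.041+0530</reportDate>
    <credits>Data retrieved from the National Vulnerability Database</credits>
  </projectInfo>
</analysis>"""


def effective_version(pom_xml: str) -> str:
    """Return the module's version, falling back to parent.version as Maven does."""
    root = ET.fromstring(pom_xml)
    ns = {"m": POM_NS}
    own = root.find("m:version", ns)
    if own is not None and own.text:
        return own.text.strip()
    parent = root.find("m:parent/m:version", ns)
    if parent is None or not parent.text:
        raise ValueError("pom declares neither version nor parent.version")
    return parent.text.strip()


def stamp_version(report_xml: str, version: str) -> str:
    """Add (or overwrite) a projectVersion element under projectInfo; safe to re-run."""
    root = ET.fromstring(report_xml)
    # The report may carry a default namespace (the question's snippet shows none);
    # derive it from the root tag instead of hard-coding it.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = (lambda t: "{%s}%s" % (ns, t)) if ns else (lambda t: t)
    info = root.find(q("projectInfo"))
    if info is None:
        raise ValueError("report has no projectInfo element")
    elem = info.find(q("projectVersion"))
    if elem is None:
        elem = ET.SubElement(info, q("projectVersion"))
    elem.text = version
    return ET.tostring(root, encoding="unicode")
```

Because the element is not in the plugin's XSD, validate the stamped file against your own copy of the schema, or apply the stamp only to the copy you feed into the XSL transform, so the original report stays schema-valid.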