Better support for transitive deps in Maven/Java (pom.xml) #35
Comments
inferno-chromium
changed the title
|
I can't find any documentation on the Maven integration for the scanner. Can anyone point me to it? Or is current "Maven"-support limited to letting the command-line tool read pom.xml files and scan those? Hope there will be ecosystem-native tools as well, like OWASP's Dependency Check Maven-plugin. |
|
@oliverchang Can data from deps.dev be used to resolve transitive dependencies from direct dependencies identified from |
|
Could it have something to with an effective pom? https://maven.apache.org/plugins/maven-help-plugin/effective-pom-mojo.html https://medium.com/@harun_ergul/what-is-effective-pom-5c278fe53031 |
|
|
|
Also there's a need to configure maven profiles, as some project build different artifacts based on the profile, see https://github.com/GoogleCloudDataproc/spark-bigquery-connector for example |
|
Based on the suggestion by @h4sh5 above, my current work-around is to run something like this: mvn help:effective-pom -Doutput="${TMPDIR}/pom.xml"
osv-scanner --lockfile="${TMPDIR}/pom.xml"Edit: I found this was not really capturing all the transitive dependencies I was interested in. See my follow-up comment below. |
|
Thanks for the suggestions all! I think it may make sense to support a mode to use ecosystem-specifc tooling (e.g. We're also exploring approaches using deps.dev as well to resolve this natively without requiring external tooling. We'll keep this bug updated with any new info! |
|
I found that, since I really care about the dependencies (including transitive dependencies) that will be on the classpath at runtime, and required by any consuming packages, the approach that actually works for me is to generate a Software Bill of Materials (SBOM) and run OSV-Scanner against that SBOM instead of the POM file. I currently have the CycloneDX Maven plugin configured in a profile within my POM file: <profile>
<id>sbom</id>
<build>
<plugins>
<plugin>
<groupId>org.cyclonedx</groupId>
<artifactId>cyclonedx-maven-plugin</artifactId>
<version>2.7.9</version>
<configuration>
<includeCompileScope>true</includeCompileScope>
<includeProvidedScope>false</includeProvidedScope>
<includeRuntimeScope>true</includeRuntimeScope>
<includeSystemScope>false</includeSystemScope>
<includeTestScope>false</includeTestScope>
</configuration>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>makeAggregateBom</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>I use this to generate the SBOM, then run OSV-Scanner run against the SBOM: mvn --activate-profiles sbom -DskipTests install
osv-scanner --sbom=target/bom.jsonIf anyone has a better solution, I would really like to hear it. |
|
We are working on this now :) This is dependent on some other changes coming along the way to help us better parse and resolve pom.xml files. Stay tuned! |
|
Hi @oliverchang, are there any news re Maven support for transitive dependencies? |
|
Hi @LironJit, we are actively working on this! The changes to resolve Maven projects are on their way. :) |
|
@cuixq with https://github.com/google/deps.dev/tree/main/util/resolve/maven now being available, do we just need to integrate that into OSV-Scanner? |
|
@oliverchang yes, I think so - I just started working on this! |
The new Maven lockfile extractor aims to resolve the full Maven dependency graph to provide better transitive support #35. This is an experimental feature for now. This PR uses deps.dev util package to parse Maven pom.xml, also calls deps.dev API for available versions when resolving a range requirement.
Issue #35 In this PR, the new Maven extractor invokes Maven resolver to compute the transitive dependencies of a Maven pom.xml. Since managed dependencies are not actually being depended on, they are not in the resolved dependency graph, and thus they are not included in the scan results.
The new Maven lockfile extractor aims to resolve the full Maven dependency graph to provide better transitive support google#35. This is an experimental feature for now. This PR uses deps.dev util package to parse Maven pom.xml, also calls deps.dev API for available versions when resolving a range requirement.
Issue google#35 In this PR, the new Maven extractor invokes Maven resolver to compute the transitive dependencies of a Maven pom.xml. Since managed dependencies are not actually being depended on, they are not in the resolved dependency graph, and thus they are not included in the scan results.
#35 In this PR, `MavenResolverExtrator` is invoked when scanning pom.xml to report vulnerabilities in transitive dependencies. However, the default Maven extractor is still being used with offline mode.
Currently pom.xml support does not support resolving the full dependency graph.
The text was updated successfully, but these errors were encountered: