Regression: DependencyCheck is once again Maven 3.1+ only #1313

Closed
aikebah opened this issue May 31, 2018 · 10 comments

aikebah (Collaborator) commented May 31, 2018

As discovered in one of our builds after upgrading from DependencyCheck 3.0.1 to 3.2.1, DependencyCheck has again received some direct dependencies on org.eclipse.aether libraries, which causes it to fail when executed on Maven 3.0.

In the past I fixed this to allow us to upgrade to the latest DependencyCheck and benefit from all other improvements, but since then apparently a regression has entered the maven plugin. Will look into this one myself to see where it was introduced and whether a fix can be made to re-enable running DependencyCheck with maven 3.0.

We have stable projects whose results run in production that require maven 3.0 due to other plugins. We build them periodically to ensure that the build is still stable and none of the used dependencies have known vulnerabilities, but we prefer to not update those projects until functional features are to be added or vulnerabilities are to be fixed. So retaining compatibility with Maven 3.0 is very desirable to us.

The (redacted) symptom indicating the incompatibility from our Jenkins build log:

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:3.2.1:check (default) on project ********: A type incompatibility occured while executing org.owasp:dependency-check-maven:3.2.1:check: org.sonatype.aether.util.DefaultRepositorySystemSession cannot be cast to org.eclipse.aether.RepositorySystemSession

aikebah (Collaborator, author) commented May 31, 2018

Related to #1054. @jeremylong, why did you go back to 3.1.0 rather than 3.0.0? (AFAICT before that DC was compatible with the 3.0 series of Maven, and even now the prerequisite of the DC maven plugin states that it requires a minimum Maven version of 3.0.0.)

jeremylong (Owner) commented

Dependency-check requires at least Maven 3.1. This is clearly listed in the documentation: https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html. When you say the DC maven plugin states it requires a minimum Maven version of 3.0.0 - I'm assuming you are talking about the <prerequisites><maven>3.0</maven></prerequisites> entry in the Maven pom? That is actually an old (Maven 2) method of indicating the required Maven version to build the project that I missed updating. You can actually see in the parent pom where we use enforcer rules to require a minimum of Maven 3.1: https://github.com/jeremylong/DependencyCheck/blob/master/pom.xml#L488

I believe when trying to solve some dependency resolution errors we ended up having to use the 3.1 API.

jeremylong (Owner) commented

To add - yes, dependency-check previously "worked" with Maven 3.0. To be able to support new versions of Maven we ended up needing to use the 3.1 API.

aikebah (Collaborator, author) commented Jun 1, 2018

The prerequisites element is the way for a plugin to indicate the Maven version required to run the plugin, see

https://maven.apache.org/ref/3.3.9/maven-model/apidocs/org/apache/maven/model/Prerequisites.html#getMaven()

The abuse of it to (also) indicate the Maven required to build the project is what is deprecated.

I have not seen any issues for the newer versions of Maven with the 3.0 series of the API (I have been running DC 3.0.1 with a mixture of Maven 3.0.x, 3.3.x and 3.5.x). What issues were there with the 3.0 series API? (AFAIK the only potential downside is not being able to benefit from new additions to the API in our plugin.)

In the past there used to be the org.eclipse vs org.sonatype issue, but that has been fixed with the use of Maven's own 'multi-maven capable magic' libraries for the dependency resolution parts of Maven.

aikebah (Collaborator, author) commented Jun 1, 2018

The maven plugin that most closely resembles the requirements that DC has on Maven still uses the 3.0 API in its latest version:

https://github.com/apache/maven-dependency-plugin/blob/a86965e65eafc63b74accff6b2fe3563ae40b253/pom.xml#L89

So I fail to see how (if properly coded) the DependencyCheck maven plugin would fail to work correctly in modern Maven versions due to the 3.0 API dependency.

jeremylong added a commit that referenced this issue Jun 2, 2018
jeremylong (Owner) commented

Hans - I apologize. I really shouldn't answer your questions/issues until I've had more coffee and can be sure I'm giving a 100% correct answer. I truly appreciate all the assistance you've given to this project; answering questions, providing PRs, etc. We wouldn't be where we are without your contributions.

So back to the 3.1.0 vs. 3.0.x: reverting to 3.0.5 is easy (I'd rather not go below that due to CVE-2013-0253). However, there appear to have been changes to the logging system from 3.0 to 3.1. While the branch I created, maven3.0.5, works in 3.0.5, it doesn't write any debugging or info information to the log.

jeremylong (Owner) commented

See the info on logging here: https://maven.apache.org/maven-logging.html

aikebah (Collaborator, author) commented Jun 7, 2018

I see; that makes it worse to support below Maven 3.1 indeed. The good part is that there is a workaround possible; however, I'm not sure if we should really go in that direction to retain compatibility with Maven 3.0.x.

To get (debug) logging working on maven 3.0.5:

  • add slf4j-simple as dependency in the dependency-check plugin configuration of the project that is scanned
  • add the -Dorg.slf4j.simpleLogger.defaultLogLevel=debug setting to the mvn command-line when you need the debug level logging.

So feel free to close it as a "won't fix" if you agree that we should not use such wizardry to keep it running on Maven 3.0.x (the only item that needs fixing in that case is that the 'prerequisites' should be configured for the correct Maven version, which you already did on master, although the code on the branch, using the maven api version property, is the better (future-proof) alternative).
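The workaround described in the comment above, written out as a plugin configuration in the scanned project's pom.xml. This is an added example, not a configuration from this thread or from the DependencyCheck project: the plugin version 3.2.1 is the one named in the issue, the slf4j-simple version 1.7.25 and the explicit check execution are assumptions for illustration, and it is only meant for a build that really runs on Maven 3.0.x with a dependency-check build that works there (the maven3.0.5 branch mentioned above); Maven 3.1+ ships its own SLF4J binding and does not need it.

```xml
<!-- Added example, not the project's own pom.xml: a scanned project's build section
     that gives the dependency-check plugin an SLF4J binding under Maven 3.0.x.
     Assumed versions: dependency-check-maven 3.2.1 (as in the issue), slf4j-simple 1.7.25. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>3.2.1</version>
      <!-- Plugin-scoped dependency: loaded into the plugin's classloader only, so the
           plugin's SLF4J loggers find a binding on Maven 3.0.x, which provides none. -->
      <dependencies>
        <dependency>
          <groupId>org.slf4j</groupId>
          <artifactId>slf4j-simple</artifactId>
          <version>1.7.25</version>
        </dependency>
      </dependencies>
      <!-- An execution without an explicit <id> gets the id "default", which is the
           "(default)" shown in the Jenkins error line earlier in this issue. -->
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Run the scan with `mvn -Dorg.slf4j.simpleLogger.defaultLogLevel=debug verify` to get debug output from the plugin; without the property slf4j-simple logs at its default level (info), which is already more than the maven3.0.5 branch produces on its own according to the comment above.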

jeremylong added a commit that referenced this issue Jun 22, 2018
jeremylong (Owner) commented

I would rather not support the 3.0 version of Maven. However, we are now using the maven api version property for the prerequisites element.
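The two mechanisms discussed in this thread, the `<prerequisites>` element that tells Maven which version may run the plugin and the enforcer rule that decides which version may build it, shown together in one plugin pom.xml driven by a single property. This is an added example, not the DependencyCheck pom.xml: the property name `maven.api.version`, the coordinates `com.example:example-maven-plugin`, and the enforcer plugin version 1.4.1 are assumptions; the thread only says that the project now uses its maven API version property for the prerequisites element.

```xml
<!-- Added example, not the DependencyCheck project's pom.xml. One property keeps three
     declarations in step: the Maven API the plugin compiles against, the runtime
     requirement Maven checks before running the plugin (<prerequisites>), and the
     build-time requirement checked by the enforcer plugin. Assumed names: property
     maven.api.version, coordinates com.example:example-maven-plugin, enforcer 1.4.1. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>example-maven-plugin</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>maven-plugin</packaging>

  <properties>
    <!-- Raise this once, in one place, when the plugin starts using a newer API. -->
    <maven.api.version>3.1.0</maven.api.version>
  </properties>

  <!-- Runtime check: Maven refuses to run the plugin on an older Maven, giving a clear
       message instead of the org.sonatype.aether / org.eclipse.aether ClassCastException
       quoted at the top of this issue. -->
  <prerequisites>
    <maven>${maven.api.version}</maven>
  </prerequisites>

  <dependencies>
    <!-- The API the plugin is compiled against; provided by the running Maven. -->
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-core</artifactId>
      <version>${maven.api.version}</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Build-time check: the plugin itself must be built with at least that Maven. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>1.4.1</version>
        <executions>
          <execution>
            <id>enforce-maven</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <requireMavenVersion>
                  <version>[${maven.api.version},)</version>
                </requireMavenVersion>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The enforcer rule alone, which is what the parent pom linked above uses, protects the plugin's own build; a consumer running the published plugin on an older Maven is only protected by `<prerequisites>`, which is why keeping that element accurate was the remaining fix in this issue.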

lock bot commented Sep 27, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

lock bot locked and limited conversation to collaborators Sep 27, 2018