OWASP Dependency-Check: add the modelVersion version to the dependency-check report
I am using the OWASP Dependency-Check Maven plugin in a multi-module project.
Currently, the XML report produced by Dependency-Check contains only the following information, which does not include the version of the "Component" we are scanning.
Is there any way to include it in the report we generate? (In this case, parent.version.)
<projectInfo>
<name>Component</name>
<reportDate>2017-02-17T15:57:38.041+0530</reportDate>
<credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo>
Adding the pom.xml file here:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <parent>
    <groupId>org.comp.carb</groupId>
    <artifactId>carb-parent</artifactId>
    <version>4.4.12</version>
    <relativePath>../parent/pom.xml</relativePath>
  </parent>
  <modelVersion>4.0.0</modelVersion>
  <artifactId>carb-kernel</artifactId>
  <packaging>pom</packaging>
  <name>comp carb - Parent Maven Project</name>
  <description>carb-parent</description>
  <url>http://comp.org</url>
  <licenses>
    <license>
      <name>Apache License Version 2.0</name>
      <url>http://www.apache.org/licenses/LICENSE-2.0</url>
    </license>
  </licenses>
  <organization>
    <name>comp Inc</name>
    <url>http://comp.com</url>
  </organization>
  <issueManagement>
    <system>JIRA</system>
    <url>https://comp.org/jira/browse/carb</url>
  </issueManagement>
  <mailingLists>
    <mailingList>
      <name>comp carb Developers' List</name>
      <post>mailto:carb-de[email protected]</post>
      <archive>http://www.comp.org/mailarchive/carb-dev/</archive>
      <subscribe>mailto:[email protected]?subject=subscribe</subscribe>
      <unsubscribe>mailto:[email protected]?subject=unsubscribe</unsubscribe>
    </mailingList>
    <mailingList>
      <name>comp Architecture List</name>
      <post>mailto:[email protected]</post>
      <archive>http://comp.org/mailarchive/architecture/</archive>
      <subscribe>mailto:[email protected]?subject=subscribe</subscribe>
      <unsubscribe>mailto:[email protected]?subject=unsubscribe</unsubscribe>
    </mailingList>
  </mailingLists>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-surefire-plugin</artifactId>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-resources-plugin</artifactId>
      </plugin>
      <plugin>
        <groupId>org.apache.felix</groupId>
        <artifactId>maven-scr-plugin</artifactId>
      </plugin>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>1.4.4.1</version>
        <executions>
          <execution>
            <phase>test</phase>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <!-- UNCOMMENT THE TAG BELOW TO FAIL THE BUILD ON HIGH+ ISSUES -->
          <!-- <failBuildOnCVSS>7</failBuildOnCVSS> -->
          <format>ALL</format>
          <outputDirectory>${project.build.directory}/security</outputDirectory>
          <suppressionFile>/home/prakhash/Downloads/MavenBasedSecurityAutomation/carb-kernel/core/org.comp.carb.ui/supress.xml</suppressionFile>
          <hintsFile>https://raw.githubusercontent.com/ayomawdb/dependencycheck-rules-test/master/global-dependencycheck-hints.xml</hintsFile>
        </configuration>
      </plugin>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>xml-maven-plugin</artifactId>
        <version>1.0.1</version>
        <executions>
          <execution>
            <phase>package</phase>
            <goals>
              <goal>transform</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <transformationSets>
            <transformationSet>
              <dir>${project.build.directory}/security</dir>
              <outputDir>${project.build.directory}/security</outputDir>
              <stylesheet>/home/prakhash/compProducts/DependencyCheck/dependency.xsl</stylesheet>
              <parameters>
                <parameter>
                  <name>MyParam</name>
                  <value>test</value>
                </parameter>
              </parameters>
              <includes>dependency-check-report.xml</includes>
              <fileMappers>
                <fileMapper implementation="org.codehaus.plexus.components.io.filemappers.FileExtensionMapper">
                  <targetExtension>.html</targetExtension>
                </fileMapper>
              </fileMappers>
            </transformationSet>
          </transformationSets>
        </configuration>
      </plugin>
    </plugins>
    <testResources>
      <testResource>
        <directory>
          ${basedir}/../../distribution/kernel/carb-home/lib/core/WEB-INF/classes/
        </directory>
        <includes>
          <include>log4j.properties</include>
        </includes>
      </testResource>
      <testResource>
        <directory>src/main/java</directory>
        <includes>
          <include>**/*.xml</include>
        </includes>
      </testResource>
      <testResource>
        <directory>src/test/resources</directory>
        <includes>
          <include>**/*.xml</include>
          <include>**/*.properties</include>
        </includes>
      </testResource>
    </testResources>
  </build>
  <modules>
    <module>javax.cache</module>
    <module>org.comp.carb.tomcat</module>
    <module>org.comp.carb.tomcat.ext</module>
    <module>org.comp.carb.registry.api</module>
  </modules>
</project>
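One way to get the scanned component's version into the report without waiting for the plugin to emit it, using the xml-maven-plugin transformation already wired into the pom above: pass the version into the stylesheet as an XSLT parameter and write it out from there. This is an added example, not code from the question or from the Dependency-Check project. The parameter name `projectVersion` is an assumption; in the pom's existing `<parameter>` block it would be `<name>projectVersion</name>` with `<value>${project.parent.version}</value>`, since Maven interpolates that property at build time. The stylesheet below is a stand-alone identity transform that appends a `<version>` element to `<projectInfo>`, using `local-name()` so it works whichever namespace the report schema version declares; the same `<xsl:param>` can just as well be read inside the existing HTML-producing `dependency.xsl`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example stylesheet (assumed name: dependency-version.xsl).
     Copies the dependency-check XML report unchanged and adds the project
     version, supplied by xml-maven-plugin as the XSLT parameter
     "projectVersion" (assumed parameter name), to <projectInfo>. -->
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

  <xsl:output method="xml" indent="yes" encoding="UTF-8"/>

  <!-- Value comes from the pom:
         <parameter><name>projectVersion</name>
                    <value>${project.parent.version}</value></parameter>
       The default only appears if the build forgets to pass it. -->
  <xsl:param name="projectVersion" select="'unknown'"/>

  <!-- Identity template: every element, attribute and text node is copied
       as-is, so the rest of the report is left untouched. -->
  <xsl:template match="@*|node()">
    <xsl:copy>
      <xsl:apply-templates select="@*|node()"/>
    </xsl:copy>
  </xsl:template>

  <!-- projectInfo: copy its existing children (name, reportDate, credits),
       then append <version> in the same namespace as the report itself.
       Matching on local-name() avoids hard-coding the schema URI, which has
       changed between Dependency-Check releases. -->
  <xsl:template match="*[local-name()='projectInfo']">
    <xsl:copy>
      <xsl:apply-templates select="@*|node()"/>
      <xsl:element name="version" namespace="{namespace-uri()}">
        <xsl:value-of select="$projectVersion"/>
      </xsl:element>
    </xsl:copy>
  </xsl:template>

</xsl:stylesheet>
```

Applied to the `<projectInfo>` fragment shown at the top of the question with `projectVersion` set to `4.4.12`, this yields the same three elements followed by `<version>4.4.12</version>`. If the goal is the HTML report rather than enriched XML, keep the pom's `.html` file mapper and drop the `<xsl:param>` and `$projectVersion` reference into the existing `dependency.xsl` instead of using this transform as a second step.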
Can you share your pom.xml? Or at least the snippet where you have used this plugin. – GauravJ
Added the pom.xml in the question. – Prakhash
Can you run the plugin with the aggregate goal instead of check? – GauravJ