Enable running DependencyCheck on Maven 3.0

dependency-check-maven/pom.xml

@@ -40,7 +40,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <version.maven-plugin-plugin>3.5</version.maven-plugin-plugin>
     </properties>
     <prerequisites>
-        <maven>3.1</maven>
+        <maven>3.0</maven>
     </prerequisites>
     <build>
         <resources>
@@ -115,7 +115,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                         <configuration>
                             <rules>
                                 <requireMavenVersion>
-                                    <version>[3.1,]</version>
+                                    <version>[3.0,]</version>
                                 </requireMavenVersion>
                             </rules>
                             <fail>true</fail>
@@ -224,6 +224,11 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <artifactId>maven-plugin-testing-harness</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.apache.maven.shared</groupId>
+            <artifactId>maven-artifact-transfer</artifactId>
+            <version>0.9.0</version>
+        </dependency>
     </dependencies>
     <profiles>
         <profile>

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java

@@ -26,28 +26,29 @@ import java.io.InputStream;
 import java.io.ObjectOutputStream;
 import java.util.List;
 import java.util.Locale;
-import org.eclipse.aether.artifact.Artifact;
+import org.apache.maven.artifact.Artifact;
+import org.apache.maven.artifact.repository.ArtifactRepository;
 import org.apache.maven.doxia.sink.Sink;
+import org.apache.maven.execution.MavenSession;
 import org.apache.maven.plugin.AbstractMojo;
 import org.apache.maven.plugin.MojoExecutionException;
 import org.apache.maven.plugin.MojoFailureException;
 import org.apache.maven.plugins.annotations.Component;
 import org.apache.maven.plugins.annotations.Parameter;
+import org.apache.maven.project.DefaultProjectBuildingRequest;
 import org.apache.maven.project.MavenProject;
+import org.apache.maven.project.ProjectBuildingRequest;
 import org.apache.maven.reporting.MavenReport;
 import org.apache.maven.reporting.MavenReportException;
 import org.apache.maven.settings.Proxy;
 import org.apache.maven.settings.Server;
+import org.apache.maven.shared.artifact.ArtifactCoordinate;
+import org.apache.maven.shared.artifact.TransferUtils;
+import org.apache.maven.shared.artifact.resolve.ArtifactResolver;
+import org.apache.maven.shared.artifact.resolve.ArtifactResolverException;
 import org.apache.maven.shared.dependency.graph.DependencyGraphBuilder;
 import org.apache.maven.shared.dependency.graph.DependencyGraphBuilderException;
 import org.apache.maven.shared.dependency.graph.DependencyNode;
-import org.eclipse.aether.RepositorySystem;
-import org.eclipse.aether.RepositorySystemSession;
-import org.eclipse.aether.artifact.DefaultArtifact;
-import org.eclipse.aether.repository.RemoteRepository;
-import org.eclipse.aether.resolution.ArtifactRequest;
-import org.eclipse.aether.resolution.ArtifactResolutionException;
-import org.eclipse.aether.resolution.ArtifactResult;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
@@ -108,23 +109,19 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     @Parameter(readonly = true, required = true, property = "reactorProjects")
     private List<MavenProject> reactorProjects;
     /**
-     * The entry point to Aether, i.e. the component doing all the work.
+     * The entry point towards a Maven version independent way of resolving artifacts (handles both Maven 3.0 sonatype and Maven 3.1+ eclipse Aether implementations).
      */
     @Component
-    private RepositorySystem repoSystem;
+    private ArtifactResolver artifactResolver;
+
+    @Parameter( defaultValue = "${session}", readonly = true, required = true )
+    protected MavenSession session;
 
    /**
-     * The current repository/network configuration of Maven.
+     * Remote repositories which will be searched for artifacts.
      */
-    @Parameter(defaultValue = "${repositorySystemSession}", readonly = true)
+    @Parameter( defaultValue = "${project.remoteArtifactRepositories}", readonly = true, required = true )
-    private RepositorySystemSession repoSession;
+    private List<ArtifactRepository> remoteRepositories;
-
-    /**
-     * The project's remote repositories to use for the resolution of plug-ins
-     * and their dependencies.
-     */
-    @Parameter(defaultValue = "${project.remotePluginRepositories}", readonly = true)
-    private List<RemoteRepository> remoteRepos;
 
     /**
      * Component within Maven to build the dependency graph.
@@ -629,7 +626,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine) {
         try {
             final DependencyNode dn = dependencyGraphBuilder.buildDependencyGraph(project, null, reactorProjects);
-            return collectDependencies(engine, project, dn.getChildren());
+            final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest();
+            return collectDependencies(engine, project, dn.getChildren(), buildingRequest);
         } catch (DependencyGraphBuilderException ex) {
             final String msg = String.format("Unable to build dependency graph on project %s", project.getName());
             getLog().debug(msg, ex);
@@ -648,29 +646,24 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * @return a collection of exceptions that may have occurred while resolving
      * and scanning the dependencies
      */
-    private ExceptionCollection collectDependencies(Engine engine, MavenProject project, List<DependencyNode> nodes) {
+    private ExceptionCollection collectDependencies(Engine engine, MavenProject project, List<DependencyNode> nodes, ProjectBuildingRequest buildingRequest) {
         ExceptionCollection exCol = null;
         for (DependencyNode dependencyNode : nodes) {
-            exCol = collectDependencies(engine, project, dependencyNode.getChildren());
+            exCol = collectDependencies(engine, project, dependencyNode.getChildren(), buildingRequest);
             if (excludeFromScan(dependencyNode.getArtifact().getScope())) {
                 continue;
             }
             try {
-                //an alternative request method is documented here
+                final ArtifactCoordinate coordinate = TransferUtils.toArtifactCoordinate(dependencyNode.getArtifact());
-                // https://www.mirkosertic.de/wordpress/2015/12/how-to-download-maven-artifacts-with-maven-3-1-and-eclipse-aether/
+                final Artifact result = artifactResolver.resolveArtifact( buildingRequest, coordinate ).getArtifact();
-                final ArtifactRequest request = new ArtifactRequest();
+                if (result.isResolved() && result.getFile()!= null) {
-                request.setArtifact(new DefaultArtifact(dependencyNode.getArtifact().getId()));
+                    final List<Dependency> deps = engine.scan(result.getFile().getAbsoluteFile(),
-                request.setRepositories(remoteRepos);
-                final ArtifactResult result = repoSystem.resolveArtifact(repoSession, request);
-                if (result.isResolved() && result.getArtifact() != null && result.getArtifact().getFile() != null) {
-                    final List<Dependency> deps = engine.scan(result.getArtifact().getFile().getAbsoluteFile(),
                             project.getName() + ":" + dependencyNode.getArtifact().getScope());
                     if (deps != null) {
                         if (deps.size() == 1) {
                             final Dependency d = deps.get(0);
                             if (d != null) {
-                                final Artifact a = result.getArtifact();
+                                final MavenArtifact ma = new MavenArtifact(result.getGroupId(), result.getArtifactId(), result.getVersion());
-                                final MavenArtifact ma = new MavenArtifact(a.getGroupId(), a.getArtifactId(), a.getVersion());
                                 d.addAsEvidence("pom", ma, Confidence.HIGHEST);
                                 if (getLog().isDebugEnabled()) {
                                     getLog().debug(String.format("Adding project reference %s on dependency %s",
@@ -689,9 +682,6 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
                             exCol = new ExceptionCollection();
                         }
                         getLog().error(msg);
-                        for (Exception ex : result.getExceptions()) {
-                            exCol.addException(ex);
-                        }
                     }
                 } else {
                     final String msg = String.format("Unable to resolve '%s' in project %s",
@@ -700,11 +690,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
                     if (exCol == null) {
                         exCol = new ExceptionCollection();
                     }
-                    for (Exception ex : result.getExceptions()) {
-                        exCol.addException(ex);
                 }
-                }
+            } catch (ArtifactResolverException ex) {
-            } catch (ArtifactResolutionException ex) {
                 if (exCol == null) {
                     exCol = new ExceptionCollection();
                 }
@@ -714,6 +701,20 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
         return exCol;
     }
 
+    /**
+     * @return Returns a new ProjectBuildingRequest populated from the current session and the current project remote
+     *         repositories, used to resolve artifacts.
+     */
+    public ProjectBuildingRequest newResolveArtifactProjectBuildingRequest()
+    {
+        ProjectBuildingRequest buildingRequest =
+            new DefaultProjectBuildingRequest( session.getProjectBuildingRequest() );
+
+        buildingRequest.setRemoteRepositories( remoteRepositories );
+
+        return buildingRequest;
+    }
+
     /**
      * Executes the dependency-check scan and generates the necassary report.
      *

pom.xml

@@ -130,7 +130,7 @@ Copyright (c) 2012 - Jeremy Long
         <slf4j.version>1.7.23</slf4j.version>
         <logback.version>1.1.9</logback.version>
         <!-- Note that Maven will use classes from the distro, ignoring declared dependencies for Maven core... -->
-        <maven.api.version>3.3.9</maven.api.version>
+        <maven.api.version>3.0</maven.api.version>
         <reporting.checkstyle-plugin.version>2.17</reporting.checkstyle-plugin.version>
         <reporting.cobertura-plugin.version>2.7</reporting.cobertura-plugin.version>
         <reporting.pmd-plugin.version>3.6</reporting.pmd-plugin.version>