final commit to patch issue #185
Former-commit-id: 1e77bec21239a0ea228795df7bfa5678d9930d6c
@@ -130,7 +130,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
|||||||
} else if (cpeIdentifiersMatch(dependency, nextDependency)
|
} else if (cpeIdentifiersMatch(dependency, nextDependency)
|
||||||
&& hasSameBasePath(dependency, nextDependency)
|
&& hasSameBasePath(dependency, nextDependency)
|
||||||
&& fileNameMatch(dependency, nextDependency)) {
|
&& fileNameMatch(dependency, nextDependency)) {
|
||||||
|
|
||||||
if (isCore(dependency, nextDependency)) {
|
if (isCore(dependency, nextDependency)) {
|
||||||
mergeDependencies(dependency, nextDependency, dependenciesToRemove);
|
mergeDependencies(dependency, nextDependency, dependenciesToRemove);
|
||||||
} else {
|
} else {
|
||||||
@@ -163,7 +162,9 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
|||||||
dependency.addRelatedDependency(i.next());
|
dependency.addRelatedDependency(i.next());
|
||||||
i.remove();
|
i.remove();
|
||||||
}
|
}
|
||||||
//dependency.addAllProjectReferences(relatedDependency.getProjectReferences());
|
if (dependency.getSha1sum().equals(relatedDependency.getSha1sum())) {
|
||||||
|
dependency.addAllProjectReferences(relatedDependency.getProjectReferences());
|
||||||
|
}
|
||||||
dependenciesToRemove.add(relatedDependency);
|
dependenciesToRemove.add(relatedDependency);
|
||||||
}
|
}
|
||||||
|
|
||||||
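Review bot: The new guard `if (dependency.getSha1sum().equals(relatedDependency.getSha1sum()))` dereferences the SHA-1 of `dependency` unconditionally, so if a Dependency can carry a null hash (nothing in the hunk rules that out) the merge fails with a NullPointerException instead of simply skipping the reference copy. A null-safe form keeps the intent: `final String sha1 = dependency.getSha1sum(); if (sha1 != null && sha1.equals(relatedDependency.getSha1sum())) {`. It is also not stated why project references are copied only when the hashes match; a comment such as `// copy project references only for byte-identical artifacts (same SHA-1); same-named but different builds keep their own` would make the intent reviewable. The enclosing method starts and ends outside this hunk.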
|
|||||||
@@ -18,6 +18,7 @@
|
|||||||
package org.owasp.dependencycheck.maven;
|
package org.owasp.dependencycheck.maven;
|
||||||
|
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
|
import java.io.IOException;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
@@ -72,8 +73,8 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
|
|||||||
final Engine engine = generateDataFile();
|
final Engine engine = generateDataFile();
|
||||||
|
|
||||||
if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
|
if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
|
||||||
final Map<MavenProject, Set<MavenProject>> children = buildAggregateInfo();
|
|
||||||
|
|
||||||
|
//ensure that the .ser file was created for each.
|
||||||
for (MavenProject current : getReactorProjects()) {
|
for (MavenProject current : getReactorProjects()) {
|
||||||
final File dataFile = getDataFile(current);
|
final File dataFile = getDataFile(current);
|
||||||
if (dataFile == null) { //dc was never run on this project. write the ser to the target.
|
if (dataFile == null) { //dc was never run on this project. write the ser to the target.
|
||||||
@@ -84,41 +85,36 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
|
|||||||
|
|
||||||
for (MavenProject current : getReactorProjects()) {
|
for (MavenProject current : getReactorProjects()) {
|
||||||
List<Dependency> dependencies = readDataFile(current);
|
List<Dependency> dependencies = readDataFile(current);
|
||||||
final List<MavenProject> childProjects = getAllChildren(current, children);
|
if (dependencies == null) {
|
||||||
|
dependencies = new ArrayList<Dependency>();
|
||||||
//check for orchestration build - execution root with no children or dependencies
|
}
|
||||||
if ((dependencies == null || dependencies.isEmpty()) && childProjects.isEmpty() && current.isExecutionRoot()) {
|
final Set<MavenProject> childProjects = getDescendants(current);
|
||||||
engine.getDependencies().clear();
|
for (MavenProject reportOn : childProjects) {
|
||||||
engine.resetFileTypeAnalyzers();
|
final List<Dependency> childDeps = readDataFile(reportOn);
|
||||||
for (MavenProject mod : getReactorProjects()) {
|
if (childDeps != null && !childDeps.isEmpty()) {
|
||||||
scanArtifacts(mod, engine);
|
LOGGER.fine(String.format("Adding %d dependencies from %s", childDeps.size(), reportOn.getName()));
|
||||||
}
|
dependencies.addAll(childDeps);
|
||||||
engine.analyzeDependencies();
|
} else {
|
||||||
} else {
|
LOGGER.fine(String.format("No dependencies read for %s", reportOn.getName()));
|
||||||
if (dependencies == null) {
|
|
||||||
dependencies = new ArrayList<Dependency>();
|
|
||||||
}
|
|
||||||
for (MavenProject reportOn : childProjects) {
|
|
||||||
final List<Dependency> childDeps = readDataFile(reportOn);
|
|
||||||
if (childDeps != null && !childDeps.isEmpty()) {
|
|
||||||
dependencies.addAll(childDeps);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
engine.getDependencies().clear();
|
|
||||||
engine.getDependencies().addAll(dependencies);
|
|
||||||
final DependencyBundlingAnalyzer bundler = new DependencyBundlingAnalyzer();
|
|
||||||
try {
|
|
||||||
bundler.analyze(null, engine);
|
|
||||||
} catch (AnalysisException ex) {
|
|
||||||
LOGGER.log(Level.WARNING, "An error occured grouping the dependencies; duplicate entries may exist in the report", ex);
|
|
||||||
LOGGER.log(Level.FINE, "Bundling Exception", ex);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
engine.getDependencies().clear();
|
||||||
|
engine.getDependencies().addAll(dependencies);
|
||||||
|
final DependencyBundlingAnalyzer bundler = new DependencyBundlingAnalyzer();
|
||||||
|
try {
|
||||||
|
LOGGER.fine(String.format("Dependency count pre-bundler: %s", engine.getDependencies().size()));
|
||||||
|
bundler.analyze(null, engine);
|
||||||
|
LOGGER.fine(String.format("Dependency count post-bundler: %s", engine.getDependencies().size()));
|
||||||
|
} catch (AnalysisException ex) {
|
||||||
|
LOGGER.log(Level.WARNING, "An error occured grouping the dependencies; duplicate entries may exist in the report", ex);
|
||||||
|
LOGGER.log(Level.FINE, "Bundling Exception", ex);
|
||||||
|
}
|
||||||
|
|
||||||
File outputDir = getCorrectOutputDirectory(current);
|
File outputDir = getCorrectOutputDirectory(current);
|
||||||
if (outputDir == null) {
|
if (outputDir == null) {
|
||||||
//in some regards we shouldn't be writting this, but we are anyway.
|
//in some regards we shouldn't be writting this, but we are anyway.
|
||||||
//we shouldn't write this because nothing is configured to generate this report.
|
//we shouldn't write this because nothing is configured to generate this report.
|
||||||
outputDir = new File(current.getBuild().getOutputDirectory()).getParentFile();
|
outputDir = new File(current.getBuild().getDirectory());
|
||||||
}
|
}
|
||||||
writeReports(engine, current, outputDir);
|
writeReports(engine, current, outputDir);
|
||||||
}
|
}
|
||||||
@@ -128,31 +124,67 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns a list containing all the recursive, non-pom children of the given project, never <code>null</code>.
|
* Returns a set containing all the descendant projects of the given project.
|
||||||
*
|
*
|
||||||
* @param project the parent project to collect the child project references
|
* @param project the project for which all descendants will be returned
|
||||||
* @param childMap a map of the parent-child relationships
|
* @return the set of descendant projects
|
||||||
* @return a list of child projects
|
|
||||||
*/
|
*/
|
||||||
protected List<MavenProject> getAllChildren(MavenProject project, Map<MavenProject, Set<MavenProject>> childMap) {
|
protected Set<MavenProject> getDescendants(MavenProject project) {
|
||||||
final Set<MavenProject> children = childMap.get(project);
|
if (project == null) {
|
||||||
if (children == null) {
|
return Collections.emptySet();
|
||||||
return Collections.emptyList();
|
|
||||||
}
|
}
|
||||||
LOGGER.info("Children of " + project.getId());
|
Set<MavenProject> descendants = new HashSet<MavenProject>();
|
||||||
for (String mod : project.getModules()) {
|
int size = 0;
|
||||||
LOGGER.info(" mod: " + mod);
|
LOGGER.fine(String.format("Collecting descendants of %s", project.getName()));
|
||||||
}
|
for (String m : project.getModules()) {
|
||||||
final List<MavenProject> result = new ArrayList<MavenProject>();
|
for (MavenProject mod : getReactorProjects()) {
|
||||||
for (MavenProject child : children) {
|
try {
|
||||||
if (isMultiModule(child)) {
|
File mpp = new File(project.getBasedir(), m);
|
||||||
LOGGER.info("* adding multi-module children " + child.getId());
|
mpp = mpp.getCanonicalFile();
|
||||||
result.addAll(getAllChildren(child, childMap));
|
if (mpp.compareTo(mod.getBasedir()) == 0) {
|
||||||
|
if (descendants.add(mod)) {
|
||||||
|
LOGGER.fine(String.format("Decendent module %s added", mod.getName()));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} catch (IOException ex) {
|
||||||
|
LOGGER.log(Level.FINE, "Unable to determine module path", ex);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
LOGGER.info("* " + child.getId());
|
|
||||||
result.add(child);
|
|
||||||
}
|
}
|
||||||
return result;
|
do {
|
||||||
|
size = descendants.size();
|
||||||
|
for (MavenProject p : getReactorProjects()) {
|
||||||
|
if (project.equals(p.getParent()) || descendants.contains(p.getParent())) {
|
||||||
|
if (descendants.add(p)) {
|
||||||
|
LOGGER.fine(String.format("Decendent %s added", p.getName()));
|
||||||
|
}
|
||||||
|
for (MavenProject modTest : getReactorProjects()) {
|
||||||
|
if (p.getModules() != null && p.getModules().contains(modTest.getName())) {
|
||||||
|
if (descendants.add(modTest)) {
|
||||||
|
LOGGER.fine(String.format("Decendent %s added", modTest.getName()));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for (MavenProject dec : descendants) {
|
||||||
|
for (String mod : dec.getModules()) {
|
||||||
|
try {
|
||||||
|
File mpp = new File(dec.getBasedir(), mod);
|
||||||
|
mpp = mpp.getCanonicalFile();
|
||||||
|
if (mpp.compareTo(p.getBasedir()) == 0) {
|
||||||
|
if (descendants.add(p)) {
|
||||||
|
LOGGER.fine(String.format("Decendent module %s added", p.getName()));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} catch (IOException ex) {
|
||||||
|
LOGGER.log(Level.FINE, "Unable to determine module path", ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} while (size != 0 && size != descendants.size());
|
||||||
|
LOGGER.fine(String.format("%s has %d children", project, descendants.size()));
|
||||||
|
return descendants;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -165,24 +197,6 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
|
|||||||
return "pom".equals(mavenProject.getPackaging());
|
return "pom".equals(mavenProject.getPackaging());
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Builds the parent-child map.
|
|
||||||
*
|
|
||||||
* @return a map of the parent/child relationships
|
|
||||||
*/
|
|
||||||
private Map<MavenProject, Set<MavenProject>> buildAggregateInfo() {
|
|
||||||
final Map<MavenProject, Set<MavenProject>> parentChildMap = new HashMap<MavenProject, Set<MavenProject>>();
|
|
||||||
for (MavenProject proj : getReactorProjects()) {
|
|
||||||
Set<MavenProject> depList = parentChildMap.get(proj.getParent());
|
|
||||||
if (depList == null) {
|
|
||||||
depList = new HashSet<MavenProject>();
|
|
||||||
parentChildMap.put(proj.getParent(), depList);
|
|
||||||
}
|
|
||||||
depList.add(proj);
|
|
||||||
}
|
|
||||||
return parentChildMap;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Initilizes the engine, runs a scan, and writes the serialized dependencies to disk.
|
* Initilizes the engine, runs a scan, and writes the serialized dependencies to disk.
|
||||||
*
|
*
|
||||||
@@ -216,9 +230,9 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
|
|||||||
engine.resetFileTypeAnalyzers();
|
engine.resetFileTypeAnalyzers();
|
||||||
scanArtifacts(project, engine);
|
scanArtifacts(project, engine);
|
||||||
engine.analyzeDependencies();
|
engine.analyzeDependencies();
|
||||||
File target = this.getCorrectOutputDirectory(project);
|
File target = new File(project.getBuild().getDirectory());
|
||||||
writeDataFile(getProject(), target, engine.getDependencies());
|
writeDataFile(project, target, engine.getDependencies());
|
||||||
showSummary(getProject(), engine.getDependencies());
|
showSummary(project, engine.getDependencies());
|
||||||
checkForFailure(engine.getDependencies());
|
checkForFailure(engine.getDependencies());
|
||||||
return engine;
|
return engine;
|
||||||
}
|
}
|
||||||
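Review bot: In getDescendants, the inner loop `for (MavenProject dec : descendants)` adds to `descendants` while iterating it (`if (descendants.add(p))`), so the first time that add actually inserts a new element — a reactor module whose `<parent>` is not the aggregator and was therefore not already added by the parent check just above — the HashSet iterator throws ConcurrentModificationException, which nothing in the method catches (the `catch (IOException ex)` only wraps the path lookup). Iterating a snapshot avoids it and the fixpoint loop picks up the new entries on the next pass: `for (MavenProject dec : new ArrayList<MavenProject>(descendants)) {`. That fixpoint condition, `} while (size != 0 && size != descendants.size());`, also stops after a single pass whenever the initial module scan found nothing (size is 0 going in), so descendants reachable only through a descendant added later in reactor order can be missed; `} while (size != descendants.size());` expresses the intended "until no change". The check `p.getModules().contains(modTest.getName())` compares `<module>` entries, which are directory paths, against the project `<name>`, so it will rarely match and is redundant with the canonical-path comparison that follows; it can be dropped. getDescendants is complete within its hunk, but the aggregation loop in the `@@ -84,41 +85,36` hunk starts outside it.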
|
|||||||
@@ -455,7 +455,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
|
|||||||
return (File) obj;
|
return (File) obj;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
LOGGER.info("Context value not found");
|
LOGGER.fine("Context value not found");
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
@@ -479,7 +479,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
|
|||||||
final MavenArtifact ma = new MavenArtifact(a.getGroupId(), a.getArtifactId(), a.getVersion());
|
final MavenArtifact ma = new MavenArtifact(a.getGroupId(), a.getArtifactId(), a.getVersion());
|
||||||
d.addAsEvidence("pom", ma, Confidence.HIGHEST);
|
d.addAsEvidence("pom", ma, Confidence.HIGHEST);
|
||||||
d.addProjectReference(project.getName());
|
d.addProjectReference(project.getName());
|
||||||
LOGGER.info(String.format("Adding project reference %s on dependency %s", project.getName(), d.getDisplayFileName()));
|
LOGGER.fine(String.format("Adding project reference %s on dependency %s", project.getName(), d.getDisplayFileName()));
|
||||||
if (metadataSource != null) {
|
if (metadataSource != null) {
|
||||||
try {
|
try {
|
||||||
DependencyVersion currentVersion = new DependencyVersion(a.getVersion());
|
DependencyVersion currentVersion = new DependencyVersion(a.getVersion());
|
||||||
@@ -502,7 +502,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
|
|||||||
} else {
|
} else {
|
||||||
final String msg = String.format("More then 1 dependency was identified in first pass scan of '%s:%s:%s'",
|
final String msg = String.format("More then 1 dependency was identified in first pass scan of '%s:%s:%s'",
|
||||||
a.getGroupId(), a.getArtifactId(), a.getVersion());
|
a.getGroupId(), a.getArtifactId(), a.getVersion());
|
||||||
LOGGER.info(msg);
|
LOGGER.fine(msg);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -941,9 +941,6 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
|
|||||||
if (mp.getContextValue(this.getDataFileContextKey()) == null) {
|
if (mp.getContextValue(this.getDataFileContextKey()) == null) {
|
||||||
if (writeTo == null) {
|
if (writeTo == null) {
|
||||||
file = new File(mp.getBuild().getDirectory());
|
file = new File(mp.getBuild().getDirectory());
|
||||||
if ("target".equals(file.getParentFile().getName())) {
|
|
||||||
file = file.getParentFile();
|
|
||||||
}
|
|
||||||
file = new File(file, dataFileName);
|
file = new File(file, dataFileName);
|
||||||
} else {
|
} else {
|
||||||
file = new File(writeTo, dataFileName);
|
file = new File(writeTo, dataFileName);
|
||||||
|
|||||||