What does it actually check in Maven projects


#1

Hi there!

I have a question on where DepShield actually looks when checking Maven projects: is it the dependencies section of the pom.xml only, or also the dependencyManagement section, or something completely different?

Reason for asking is I have a GitHub Maven project which consists only of a couple of pom.xml files which define dependencyManagement and pluginManagement and version properties used by them. These are intended to be used as Maven parents or as a Maven BOM for other Maven projects. The idea behind it is to align 3rd-party dependencies on projects to the same current version. Now I just would like to know: when I enable DepShield for that GitHub project, will it actually file issues to it when there is something in the dependencyManagement section with a version defined by a property which is vulnerable, or does it need a project using that in its dependencies section for an issue to be filed?

In my case it would be nice if DepShield would look at the dependencyManagement section.

Url for what I am talking about is GitHub - agilhard-oss/agilhard-align-modules: Maven pom/bom for Dependency Alignment and Maven Project Parents

Kind regards,
Bernd Eilers


#2

Hi Bernd,

Thanks for checking out DepShield. To see what dependencies DepShield would pick up and check you can run ‘mvn dependency:tree’ from the root of the project. This will pick up dependencies in the dependency section for the root project and any sub-modules defined in the aggregation pom.

I forked your project and did the above and no dependencies are currently being picked up as it looks like there are no dependencies declared in any of your pom files.

I see what you’re doing with this project in that you’re defining the tech stack that dependent projects have available to them and to provide some standardization around that.

Right now DepShield evaluates dependencies that would become part of the built artifact.

If you had a sub-module with a pom that declared dependencies for all the ones listed in the dependencyManagement section of the parent pom we would be able to analyze those dependencies.

If you want I can create a pull request for your project with an example of what I’m describing. Let me know.

Hope this helps and thanks again for checking out DepShield.

Russ Jackson
Sr. Software Engineer
Sonatype
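The layout Russ describes, as an added illustration that is not part of the original thread and not taken from the agilhard-oss/agilhard-align-modules project: a parent pom that centralizes versions in dependencyManagement (via a property, as in the question), plus one aggregated sub-module whose dependencies section lists those same artifacts without a version. The groupId, artifactIds and module name are constructed placeholders; the commons-io coordinates are a real artifact used only so the build resolves offline-cached or from Central.

```xml
<!-- pom.xml at the repository root (constructed example; coordinates are placeholders) -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example.align</groupId>
  <artifactId>align-parent</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>

  <!-- Aggregation: the module listed here is what 'mvn dependency:tree' (and hence DepShield) resolves -->
  <modules>
    <module>stack-check</module>
  </modules>

  <properties>
    <!-- Version aligned in one place and referenced by the managed dependency below -->
    <commons-io.version>2.11.0</commons-io.version>
  </properties>

  <!-- dependencyManagement alone contributes nothing to the built artifact, so nothing is analyzed here -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>${commons-io.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>

<!-- stack-check/pom.xml (constructed example): the sub-module that actually declares the managed dependencies -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>com.example.align</groupId>
    <artifactId>align-parent</artifactId>
    <version>1.0.0</version>
  </parent>
  <artifactId>stack-check</artifactId>
  <packaging>jar</packaging>

  <dependencies>
    <!-- No <version> here: it is inherited from the parent's dependencyManagement,
         so this module's dependency tree reflects exactly the aligned versions -->
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
    </dependency>
  </dependencies>
</project>
```

Running `mvn dependency:tree` from the root with only the first pom present prints an empty tree for align-parent, which matches Russ's observation; once the stack-check module is added, the same command lists commons-io:commons-io:jar:2.11.0 under stack-check, and that resolved set is what DepShield evaluates. Every artifact you want covered has to be repeated in the sub-module's dependencies section, which is the one maintenance cost of this approach.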