Re: Transitive dependencies starting from WAR files

2016-05-25 Thread Jeremy Long
Have you considered using a tool like dependency-check-maven? (See the
dependency-check site for more details about the tool, and see a sample
report.)

--Jeremy

On Tue, May 24, 2016 at 8:07 AM, Hostettler, Steve <steve.hostett...@wolterskluwer.com> wrote:

> Hi,
>
> Our solution is composed of different war files. I would like, starting
> from the released artifacts that we deliver to our customer, to generate a
> dependency list.
> The goal is to be able to present an exhaustive list of dependencies we
> are relying on along with their licenses.
>
> The org.apache.maven.plugins:maven-dependency-plugin does not help, for it
> does not display War dependencies.
>
> I would prefer reusing an existing plugin but in the worst case I can also
> write my own plugin for that.
> Have you any suggestion on how to tackle this problem?
>
> Many thanks in advance for your help.
> Steve
>
>
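Added here as an illustration of Jeremy's suggestion, and not part of the original thread or of the plugin's own documentation: a parent POM fragment that binds dependency-check-maven's `aggregate` goal so that one report covers every module in the reactor, WAR modules included. The version property, the CVSS threshold and the build layout are assumptions; pin the version to a release you have verified.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- assumed property; replace with a released version you have checked -->
      <version>${dependency-check.version}</version>
      <executions>
        <execution>
          <!-- aggregate walks every module in the reactor and writes one report,
               instead of one report per module as the check goal does -->
          <goals>
            <goal>aggregate</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- ALL writes HTML, XML, CSV and JSON so the result can be read by
             people and consumed by other tooling -->
        <format>ALL</format>
        <!-- assumed policy: fail the build for any finding scored CVSS 7 or above -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
      </configuration>
    </plugin>
  </plugins>
</build>
```

Run `mvn verify` from the parent and the aggregated report is written under the parent's `target` directory. This reports known vulnerabilities against the CPEs the tool identifies; it is not a license inventory, so the license half of Steve's question still needs another source. To start from the delivered artifact rather than the build, the tool's command-line interface can be pointed at the WAR itself (for example `dependency-check.sh --scan path/to/app.war --out report-dir`), which unpacks the archive and analyzes the jars bundled inside it; that covers what actually ships, including jars that reached `WEB-INF/lib` by a route other than Maven resolution.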


aggregation and dependency resolution

2015-11-05 Thread Jeremy Long
I have been struggling with creating an aggregate goal that successfully works
and I was hoping someone on this list could help. The plugin is
dependency-check-maven
<https://github.com/jeremylong/DependencyCheck/tree/master/dependency-check-maven>;
it performs identification (CPE) and known vulnerability (CVE) reporting on
dependencies used by the project.

In order to perform CPE identification, the plugin needs maven to resolve each
module's dependencies. If we have a simple multi-module project:

Parent
-Child1
-Child2

If one defines the aggregate goal in the Parent, when the plugin executes,
dependency resolution (obviously) hasn't executed on the child modules. As
such, my plugin is unable to analyze the dependencies of the child modules.

I am currently using a hack, which turns out to be broken, that waits until the
plugin executes in the last module in the reactor and then builds the aggregate
report and over-writes the blank report that was generated when Parent was
processed. This “worked” in some cases, but fails for anything beyond
site:site. Running site:stage, due to execution order, would copy the blank
report into the staging directory prior to the correct report being
generated.

Does anyone have any suggestions for building an aggregate goal that requires
dependency resolution of all child modules? Is there a convenient API that
I am missing to trigger dependency resolution in child modules?

Thanks in advance,

Jeremy
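As an added illustration of the approach the question is circling around (this is example code, not dependency-check-maven's own source): a minimal aggregator mojo declared with Maven 3's plugin annotations. Marking the goal `aggregator = true` makes Maven run it once, from the reactor root, and `requiresDependencyResolution` tells Maven to resolve dependencies before the mojo runs; for an aggregator mojo, Maven 3 applies that resolution to every project in the session rather than only the current one, so `session.getProjects()` yields each module with `getArtifacts()` already populated. The goal name, class name and log format are assumptions.

```java
import java.util.Set;
import java.util.TreeSet;

import org.apache.maven.artifact.Artifact;
import org.apache.maven.execution.MavenSession;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.plugins.annotations.ResolutionScope;
import org.apache.maven.project.MavenProject;

/**
 * Illustrative aggregator goal (assumed name "example-aggregate"); not the
 * dependency-check-maven implementation.
 *
 * aggregator = true: the goal runs once, in the reactor root, instead of once
 * per module. requiresDependencyResolution = TEST: Maven resolves the test
 * scope (which includes compile and runtime) before execute() is called, and
 * because this is an aggregator it does so for every reactor project.
 */
@Mojo(name = "example-aggregate",
      aggregator = true,
      requiresDependencyResolution = ResolutionScope.TEST,
      defaultPhase = LifecyclePhase.VERIFY,
      threadSafe = true)
public class ExampleAggregateMojo extends AbstractMojo {

    /** The running build; gives access to all reactor projects, not just the current one. */
    @Parameter(defaultValue = "${session}", readonly = true, required = true)
    private MavenSession session;

    @Override
    public void execute() throws MojoExecutionException {
        // TreeSet: de-duplicates artifacts shared by several modules and sorts the listing.
        Set<String> coordinates = new TreeSet<>();

        for (MavenProject project : session.getProjects()) {
            // Populated by Maven's resolution step, which ran before execute()
            // for every reactor project because the mojo is an aggregator.
            Set<Artifact> artifacts = project.getArtifacts();
            if (artifacts == null || artifacts.isEmpty()) {
                // Make a module that contributed nothing visible rather than
                // letting it silently vanish from the report.
                getLog().warn("No resolved artifacts for " + project.getId()
                        + "; dependency resolution did not run for this module");
                continue;
            }
            for (Artifact a : artifacts) {
                coordinates.add(a.getGroupId() + ":" + a.getArtifactId() + ":" + a.getVersion()
                        + " (" + a.getScope() + ", via " + project.getArtifactId() + ")");
            }
        }

        // Stand-in for the real work: a CPE/CVE analyzer would consume these
        // artifacts, and the single report would be written here, exactly once.
        getLog().info("Resolved " + coordinates.size() + " distinct artifacts across "
                + session.getProjects().size() + " reactor projects");
        for (String c : coordinates) {
            getLog().info(c);
        }
    }
}
```

Invoke it through a lifecycle phase (`mvn verify`) rather than as a bare goal, so sibling modules have been packaged and inter-module dependencies resolve to built artifacts. Because the report is written once, after resolution has happened for the whole reactor, the last-module-in-the-reactor hack and its ordering problem with site:stage go away. Check the resolve-all-projects behaviour against the Maven version you target before relying on it.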


Re: Maven, Dependencies and Vulnerabilities

2014-09-30 Thread Jeremy Long
There are commercial solutions (sonatype, contrast, blackduck, palamida,
etc.) and FOSS solutions (dependency-check, victims, retire.js, etc.) to
identify and report on known vulnerabilities. I would recommend looking at
these solutions (note, I am the main contributor to dependency-check).

A better solution for the POM modification would be to add a CPE
identifier. This would also be a great entry for a jar file's manifest. CPE
identifiers can be requested even if there are no known CVEs, but the CPE
can be used to lookup the related CVEs.

-jeremy
@ctxt
On Sep 30, 2014 2:45 PM, David Dillard ddill...@symantec.com wrote:

 Hi,

 I've been working on an internal presentation on how letting Maven's
 dependency mediation feature select versions of transitive dependencies can
 introduce vulnerabilities into a product and how to deal with that
 problem.  Unfortunately, it's a very manual process and I was thinking that
 perhaps changes could be made to Maven that would provide better
 automation.  To that end I'm wondering if the team has ever considered
 adding a section to the POM that would list significant changes in that
 release.  This would include a list of vulnerabilities fixed (e.g.
 CVE--) or serious bugs fixed.  Each one could include a known set
 of versions affected (à la how CVEs work today) thus allowing tooling to
 say: the version of artifact XYZ you're using has a known vulnerability,
 would you like to upgrade to this new version with that vuln fixed?

 On a related note, has a different dependency mediation system ever been
 considered (as an option), e.g. latest version or latest version on a
 branch?


 Thanks,

 David




Re: Jar file not in maven

2013-01-29 Thread Jeremy Long
One solution I've seen people use is outlined here:
http://blog.dub.podval.org/2010/01/maven-in-project-repository.html

--Jeremy

On Tue, Jan 29, 2013 at 11:16 AM, Kristian Lind klpc...@gmail.com wrote:

 Hi. I have a Java project that uses Maven.
 I have some jar files that I want to use in the project, and they are not
 in the Maven repo.
 Can I make a Maven dependency on these jar files? I do not have a local
 Maven repo.

 Kris
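The approach in the linked post, as an added example (this is not code from the thread or from the linked post): a per-project repository laid out in the standard Maven directory structure inside the source tree and declared in the POM, so the jar resolves like any other dependency without a shared server. The coordinates `com.example.vendor:vendor-sdk:1.0` and the `lib` directory name are assumptions.

```xml
<!-- pom.xml fragment; assumed layout:
       lib/com/example/vendor/vendor-sdk/1.0/vendor-sdk-1.0.jar
       lib/com/example/vendor/vendor-sdk/1.0/vendor-sdk-1.0.pom
       plus the .sha1/.md5 checksum files generated alongside them -->
<repositories>
  <repository>
    <id>in-project</id>
    <name>Jars checked into the project tree</name>
    <!-- ${project.basedir} is the directory containing this POM, so the URL
         is absolute on every checkout; in a multi-module build each module
         has its own basedir, so declare this in the module that owns lib/ -->
    <url>file://${project.basedir}/lib</url>
  </repository>
</repositories>

<dependencies>
  <dependency>
    <!-- assumed coordinates; they must match the directory path under lib/ -->
    <groupId>com.example.vendor</groupId>
    <artifactId>vendor-sdk</artifactId>
    <version>1.0</version>
  </dependency>
</dependencies>
```

Populate `lib/` with the install plugin rather than by hand, so the directory layout, the generated POM and the checksum files are all correct: `mvn install:install-file -Dfile=vendor-sdk-1.0.jar -DgroupId=com.example.vendor -DartifactId=vendor-sdk -Dversion=1.0 -Dpackaging=jar -DlocalRepositoryPath=lib -DcreateChecksum=true`. Commit the checksum files with the jar. A file repository sits outside any remote repository's integrity or signature checks, so treat a jar added this way like vendored source: record where it came from and what its hash was when you took it, and review it when it changes.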