feat: Scan Maven Plugins (#5001)

core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -211,6 +211,7 @@ public static void mergeDependencies(final Dependency dependency,
         //  we may want to merge project references on virtual dependencies...
         if (dependency.getSha1sum() != null && dependency.getSha1sum().equals(relatedDependency.getSha1sum())) {
             dependency.addAllProjectReferences(relatedDependency.getProjectReferences());
+            dependency.addAllIncludedBy(relatedDependency.getIncludedBy());
         }
         if (dependenciesToRemove != null) {
             dependenciesToRemove.add(relatedDependency);

core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -102,6 +102,13 @@ public class Dependency extends EvidenceCollection implements Serializable {
      * A collection of related dependencies.
      */
     private final SortedSet<Dependency> relatedDependencies = new TreeSet<>(Dependency.NAME_COMPARATOR);
+    /**
+     * The set of dependencies that included this dependency (i.e., this is a
+     * transitive dependency because it was included by X). This is a pair where
+     * the left element is the includedBy and the right element is the type
+     * (e.g. buildEnv, plugins).
+     */
+    private final Set<IncludedByReference> includedBy = new HashSet<>();
     /**
      * A list of projects that reference this dependency.
      */
@@ -784,6 +791,46 @@ public synchronized void clearRelatedDependencies() {
         relatedDependencies.clear();
     }
 
+    /**
+     * Get the unmodifiable set of includedBy (the list of parents of this
+     * transitive dependency).
+     *
+     * @return the unmodifiable set of includedBy
+     */
+    public synchronized Set<IncludedByReference> getIncludedBy() {
+        return Collections.unmodifiableSet(new HashSet<>(includedBy));
+    }
+
+    /**
+     * Adds the parent or root of the transitive dependency chain (i.e., this
+     * was included by the parent dependency X).
+     *
+     * @param includedBy a project reference
+     */
+    public synchronized void addIncludedBy(String includedBy) {
+        this.includedBy.add(new IncludedByReference(includedBy, null));
+    }
+
+    /**
+     * Adds the parent or root of the transitive dependency chain (i.e., this
+     * was included by the parent dependency X).
+     *
+     * @param includedBy a project reference
+     * @param type the type of project reference (i.e. 'plugins', 'buildEnv')
+     */
+    public synchronized void addIncludedBy(String includedBy, String type) {
+        this.includedBy.add(new IncludedByReference(includedBy, type));
+    }
+
+    /**
+     * Adds a set of project references.
+     *
+     * @param includedBy a set of project references
+     */
+    public synchronized void addAllIncludedBy(Set<IncludedByReference> includedBy) {
+        this.includedBy.addAll(includedBy);
+    }
+
     /**
      * Get the unmodifiable set of projectReferences.
      *

core/src/main/java/org/owasp/dependencycheck/dependency/IncludedByReference.java

@@ -0,0 +1,73 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2023 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.dependency;
+
+import java.io.Serializable;
+
+/**
+ * POJO to store a reference to the "included by" node in a dependency tree;
+ * where included by is the root node that caused a dependency to be included.
+ *
+ * @author Jeremy Long
+ */
+public class IncludedByReference implements Serializable {
+
+    /**
+     * The serial version UID for serialization.
+     */
+    private static final long serialVersionUID = 4339975160204621746L;
+
+    /**
+     * The reference.
+     */
+    private final String reference;
+    /**
+     * The reference's type.
+     */
+    private final String type;
+
+    /**
+     * Constructs a new reference.
+     *
+     * @param reference the reference
+     * @param type the reference's type
+     */
+    public IncludedByReference(String reference, String type) {
+        this.reference = reference;
+        this.type = type;
+    }
+
+    /**
+     * Get the value of reference.
+     *
+     * @return the value of reference
+     */
+    public String getReference() {
+        return reference;
+    }
+
+    /**
+     * Get the value of type.
+     *
+     * @return the value of type
+     */
+    public String getType() {
+        return type;
+    }
+
+}

core/src/main/resources/schema/dependency-check.2.5.xsd

@@ -195,6 +195,21 @@
                     </xs:sequence>
                 </xs:complexType>
             </xs:element>
+            <xs:element name="includedBy" minOccurs="0" maxOccurs="1">
+                <xs:complexType>
+                    <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                        <xs:element name="reference" minOccurs="0" maxOccurs="unbounded">
+                            <xs:complexType>
+                                <xs:simpleContent>
+                                    <xs:extension base="xs:string">
+                                        <xs:attribute name="type" type="xs:string"/>
+                                    </xs:extension>
+                                </xs:simpleContent>
+                            </xs:complexType>
+                        </xs:element>
+                    </xs:sequence>
+                </xs:complexType>
+            </xs:element>
             <xs:element name="relatedDependencies" minOccurs="0" maxOccurs="1">
                 <xs:complexType>
                     <xs:sequence minOccurs="0" maxOccurs="unbounded">

core/src/main/resources/templates/htmlReport.vsl

@@ -605,6 +605,28 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             .underline {
                 text-decoration: underline;
             }
+            .tooltip {
+              position: relative;
+              display: inline-block;
+              border-bottom: 1px dotted black;
+            }
+
+            .tooltip .tooltiptext {
+              visibility: hidden;
+              width: 220px;
+              background-color: #cccccc;
+              text-align: center;
+              border-radius: 6px;
+              padding: 5px 0;
+
+              /* Position the tooltip */
+              position: absolute;
+              z-index: 1;
+            }
+
+            .tooltip:hover .tooltiptext {
+              visibility: visible;
+            }
         </style>
     </head>
     <body>
@@ -815,10 +837,7 @@ Getting Help: <a href="https://github.com/jeremylong/DependencyCheck/issues" tar
                             <b>SHA256:</b>$enc.html($dependency.Sha256sum)
                             #end
                             #if ($dependency.projectReferences.size()==1)
-                                <br/><b>Referenced In Project/Scope:</b>
-                                #foreach($ref in $dependency.projectReferences)
-                                    $enc.html($ref)
-                                #end
+                                <br/><b>Referenced In Project/Scope:</b> $enc.html($dependency.projectReferences.iterator().next())
                             #end
                             #if ($dependency.projectReferences.size()>1)
                                 <br/><b>Referenced In Projects/Scopes:</b><ul>
@@ -827,6 +846,17 @@ Getting Help: <a href="https://github.com/jeremylong/DependencyCheck/issues" tar
                                 #end
                                 </ul>
                             #end
+                            #if ($dependency.includedBy.size()==1)
+                                #set($incBy=$dependency.includedBy.iterator().next())
+                                <br/><span class="tooltip"><span class="tooltiptext">$enc.html($dependency.DisplayFileName) is in the transitive dependency tree of the listed items.</span><b>Included by:</b></span> $enc.html($incBy.getReference())#if($incBy.getType()) ($enc.html($incBy.getType()))#end
+                            #end
+                            #if ($dependency.includedBy.size()>1)
+                                <br/><span class="tooltip"><span class="tooltiptext">$enc.html($dependency.DisplayFileName) is in the transitive dependency tree of the listed items.</span><b>Included by:</b></span><ul>
+                                #foreach($parent in $dependency.includedBy)
+                                    <li>$enc.html($parent.getReference())#if($parent.getType()) ($enc.html($parent.getType()))#end</li>
+                                #end
+                                </ul>
+                            #end
                         </p>
                         #set($cnt=$cnt+1)
                         <h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
@@ -1033,11 +1063,32 @@ Getting Help: <a href="https://github.com/jeremylong/DependencyCheck/issues" tar
                                     #end
                                 #end
                                     <b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
-                                    #if(!$dependency.isVirtual())
+                                #if(!$dependency.isVirtual())
                                     <b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
                                     <b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)<br/>
                                     <b>SHA256:</b>&nbsp;$enc.html($dependency.Sha256sum)
+                                #end
+                                #if ($dependency.projectReferences.size()==1)
+                                    <br/><b>Referenced In Project/Scope:</b> $enc.html($dependency.projectReferences.iterator().next())
+                                #end
+                                #if ($dependency.projectReferences.size()>1)
+                                    <br/><b>Referenced In Projects/Scopes:</b><ul>
+                                    #foreach($ref in $dependency.projectReferences)
+                                        <li>$enc.html($ref)</li>
+                                    #end
+                                    </ul>
+                                #end
+                                #if ($dependency.includedBy.size()==1)
+                                    #set($incBy=$dependency.includedBy.iterator().next())
+                                    <br/><span class="tooltip"><span class="tooltiptext">$enc.html($dependency.DisplayFileName) is in the transitive dependency tree of the listed items.</span><b>Included by:</b></span> $enc.html($incBy.getReference())#if($incBy.getType()) ($enc.html($incBy.getType()))#end
+                                #end
+                                #if ($dependency.includedBy.size()>1)
+                                    <br/><b>Included by:</b><ul>
+                                    #foreach($parent in $dependency.includedBy)
+                                        <li>$enc.html($parent.getReference())#if($parent.getType()) ($enc.html($parent.getType()))#end</li>
                                     #end
+                                    </ul>
+                                #end
                                 </p>
                                 #set($cnt=$cnt+1)
                                 <h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>

core/src/main/resources/templates/jenkinsReport.vsl

@@ -627,12 +627,13 @@ Getting Help: <a href="https://github.com/jeremylong/DependencyCheck/issues" tar
                                 </ul>
                             #end
                             #if ($dependency.includedBy && $dependency.includedBy.size()==1)
-                                <br/><span class="tooltip"><span class="tooltiptext">$enc.html($dependency.DisplayFileName) is in the transitive dependency tree of the listed items.</span><b>Included by:</b></span> $enc.html($dependency.includedBy.iterator().next())
+                                #set($incBy=$dependency.includedBy.iterator().next())
+                                <br/><span class="tooltip"><span class="tooltiptext">$enc.html($dependency.DisplayFileName) is in the transitive dependency tree of the listed items.</span><b>Included by:</b></span> $enc.html($incBy.getReference())#if($incBy.getType()) ($enc.html($incBy.getType()))#end
                             #end
                             #if ($dependency.includedBy && $dependency.includedBy.size()>1)
                                 <br/><span class="tooltip"><span class="tooltiptext">$enc.html($dependency.DisplayFileName) is in the transitive dependency tree of the listed items.</span><b>Included by:</b></span><ul>
                                 #foreach($parent in $dependency.includedBy)
-                                    <li>$enc.html($parent)</li>
+                                    <li>$enc.html($parent.getReference())#if($parent.getType()) ($enc.html($parent.getType()))#end</li>
                                 #end
                                 </ul>
                             #end

core/src/main/resources/templates/jsonReport.vsl

@@ -70,6 +70,14 @@
             #end
             ]
             #end
+            #if ($dependency.includedBy.size()>0)
+            ,"includedBy": [
+            #foreach($ref in $dependency.includedBy)
+                #if($foreach.count > 1),#end
+                { "reference":"$enc.json($ref.getReference())"#if($ref.getType()),"type":"$enc.json($ref.getType())"#end }
+            #end
+            ]
+            #end
             #if ($dependency.getRelatedDependencies().size()>0)
             ,"relatedDependencies": [
                 #foreach($related in $dependency.getRelatedDependencies()) #if($foreach.count > 1),#end {

core/src/main/resources/templates/xmlReport.vsl

@@ -89,6 +89,13 @@ Copyright (c) 2018 Jeremy Long. All Rights Reserved.
 #end
             </projectReferences>
 #end
+#if ($dependency.includedBy.size()>0)
+            <includedBy>
+#foreach($ref in $dependency.includedBy)
+                <reference#if($ref.getType()) type="$enc.xml($ref.getType())"#end>$enc.xml($ref.getReference())</reference>
+#end
+            </includedBy>
+#end
 #if ($dependency.getRelatedDependencies().size()>0)
             <relatedDependencies>
 #foreach($related in $dependency.getRelatedDependencies())

maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java

@@ -96,6 +96,24 @@ protected ExceptionCollection scanDependencies(final Engine engine) throws MojoE
         return exCol;
     }
 
+    /**
+     * Scans the plugins of the project.
+     *
+     * @param engine the engine used to perform the scanning
+     * @param exCollection the collection of exceptions that might have occurred
+     * previously
+     * @return a collection of exceptions
+     * @throws MojoExecutionException thrown if a fatal exception occurs
+     */
+    @Override
+    protected ExceptionCollection scanPlugins(final Engine engine, final ExceptionCollection exCollection) throws MojoExecutionException {
+        ExceptionCollection exCol = scanPlugins(getProject(), engine, null);
+        for (MavenProject childProject : getDescendants(this.getProject())) {
+            exCol = scanPlugins(childProject, engine, exCol);
+        }
+        return exCol;
+    }
+
     /**
      * Returns a set containing all the descendant projects of the given
      * project.