Check Yarn vulnerabilities with aggregate goal of maven plugin #6325
Comments
I tried to make it work on my Jenkins instances (using a Jenkins pipeline), and there are more problems than I thought. I faced this error (only on Jenkins; locally it works):
(My 2 cents: I feel this warning ☝️ should be more verbose (path of yarn, error returned, ...))
In my case Node is also installed by (Why does it work locally? Because I have I tried to work around it in by:
which works!
But I get :
I will probably investigate other vulnerability-check solutions (eclipse-leshan/leshan#1566).
CycloneDX plugins may be viable. You can then set up dependency-track to monitor the SBOMs.
Another option might be to configure the front-end plugin's installation directory: https://github.com/eirslett/frontend-maven-plugin?tab=readme-ov-file#installation-directory Then also configure these to be on the path so that node and yarn.
I'm not sure how it could help, as I cannot set nodePath in
I understand that maybe a more future-proof approach is to use some tools to generate standard SBOMs, then use other tools to check vulnerabilities from those SBOMs. When you say
> dependency-track platform

I understand that you implicitly say that this project (
The "problem" with dependency-track is that I need to deploy it. Maybe it's not a good idea, but I was looking more for a build tool which gives me a list of issues/warnings (ideally integrated with Maven).
This is related to #5432.
Does the frontend maven plugin specify the path to node via an ENV variable or config option for yarn?
It looks like a little bit.
I'm not sure. I think yarn is executed via: The yarn config is created here: Mainly:

```java
/**
 * The base directory for installing node and npm.
 */
@Parameter(property = "installDirectory", required = false)
protected File installDirectory;
```
(On my side I will experiment with other tools like trivy.)
One thing you may find with tools like trivy is that some JAR files may not be correctly identified. Problematic JARs would be shaded/uber/one JAR files and possibly those built using something other than Maven (which could be the transitive dependencies used in your app). I'm not saying things won't be identified correctly - I don't use trivy specifically. I have found these to be an issue with other tools so it is something to watch out for. One of the main reasons is that Maven does a great thing by embedding the pom.xml into the JAR which really helps with identification. Other build management tools do not do this.
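A small check for the JAR-identification caveat above, added here as an example that is not from the thread or from any of the tools it mentions: it looks for the pom.properties Maven embeds under META-INF/maven and flags JARs with none (built by another tool) or several (shaded/uber). All JARs and coordinates are constructed in memory and are hypothetical.

```python
import io
import zipfile

def parse_pom_properties(text):
    """Parse the key=value lines Maven writes into META-INF/maven/*/pom.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def identify_jar(data):
    """Classify JAR bytes: 'maven' (one pom.properties), 'shaded' (several), 'unknown' (none)."""
    coords = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if entry.startswith("META-INF/maven/") and entry.endswith("/pom.properties"):
                p = parse_pom_properties(zf.read(entry).decode("utf-8", "replace"))
                coords.append((p.get("groupId", "?"), p.get("artifactId", "?"), p.get("version", "?")))
    kind = "maven" if len(coords) == 1 else "shaded" if len(coords) > 1 else "unknown"
    return kind, sorted(coords)

def build_jar(entries):
    """Build an in-memory JAR (a zip) from {path: content}; only used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()

def pom_props(group, artifact, version):
    return f"#Generated by Maven\ngroupId={group}\nartifactId={artifact}\nversion={version}\n"

# Constructed sample JARs with hypothetical coordinates (not real artifacts).
SAMPLE_JARS = {
    "plain.jar": build_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
                            "META-INF/maven/org.example/plain-lib/pom.properties": pom_props("org.example", "plain-lib", "1.2.3")}),
    "uber.jar": build_jar({"META-INF/maven/org.example/app/pom.properties": pom_props("org.example", "app", "2.0.0"),
                           "META-INF/maven/org.example/dep/pom.properties": pom_props("org.example", "dep", "0.9")}),
    "gradle-built.jar": build_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: 3.1\n"}),
}

def scan(jars):
    """Map each JAR name to (kind, coordinates); 'unknown' and 'shaded' entries deserve manual review."""
    return {name: identify_jar(data) for name, data in jars.items()}

if __name__ == "__main__":
    print(scan(SAMPLE_JARS))
```

Point `scan` at real JAR bytes from your build's dependency directory to see which artifacts a scanner can identify from Maven metadata alone and which it has to guess at.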
Thx for warning me 🙏. As I said, ideally I would like to just use a Maven plugin to check dependency vulnerabilities. But it seems that the industry is moving to something like tooling for generating an SBOM, then using that SBOM for checking vulnerabilities (and also some other tasks like checking licenses). So I was thinking that I would easily find little specialized tools to generate SBOMs, other tools specialized in vulnerability checks, and some other tools to check licenses. In my case I found a plugin to generate the SBOM:
And I didn't find a small tool to check vulnerabilities from that SBOM. (Maybe I can use Trivy: https://aquasecurity.github.io/trivy/v0.48/docs/target/sbom/) But it seems there is rather big all-in-one tooling:
If you ran your build with Can you have the front-end plugin run
Yes, I can see it:

```
[INFO] --- frontend-maven-plugin:1.13.4:yarn (yarn install) @ leshan-bsserver-demo ---
[DEBUG] Configuring mojo com.github.eirslett:frontend-maven-plugin:1.13.4:yarn from plugin realm ClassRealm[plugin>com.github.eirslett:frontend-maven-plugin:1.13.4, parent: jdk.internal.loader.ClassLoaders$AppClassLoader@55054057]
[DEBUG] Configuring mojo 'com.github.eirslett:frontend-maven-plugin:1.13.4:yarn' with basic configurator -->
[DEBUG]   (f) project = MavenProject: org.eclipse.leshan:leshan-bsserver-demo:2.0.0-SNAPSHOT @ /home/sbernard/git/leshan/leshan-bsserver-demo/pom.xml
[DEBUG]   (f) repositorySystemSession = org.eclipse.aether.DefaultRepositorySystemSession@50910df1
[DEBUG]   (f) session = org.apache.maven.execution.MavenSession@42373389
[DEBUG]   (f) skipTests = true
[DEBUG]   (f) testFailureIgnore = false
[DEBUG]   (f) workingDirectory = /home/sbernard/git/leshan/leshan-bsserver-demo/webapp
[DEBUG]   (f) yarnInheritsProxyConfigFromMaven = true
[DEBUG]   (f) execution = com.github.eirslett:frontend-maven-plugin:1.13.4:yarn {execution: yarn install}
[DEBUG] -- end configuration --
[INFO] Running 'yarn ' in /home/sbernard/git/leshan/leshan-bsserver-demo/webapp
[DEBUG] Executing command line [/home/sbernard/git/leshan/leshan-bsserver-demo/webapp/node/yarn/dist/bin/yarn]
[INFO] yarn install v1.22.19
[INFO] [1/4] Resolving packages...
[INFO] success Already up-to-date.
[INFO] Done in 0.23s.
[DEBUG] Exit value 0
[INFO]
[INFO] --- frontend-maven-plugin:1.13.4:yarn (yarn build) @ leshan-bsserver-demo ---
[DEBUG] Configuring mojo com.github.eirslett:frontend-maven-plugin:1.13.4:yarn from plugin realm ClassRealm[plugin>com.github.eirslett:frontend-maven-plugin:1.13.4, parent: jdk.internal.loader.ClassLoaders$AppClassLoader@55054057]
[DEBUG] Configuring mojo 'com.github.eirslett:frontend-maven-plugin:1.13.4:yarn' with basic configurator -->
[DEBUG]   (f) arguments = build
[DEBUG]   (f) environmentVariables = {MAVEN_OUTPUT_DIR=/home/sbernard/git/leshan/leshan-bsserver-demo/target/classes/webapp, VITE_APP_COMMIT_ID=3c92a00a8aa6b0f83a0bc96d013bcd1a6723f455, VITE_APP_VERSION=2.0.0-SNAPSHOT}
[DEBUG]   (f) project = MavenProject: org.eclipse.leshan:leshan-bsserver-demo:2.0.0-SNAPSHOT @ /home/sbernard/git/leshan/leshan-bsserver-demo/pom.xml
[DEBUG]   (f) repositorySystemSession = org.eclipse.aether.DefaultRepositorySystemSession@50910df1
[DEBUG]   (f) session = org.apache.maven.execution.MavenSession@42373389
[DEBUG]   (f) skipTests = true
[DEBUG]   (f) testFailureIgnore = false
[DEBUG]   (f) workingDirectory = /home/sbernard/git/leshan/leshan-bsserver-demo/webapp
[DEBUG]   (f) yarnInheritsProxyConfigFromMaven = true
[DEBUG]   (f) execution = com.github.eirslett:frontend-maven-plugin:1.13.4:yarn {execution: yarn build}
[DEBUG] -- end configuration --
[INFO] Running 'yarn build' in /home/sbernard/git/leshan/leshan-bsserver-demo/webapp
[DEBUG] Executing command line [/home/sbernard/git/leshan/leshan-bsserver-demo/webapp/node/yarn/dist/bin/yarn, build]
```
Yep, I did it: Maven output looks like:
I had an idea about how I might be able to make ODC work with this. I'm going to have to do some testing on eclipse-leshan/leshan@c611bcf
In my case, I finally found an alternative:
But if you still want to make this use case work, let me know if I can help (e.g. by testing or reviewing).
My guess is that the root of the problem here is likely mainly that ODC doesn't work with Yarn 2+ (Berry), not something specific to Maven. (Although the error reporting needs some work to make it easier to find the problem, as you tend to get
Just to mention, all my tests/use cases above ☝️ use Yarn Classic (v1).
I tried to integrate `dependency-check-maven` into my multi-module Maven project; all works as expected for Java. But in my project I'm using `frontend-maven-plugin` to build a frontend webapp with yarn. There are 2 web applications in the webapp folder of 2 child modules (`leshan-server-demo`/`leshan-bsserver-demo`). Yarn is downloaded by this `frontend-maven-plugin`. So I adapted my pom like this:
See commit: eclipse-leshan/leshan@c611bcf
This works when I use `mvn dependency-check:check` (I mean I see js vulnerabilities). But this doesn't work when using `mvn dependency-check:aggregate` (in that case I just see Java vulnerabilities). (I know that the documentation says not to use ${project.basedir}, but I was not able to make it work without this.)
I succeeded in working around this by adding this configuration on the root pom.xml:
(commit eclipse-leshan/leshan@4e24719)
And now it works when using: `mvn -Paggregate dependency-check:aggregate`
But the solution is clearly not elegant, so I guess I missed something 🤔
Please let me know if I did something wrong 🙏
If you want to reproduce: