
maven dependency but no version

Open jsqfengbao opened this issue 1 year ago • 5 comments

A Maven dependency with no version gets its version from one of three places: the version number defined in dependencyManagement, the version number of the parent, or a version that another dependency already declares but that is redefined here. These three situations depend on Maven's build mechanism: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html Now the question is: if a Maven dependency has no version, then osv-scanner will not extract it. Is there such a vulnerability that is not detected by osv-scanner?

jsqfengbao avatar Jul 16 '24 02:07 jsqfengbao

I believe Maven does not allow dependencies without requirements declared. Can you give an example where you observe Maven dependencies without version requirements?

cuixq avatar Jul 16 '24 22:07 cuixq

For example, just like this: https://github.com/jeecgboot/JeecgBoot/blob/master/jeecg-boot/pom.xml#L119-#L133 from line 119 to line 133. Its version number should be inherited from the parent version number: 2.7.18

jsqfengbao avatar Jul 16 '24 22:07 jsqfengbao

Or the version numbers here, some of which come from the version numbers defined in dependencyManagement: https://github.com/jeecgboot/JeecgBoot/blob/master/jeecg-boot/jeecg-boot-base-core/pom.xml

jsqfengbao avatar Jul 16 '24 23:07 jsqfengbao

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.test</groupId>
    <artifactId>myJavaDemo</artifactId>
    <version>1.1-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>10</maven.compiler.source>
        <maven.compiler.target>10</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.0.0</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

    <dependencies>
        <!-- No <version>: inherited from the parent's dependencyManagement -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>

        <!-- Database Driver -->
        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
            <scope>runtime</scope>
        </dependency>
        <!-- If you use MySQL -->
        <!-- <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency> -->

        <!-- Lombok for code generation -->
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <version>1.18.24</version>
            <scope>provided</scope>
        </dependency>

        <!-- Spring Boot Testing -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

        <!-- Version declared inline -->
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>fastjson</artifactId>
            <version>1.2.43</version>
        </dependency>
    </dependencies>
</project>
```

For example, in the pom.xml above, the component list returned by the command I executed is empty, but in fact there should be fastjson.

```
$ osv-scanner --experimental-offline .
Scanning dir .
Scanned /Users/pom.xml file and found 8 packages
could not load db for Maven ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
could not load db for Maven ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
could not load db for Maven ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
could not load db for Maven ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
could not load db for Maven ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
could not load db for Maven ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
could not load db for Maven ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
could not load db for Maven ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
```

jsqfengbao avatar Jul 16 '24 23:07 jsqfengbao

As far as I know, OSV-Scanner should be able to resolve version requirements from dependency management or parent.

For the pom.xml that you provided, the <project> and <modelVersion> tags are missing. OSV-Scanner is able to identify transitive dependencies with both tags added.

However, for offline mode, since no requests will be made, parent pom files are not fetched from upstream and thus some version requirements are not resolved.

cuixq avatar Jul 17 '24 17:07 cuixq
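The split cuixq describes, between versions a single pom.xml can supply on its own (inline or via its dependencyManagement) and versions that only the parent POM holds, can be made visible with a small resolver. The Go code below is an added example written for this thread, not osv-scanner's own extractor; the pom.xml it parses is constructed to mirror the poster's file, with assumed version values.

```go
package main

import "encoding/xml"

type Dependency struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
}

// POM keeps only what one pom.xml can supply without fetching anything.
type POM struct {
	Managed []Dependency `xml:"dependencyManagement>dependencies>dependency"`
	Deps    []Dependency `xml:"dependencies>dependency"`
}

// ResolveVersions fills versions from inline declarations and this POM's own
// dependencyManagement. Keys left unresolved would need the parent POM, which
// offline mode never fetches, so they are exactly the gap the issue describes.
func ResolveVersions(pomXML string) (map[string]string, []string, error) {
	var pom POM
	if err := xml.Unmarshal([]byte(pomXML), &pom); err != nil {
		return nil, nil, err
	}
	managed := map[string]string{}
	for _, d := range pom.Managed {
		managed[d.GroupID+":"+d.ArtifactID] = d.Version
	}
	resolved, unresolved := map[string]string{}, []string{}
	for _, d := range pom.Deps {
		key, v := d.GroupID+":"+d.ArtifactID, d.Version
		if v == "" {
			v = managed[key] // inherit from dependencyManagement in this file
		}
		if v == "" { // only a parent POM could still supply it
			unresolved = append(unresolved, key)
			continue
		}
		resolved[key] = v
	}
	return resolved, unresolved, nil
}

// SamplePOM is constructed (not the page's file): one version from the parent,
// one from dependencyManagement, one declared inline. Versions are assumed values.
const SamplePOM = `<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>3.0.0</version></parent>
  <dependencyManagement><dependencies><dependency><groupId>com.h2database</groupId><artifactId>h2</artifactId><version>2.2.224</version></dependency></dependencies></dependencyManagement>
  <dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency>
    <dependency><groupId>com.h2database</groupId><artifactId>h2</artifactId></dependency>
    <dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId><version>1.2.43</version></dependency></dependencies>
</project>`
```

Running it on SamplePOM resolves h2 and fastjson locally and reports spring-boot-starter-web as unresolved, which is the set a scanner without network access cannot match against an advisory database.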