Reporting version info for maven dependencies #605

Open
jtmelton opened this issue Nov 2, 2016 · 5 comments

Comments

@jtmelton

jtmelton commented Nov 2, 2016

This is an enhancement idea specifically around the maven mojo - I'm willing to take a first cut at this work. Looking for feedback on a) would it be useful and b) discussion of solution.

First question, would it be useful to be able to present the available versions? I see there's a getVersionEvidence() method that exists on the Dependency class, but don't see it used in the system. Would it be useful to add this data for maven?

If the answer above is "yes", I have some follow-up questions:

  • would you like to see all available versions or just future available versions, i.e. if all is [1.0, 2.0, 3.0, 4.0, 5.0] and current is 3.0, then future would be [4.0, 5.0]. (I think the "right" answer is complex here. It could be absolute latest. It could be any non-vulnerable version ... assuming there's a CVE. It could be latest available on my major release, assuming semantic versioning).
  • what would you like to see as the name (string) of the available version. Do you want just the version number itself or the full GAV?
@jeremylong
Owner

Great suggestion - yes the versions that one could upgrade to would be valuable (heck we might be able to see if they are known vulnerable too). Would this have to be Maven specific though? If the hash matches (either CentralAnalyzer or NexusAnalyzer) isn't there a subsequent get available versions API?

Regarding the getVersionEvidence() - that is the evidence used for identification of the correct version within the CVE/CPE data. It may contain the GAV version, but it would not be used for available versions. We would have to extend the dependency object to contain available version information.

Regarding what to present - I agree this is difficult. I might consider taking the exact same approach as the dependency plugin and show the latest minor and latest major release (we might even be able to borrow code depending on the licenses for this). One of the known issues with the get available versions is that sometimes there is a timestamp or something in the version that completely messes up trying to figure out what the latest is.

For reporting purposes - the full GAV of the available version would be good.
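
The selection logic discussed in the two comments above (future versions only, latest release within the current major versus latest overall, full GAV in the report, and the timestamp-looking versions that break "what is latest") as an added, stand-alone example. It is not code from dependency-check or the maven-dependency-plugin; it is written in Python rather than the project's Java because the version-ordering rules are language-independent. The group, artifact and release list are constructed for the example, and the policy of skipping anything with a qualifier (SNAPSHOT, rc1, ...) is an assumption, not the project's behaviour.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample data for a hypothetical artifact; not a real release list.
GROUP, ARTIFACT, CURRENT = "com.example", "widget", "3.0"
AVAILABLE = ["1.0", "2.0", "3.0", "3.1", "3.2-SNAPSHOT", "4.0", "5.0",
             "20161102.130211", "5.0.1-rc1"]

# A bare timestamp such as 20161102 or 20161102.130211 is not a release number,
# but compared numerically it sorts above every real version and would be
# reported as "latest" unless it is filtered out first.
_TIMESTAMP = re.compile(r"^\d{8}(\.\d{4,6})?$")

Version = Tuple[int, ...]


def parse_version(v: str) -> Optional[Version]:
    """Return v as a comparable tuple of ints padded to major.minor.patch, or None
    when v must not be offered as an upgrade target: timestamp-style strings and
    anything carrying a qualifier (SNAPSHOT, rc1, ...) are skipped (assumed policy)."""
    if _TIMESTAMP.match(v):
        return None
    head, _, qualifier = v.partition("-")
    if qualifier:
        return None
    parts = head.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    nums += [0] * (3 - len(nums))      # "3.0" and "3.0.0" compare equal
    return tuple(nums)


def _ordered(available: List[str]) -> List[Tuple[Version, str]]:
    """Sorted (tuple, original string) pairs with unparsable entries dropped."""
    pairs = [(parse_version(v), v) for v in available]
    return sorted((k, v) for k, v in pairs if k is not None)


def future_versions(available: List[str], current: str) -> List[str]:
    """Versions strictly newer than current, oldest first."""
    cur = parse_version(current)
    if cur is None:
        raise ValueError(f"current version {current!r} is not a plain release")
    return [v for k, v in _ordered(available) if k > cur]


def latest_in_major(available: List[str], current: str) -> Optional[str]:
    """Newest version that keeps the current major number (the semver-safe upgrade)."""
    cur = parse_version(current)
    if cur is None:
        raise ValueError(f"current version {current!r} is not a plain release")
    same_major = [v for k, v in _ordered(available) if k[0] == cur[0] and k > cur]
    return same_major[-1] if same_major else None


def latest_overall(available: List[str], current: str) -> Optional[str]:
    """Newest release of any major, or None when nothing is newer."""
    newer = future_versions(available, current)
    return newer[-1] if newer else None


def upgrade_report(group: str, artifact: str, current: str,
                   available: List[str]) -> Dict[str, Optional[str]]:
    """The two upgrade candidates a report would show, each as a full GAV string."""
    def gav(version: Optional[str]) -> Optional[str]:
        return None if version is None else f"{group}:{artifact}:{version}"
    return {
        "current": gav(current),
        "latest_minor": gav(latest_in_major(available, current)),
        "latest_major": gav(latest_overall(available, current)),
    }


if __name__ == "__main__":
    print("future:", future_versions(AVAILABLE, CURRENT))
    print(upgrade_report(GROUP, ARTIFACT, CURRENT, AVAILABLE))
```

With the constructed list the report names `com.example:widget:3.1` as the same-major upgrade and `com.example:widget:5.0` as the latest major; the timestamp entry and the SNAPSHOT/rc entries never reach the comparison, which is the cheap fix for the "something in the version messes up what the latest is" problem. A real implementation would also want to cross-check each candidate against the CVE data before calling it an upgrade target, as the comment suggests.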

@jtmelton
Author

jtmelton commented Nov 3, 2016

Not very familiar with nexus/central apis. Probably good to loop in @colezlaw on this one as it appears he originally did that work.

That sounds good to extend the object to hold this info. Are any of the other analyzers doing something similar or is this new project-wide?

Yes, agree the get available versions is non-optimal as not everyone uses semantic versioning. I'll try to take a peek at the dependency plugin once we hash out the other issues.

@jtmelton
Author

Bumping this to @colezlaw to see if he has any thoughts.

@jeremylong
Owner

Baked into Maven is an API to get the available versions. The problem is this could probably work for Maven, gradle, or sbt - it likely would not be available in the other integrations (unless we found the maven coordinates from within the JAR in the CLI/ANT version).

@jtmelton
Author

Yeah, I think this would definitely be just for those integrations where we have access to the maven coordinates easily, at least at first. I was using those apis for the POC.
