Merge pull request #1266 from jeremylong/non-resolvable-fix

Fix dependency resolution

.travis.yml

@@ -49,6 +49,7 @@ after_success:
     fi;
 
 after_failure:
+    - cat /home/travis/build/jeremylong/DependencyCheck/maven/target/it/740-aggregate/build.log
     - cat /home/travis/build/jeremylong/DependencyCheck/maven/target/it/617-hierarchical-cross-deps/build.log
     - cat /home/travis/build/jeremylong/DependencyCheck/maven/target/it/618-aggregator-purge/build.log
     - cat /home/travis/build/jeremylong/DependencyCheck/maven/target/it/618-aggregator-update-only/build.log

core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -403,9 +403,11 @@ private boolean hashesMatch(Dependency dependency1, Dependency dependency2) {
      * @return true if on of the dependencies is a pom.xml and the identifiers
      * between the two collections match; otherwise false
      */
-    private boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
+    protected boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
         if (dependency == null || dependency.getFileName() == null
-                || nextDependency == null || nextDependency.getFileName() == null) {
+                || nextDependency == null || nextDependency.getFileName() == null
+                || dependency.getIdentifiers().isEmpty() 
+                || nextDependency.getIdentifiers().isEmpty()) {
             return false;
         }
         final String mainName = dependency.getFileName().toLowerCase();

core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -192,6 +192,17 @@ public Dependency(File file, boolean isVirtual) {
         determineHashes(file);
     }
 
+    /**
+     * Constructs a new Dependency object.
+     *
+     * @param isVirtual specifies if the dependency is virtual indicating the
+     * file doesn't actually exist.
+     */
+    public Dependency(boolean isVirtual) {
+        this();
+        this.isVirtual = isVirtual;
+    }
+
     /**
      * Returns the file name of the dependency.
      *

core/src/main/resources/templates/htmlReport.vsl

@@ -731,8 +731,8 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
                             #end
                         #end
                             <b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
-                            <b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
-                            <b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
+                            <b>MD5:</b>&nbsp;#if($dependency.Md5sum)$enc.html($dependency.Md5sum)#end<br/>
+                            <b>SHA1:</b>&nbsp;#if($dependency.Sha1sum)$enc.html($dependency.Sha1sum)#end
                             #if ($dependency.projectReferences.size()==1)
                                 <br/><b>Referenced In Project/Scope:</b>
                                 #foreach($ref in $dependency.projectReferences)
@@ -940,8 +940,8 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
                                     #end
                                 #end
                                     <b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
-                                    <b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
-                                    <b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
+                                    <b>MD5:</b>&nbsp;#if($dependency.Md5sum)$enc.html($dependency.Md5sum)#end<br/>
+                                    <b>SHA1:</b>&nbsp;#if($dependency.Sha1sum)$enc.html($dependency.Sha1sum)#end
                                 </p>
                                 #set($cnt=$cnt+1)
                                 <h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>

core/src/main/resources/templates/jsonReport.vsl

@@ -27,8 +27,8 @@
             "isVirtual": #if($dependency.isVirtual)true#{else}false#end,
             "fileName": "$enc.json($dependency.DisplayFileName)",
             "filePath": "$enc.json($dependency.FilePath)",
-            "md5": "$enc.json($dependency.Md5sum)",
-            "sha1": "$enc.json($dependency.Sha1sum)"
+            "md5": "#if($dependency.Md5sum)$enc.json($dependency.Md5sum)#end",
+            "sha1": "#if($dependency.Sha1sum)$enc.json($dependency.Sha1sum)#end"
             #if($dependency.description),"description": "$enc.json($dependency.description)"#end
             #if($dependency.license),"license": "$enc.json($dependency.license)"#end
             #if ($dependency.projectReferences.size()>0)

core/src/main/resources/templates/xmlReport.vsl

@@ -48,8 +48,8 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <dependency isVirtual="#if($dependency.isVirtual)true#{else}false#end">
             <fileName>$enc.xml($dependency.DisplayFileName)</fileName>
             <filePath>$enc.xml($dependency.FilePath)</filePath>
-            <md5>$enc.xml($dependency.Md5sum)</md5>
-            <sha1>$enc.xml($dependency.Sha1sum)</sha1>
+            <md5>#if($dependency.Md5sum)$enc.xml($dependency.Md5sum)#end</md5>
+            <sha1>#if($dependency.Sha1sum)$enc.xml($dependency.Sha1sum)#end</sha1>
 #if ($dependency.description)
             <description>$enc.xml($dependency.description)</description>
 #end
@@ -117,7 +117,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <identifiers>
 #foreach($id in $dependency.getIdentifiers())
                 <identifier type="$enc.xml($id.type)" #if($id.confidence)confidence="$id.confidence"#end>
-                    <name>($id.value)</name>
+                    <name>$enc.xml($id.value)</name>
 #if( $id.url )
                     <url>$enc.xml($id.url)</url>
 #end

core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java

@@ -17,6 +17,7 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import java.io.File;
 import mockit.Mocked;
 import mockit.Verifications;
 import org.junit.Test;
@@ -59,8 +60,8 @@ public void testGetAnalysisPhase() {
     }
 
     /**
-     * Test of analyze method, of class DependencyBundlingAnalyzer.
-     * The actually passed dependency does not matter. The analyzer only runs once.
+     * Test of analyze method, of class DependencyBundlingAnalyzer. The actually
+     * passed dependency does not matter. The analyzer only runs once.
      */
     @Test
     public void testAnalyze() throws Exception {
@@ -77,10 +78,12 @@ public void testAnalyze() throws Exception {
         instance.analyze(null, engineMock);
         assertTrue(instance.getAnalyzed());
 
-        new Verifications() {{
-            engineMock.getDependencies();
-            times = 1;
-        }};
+        new Verifications() {
+            {
+                engineMock.getDependencies();
+                times = 1;
+            }
+        };
     }
 
     /**
@@ -140,4 +143,72 @@ public void testFirstPathIsShortest() {
         result = instance.firstPathIsShortest(left, right);
         assertEquals(expResult, result);
     }
+
+    @Test
+    public void testIsShaded() {
+        DependencyBundlingAnalyzer instance = new DependencyBundlingAnalyzer();
+
+        Dependency left = null;
+        Dependency right = null;
+
+        boolean expResult = false;
+        boolean result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        left = new Dependency();
+        expResult = false;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        left = new Dependency(new File("/path/jar.jar"), true);
+        expResult = false;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        right = new Dependency();
+        expResult = false;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        right = new Dependency(new File("/path/pom.xml"), true);
+        expResult = false;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        left.addIdentifier("test", "test", "http://example.com/test");
+        expResult = false;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        right.addIdentifier("next", "next", "http://example.com/next");
+        expResult = false;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        left.addIdentifier("next", "next", "http://example.com/next");
+        expResult = true;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        left = new Dependency(new File("/path/pom.xml"), true);
+        left.addIdentifier("test", "test", "http://example.com/test");
+        right = new Dependency(new File("/path/jar.jar"), true);
+        right.addIdentifier("next", "next", "http://example.com/next");
+        expResult = false;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        right.addIdentifier("test", "test", "http://example.com/test");
+        expResult = true;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        left = new Dependency(new File("/path/other.jar"), true);
+        left.addIdentifier("test", "test", "http://example.com/test");
+        right = new Dependency(new File("/path/jar.jar"), true);
+        right.addIdentifier("next", "next", "http://example.com/next");
+        expResult = false;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+    }
 }

maven/pom.xml

@@ -136,6 +136,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <dependency>
             <groupId>org.apache.maven.shared</groupId>
             <artifactId>maven-dependency-tree</artifactId>
+            <version>3.0.1</version>
         </dependency>
         <dependency>
             <groupId>org.jmockit</groupId>
@@ -195,6 +196,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                             </setupIncludes-->
                             <cloneProjectsTo>${project.build.directory}/it</cloneProjectsTo>
                             <localRepositoryPath>target/local-repo</localRepositoryPath>
+                            <properties>
+                                <odc.version>${project.version}</odc.version>
+                            </properties>
                         </configuration>
                         <executions>
                             <execution>

maven/src/it/617-hierarchical-cross-deps/invoker.properties

@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -X
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check

maven/src/it/618-aggregator-purge/invoker.properties

@@ -16,5 +16,5 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals.1 = ${project.groupId}:${project.artifactId}:${project.version}:update-only -DdataDirectory=./data -Dcve.startyear=2017 -X
-invoker.goals.2 = ${project.groupId}:${project.artifactId}:${project.version}:purge -DdataDirectory=./data -X
+invoker.goals.1 = ${project.groupId}:${project.artifactId}:${project.version}:update-only -DdataDirectory=./data -Dcve.startyear=2018
+invoker.goals.2 = ${project.groupId}:${project.artifactId}:${project.version}:purge -DdataDirectory=./data

maven/src/it/618-aggregator-update-only/invoker.properties

@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:update-only -X
+invoker.goals = -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:update-only

maven/src/it/629-jackson-dataformat/invoker.properties

@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -X -Dformat=ALL
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -Dformat=ALL

maven/src/it/690-threadsafety/invoker.properties

@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -X -T 10
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -T 10

maven/src/it/710-pom-parse-error/invoker.properties

@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -X -Dformat=ALL
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -Dformat=ALL

maven/src/it/729-system-scope-resolved/invoker.properties

@@ -16,4 +16,4 @@
 # Copyright (c) 2017 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -X -Dformat=JSON
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -Dformat=JSON

maven/src/it/729-system-scope-skipped/invoker.properties

@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -DskipSystemScope=true -Dformat=JSON -X
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -DskipSystemScope=true -Dformat=JSON

maven/src/it/730-multiple-suppression-files-configs/invoker.properties

@@ -15,4 +15,4 @@
 #
 # Copyright (c) 2017 The OWASP Foundation. All Rights Reserved.
 #
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -X
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check

maven/src/it/730-multiple-suppression-files/invoker.properties

@@ -15,4 +15,4 @@
 #
 # Copyright (c) 2017 The OWASP Foundation. All Rights Reserved.
 #
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -X
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check

maven/src/it/740-aggregate/first/pom.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+This file is part of dependency-check-maven.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.owasp.test.aggregate</groupId>
+        <artifactId>aggregate-parent</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>first</artifactId>
+    <packaging>jar</packaging>
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-collections4</artifactId>
+            <version>4.1</version>
+        </dependency>
+    </dependencies>
+</project>

maven/src/it/740-aggregate/invoker.properties

@@ -0,0 +1,19 @@
+#
+# This file is part of dependency-check-maven.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+#
+
+invoker.goals = verify -X

maven/src/it/740-aggregate/pom.xml

@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+This file is part of dependency-check-maven.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2018 Jeremy Long. All Rights Reserved.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>org.owasp.test.aggregate</groupId>
+    <artifactId>aggregate-parent</artifactId>
+    <version>1.0.0-SNAPSHOT</version>
+    <packaging>pom</packaging>
+    <modules>
+        <module>first</module>
+        <module>second</module>
+		<module>third</module>
+    </modules>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>${odc.version}</version>
+                <inherited>false</inherited>
+                <configuration>
+                    <format>XML</format>
+                    <centralAnalyzerEnabled>false</centralAnalyzerEnabled>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>aggregate</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>