From ab174b4bb4379935ede44bab6f762d2f3c5c3341 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 9 Apr 2018 14:03:04 -0400
Subject: [PATCH 01/36] upgrade dependency tree version

---
 .../owasp/dependencycheck/maven/BaseDependencyCheckMojo.java    | 2 +-
 pom.xml                                                         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 0ac70d17881..ca559329768 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -720,8 +720,8 @@ protected File getCorrectOutputDirectory(MavenProject current) {
      */
     protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine) {
         try {
-            final DependencyNode dn = dependencyGraphBuilder.buildDependencyGraph(project, null, reactorProjects);
             final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest();
+            final DependencyNode dn = dependencyGraphBuilder.buildDependencyGraph(buildingRequest, null, reactorProjects);
             return collectDependencies(engine, project, dn.getChildren(), buildingRequest);
         } catch (DependencyGraphBuilderException ex) {
             final String msg = String.format("Unable to build dependency graph on project %s", project.getName());
diff --git a/pom.xml b/pom.xml
index 4ae6722044f..043c762d5c3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -172,7 +172,7 @@ Copyright (c) 2012 - Jeremy Long
         <plexus-sec-dispatcher.version>1.4</plexus-sec-dispatcher.version>
 
         <!-- upgrading beyond 2.2 requires reworking the dependency resolution -->
-        <maven-dependency-tree.version>2.2</maven-dependency-tree.version>
+        <maven-dependency-tree.version>3.0.1</maven-dependency-tree.version>
 
         <org.glassfish.javax.json.version>1.0.4</org.glassfish.javax.json.version>
         <maven-artifact-transfer.version>0.9.1</maven-artifact-transfer.version>

From 3825a27d86775b732702a13a8df00aa24d7ed46e Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 9 Apr 2018 14:03:22 -0400
Subject: [PATCH 02/36] update invoker properties

---
 maven/pom.xml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/maven/pom.xml b/maven/pom.xml
index 58ecdba134b..a64ffa488a9 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -136,6 +136,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <dependency>
             <groupId>org.apache.maven.shared</groupId>
             <artifactId>maven-dependency-tree</artifactId>
+            <version>3.0.1</version>
         </dependency>
         <dependency>
             <groupId>org.jmockit</groupId>
@@ -195,6 +196,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                             </setupIncludes-->
                             <cloneProjectsTo>${project.build.directory}/it</cloneProjectsTo>
                             <localRepositoryPath>target/local-repo</localRepositoryPath>
+                            <properties>
+                                <odc.version>${project.version}</odc.version>
+                            </properties>
                         </configuration>
                         <executions>
                             <execution>

From b41c68b8f99da366ef7ef52d59f707b284396f38 Mon Sep 17 00:00:00 2001
From: Hans Aikema <aikebah-github@aikebah.net>
Date: Sat, 28 Apr 2018 22:28:42 +0200
Subject: [PATCH 03/36] Add project to buildingRequest

---
 .../org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index ca559329768..539d8f0315a 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -721,6 +721,7 @@ protected File getCorrectOutputDirectory(MavenProject current) {
     protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine) {
         try {
             final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest();
+            buildingRequest.setProject(project);
             final DependencyNode dn = dependencyGraphBuilder.buildDependencyGraph(buildingRequest, null, reactorProjects);
             return collectDependencies(engine, project, dn.getChildren(), buildingRequest);
         } catch (DependencyGraphBuilderException ex) {

From ea0603ff03c7847b37f2ab0a32305a8dc6cb3c42 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 9 Apr 2018 14:03:04 -0400
Subject: [PATCH 04/36] upgrade dependency tree version

---
 .../owasp/dependencycheck/maven/BaseDependencyCheckMojo.java    | 2 +-
 pom.xml                                                         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 0ac70d17881..ca559329768 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -720,8 +720,8 @@ protected File getCorrectOutputDirectory(MavenProject current) {
      */
     protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine) {
         try {
-            final DependencyNode dn = dependencyGraphBuilder.buildDependencyGraph(project, null, reactorProjects);
             final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest();
+            final DependencyNode dn = dependencyGraphBuilder.buildDependencyGraph(buildingRequest, null, reactorProjects);
             return collectDependencies(engine, project, dn.getChildren(), buildingRequest);
         } catch (DependencyGraphBuilderException ex) {
             final String msg = String.format("Unable to build dependency graph on project %s", project.getName());
diff --git a/pom.xml b/pom.xml
index d9ca9e65f8a..4ade018838a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -172,7 +172,7 @@ Copyright (c) 2012 - Jeremy Long
         <plexus-sec-dispatcher.version>1.4</plexus-sec-dispatcher.version>
 
         <!-- upgrading beyond 2.2 requires reworking the dependency resolution -->
-        <maven-dependency-tree.version>2.2</maven-dependency-tree.version>
+        <maven-dependency-tree.version>3.0.1</maven-dependency-tree.version>
 
         <org.glassfish.javax.json.version>1.0.4</org.glassfish.javax.json.version>
         <maven-artifact-transfer.version>0.9.1</maven-artifact-transfer.version>

From 7c8dbcceefc692a3b5c3b16dce3f1028dee72984 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 9 Apr 2018 14:03:22 -0400
Subject: [PATCH 05/36] update invoker properties

---
 maven/pom.xml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/maven/pom.xml b/maven/pom.xml
index 4105b776aee..e41b41163fe 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -136,6 +136,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <dependency>
             <groupId>org.apache.maven.shared</groupId>
             <artifactId>maven-dependency-tree</artifactId>
+            <version>3.0.1</version>
         </dependency>
         <dependency>
             <groupId>org.jmockit</groupId>
@@ -195,6 +196,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                             </setupIncludes-->
                             <cloneProjectsTo>${project.build.directory}/it</cloneProjectsTo>
                             <localRepositoryPath>target/local-repo</localRepositoryPath>
+                            <properties>
+                                <odc.version>${project.version}</odc.version>
+                            </properties>
                         </configuration>
                         <executions>
                             <execution>

From 0c0b0e3f3be02594857ef7997f31aff7abc30b5b Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sun, 15 Apr 2018 06:37:14 -0400
Subject: [PATCH 06/36] added test case

---
 maven/src/it/740-aggregate/first/pom.xml      | 35 +++++++++++++
 maven/src/it/740-aggregate/invoker.properties | 19 +++++++
 maven/src/it/740-aggregate/pom.xml            | 50 +++++++++++++++++++
 maven/src/it/740-aggregate/postbuild.groovy   | 29 +++++++++++
 maven/src/it/740-aggregate/second/pom.xml     | 35 +++++++++++++
 .../second/src/main/webapp/WEB-INF/web.xml    | 26 ++++++++++
 .../src/it/740-aggregate/third/fourth/pom.xml | 35 +++++++++++++
 .../fourth/src/main/webapp/WEB-INF/web.xml    | 26 ++++++++++
 maven/src/it/740-aggregate/third/pom.xml      | 31 ++++++++++++
 9 files changed, 286 insertions(+)
 create mode 100644 maven/src/it/740-aggregate/first/pom.xml
 create mode 100644 maven/src/it/740-aggregate/invoker.properties
 create mode 100644 maven/src/it/740-aggregate/pom.xml
 create mode 100644 maven/src/it/740-aggregate/postbuild.groovy
 create mode 100644 maven/src/it/740-aggregate/second/pom.xml
 create mode 100644 maven/src/it/740-aggregate/second/src/main/webapp/WEB-INF/web.xml
 create mode 100644 maven/src/it/740-aggregate/third/fourth/pom.xml
 create mode 100644 maven/src/it/740-aggregate/third/fourth/src/main/webapp/WEB-INF/web.xml
 create mode 100644 maven/src/it/740-aggregate/third/pom.xml

diff --git a/maven/src/it/740-aggregate/first/pom.xml b/maven/src/it/740-aggregate/first/pom.xml
new file mode 100644
index 00000000000..ec008957d09
--- /dev/null
+++ b/maven/src/it/740-aggregate/first/pom.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+This file is part of dependency-check-maven.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.owasp.test</groupId>
+        <artifactId>threaded-parent</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>first</artifactId>
+    <packaging>jar</packaging>
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-collections4</artifactId>
+            <version>4.1</version>
+        </dependency>
+    </dependencies>
+</project>
diff --git a/maven/src/it/740-aggregate/invoker.properties b/maven/src/it/740-aggregate/invoker.properties
new file mode 100644
index 00000000000..fe31f576949
--- /dev/null
+++ b/maven/src/it/740-aggregate/invoker.properties
@@ -0,0 +1,19 @@
+#
+# This file is part of dependency-check-maven.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+#
+
+invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -X -T 10
diff --git a/maven/src/it/740-aggregate/pom.xml b/maven/src/it/740-aggregate/pom.xml
new file mode 100644
index 00000000000..73a17227886
--- /dev/null
+++ b/maven/src/it/740-aggregate/pom.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+This file is part of dependency-check-maven.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2018 Jeremy Long. All Rights Reserved.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>org.owasp.test</groupId>
+    <artifactId>threaded-parent</artifactId>
+    <version>1.0.0-SNAPSHOT</version>
+    <packaging>pom</packaging>
+    <modules>
+        <module>first</module>
+        <module>second</module>
+		<module>third</module>
+    </modules>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>${odc.version}</version>
+                <inherited>false</inherited>
+                <configuration>
+                    <centralAnalyzerEnabled>false</centralAnalyzerEnabled>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>aggregate</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>
\ No newline at end of file
diff --git a/maven/src/it/740-aggregate/postbuild.groovy b/maven/src/it/740-aggregate/postbuild.groovy
new file mode 100644
index 00000000000..8c1b639faac
--- /dev/null
+++ b/maven/src/it/740-aggregate/postbuild.groovy
@@ -0,0 +1,29 @@
+/*
+ * This file is part of dependency-check-maven.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+
+import java.nio.charset.Charset;
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang.StringUtils;
+ 
+String log = FileUtils.readFileToString(new File(basedir, "build.log"), Charset.defaultCharset().name());
+int count = StringUtils.countMatches(log, "Download Started for NVD CVE - 2002");
+if (count > 1){
+    System.out.println(String.format("NVD CVE was downloaded %s times, should be 0 or 1 times", count));
+    return false;
+}
+return true;
\ No newline at end of file
diff --git a/maven/src/it/740-aggregate/second/pom.xml b/maven/src/it/740-aggregate/second/pom.xml
new file mode 100644
index 00000000000..710eace2e07
--- /dev/null
+++ b/maven/src/it/740-aggregate/second/pom.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+This file is part of dependency-check-maven.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.owasp.test</groupId>
+        <artifactId>threaded-parent</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>second</artifactId>
+    <packaging>jar</packaging>
+    <dependencies>
+        <dependency>
+            <groupId>org.owasp.test</groupId>
+            <artifactId>fourth</artifactId>
+            <version>1.0.0-SNAPSHOT</version>
+        </dependency>
+    </dependencies>
+</project>
\ No newline at end of file
diff --git a/maven/src/it/740-aggregate/second/src/main/webapp/WEB-INF/web.xml b/maven/src/it/740-aggregate/second/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 00000000000..65c96051cf0
--- /dev/null
+++ b/maven/src/it/740-aggregate/second/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+This file is part of dependency-check-maven.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+-->
+<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
+    <display-name>test-app</display-name>
+    <welcome-file-list>
+        <welcome-file>index.html</welcome-file>
+    </welcome-file-list>
+</web-app>
+
diff --git a/maven/src/it/740-aggregate/third/fourth/pom.xml b/maven/src/it/740-aggregate/third/fourth/pom.xml
new file mode 100644
index 00000000000..43581af39fb
--- /dev/null
+++ b/maven/src/it/740-aggregate/third/fourth/pom.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+This file is part of dependency-check-maven.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.owasp.test</groupId>
+        <artifactId>third</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>fourth</artifactId>
+    <packaging>jar</packaging>
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.james</groupId>
+            <artifactId>apache-mime4j-dom</artifactId>
+            <version>0.7.2</version>
+        </dependency>
+    </dependencies>
+</project>
\ No newline at end of file
diff --git a/maven/src/it/740-aggregate/third/fourth/src/main/webapp/WEB-INF/web.xml b/maven/src/it/740-aggregate/third/fourth/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 00000000000..65c96051cf0
--- /dev/null
+++ b/maven/src/it/740-aggregate/third/fourth/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+This file is part of dependency-check-maven.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+-->
+<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
+    <display-name>test-app</display-name>
+    <welcome-file-list>
+        <welcome-file>index.html</welcome-file>
+    </welcome-file-list>
+</web-app>
+
diff --git a/maven/src/it/740-aggregate/third/pom.xml b/maven/src/it/740-aggregate/third/pom.xml
new file mode 100644
index 00000000000..a36ca6f3fb9
--- /dev/null
+++ b/maven/src/it/740-aggregate/third/pom.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+This file is part of dependency-check-maven.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.owasp.test</groupId>
+        <artifactId>threaded-parent</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>third</artifactId>
+    <packaging>pom</packaging>
+    <modules>
+        <module>fourth</module>
+    </modules>
+</project>
\ No newline at end of file

From 251aa8fef5c8aaff18395006ac7c2406cfe0079c Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 30 Apr 2018 06:55:41 -0400
Subject: [PATCH 07/36] fix test case

---
 maven/src/it/740-aggregate/invoker.properties | 2 +-
 maven/src/it/740-aggregate/pom.xml            | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/maven/src/it/740-aggregate/invoker.properties b/maven/src/it/740-aggregate/invoker.properties
index fe31f576949..b5087cc941d 100644
--- a/maven/src/it/740-aggregate/invoker.properties
+++ b/maven/src/it/740-aggregate/invoker.properties
@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -X -T 10
+invoker.goals = verify -X
diff --git a/maven/src/it/740-aggregate/pom.xml b/maven/src/it/740-aggregate/pom.xml
index 73a17227886..98ae44a22ca 100644
--- a/maven/src/it/740-aggregate/pom.xml
+++ b/maven/src/it/740-aggregate/pom.xml
@@ -19,7 +19,7 @@ Copyright (c) 2018 Jeremy Long. All Rights Reserved.
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.owasp.test</groupId>
-    <artifactId>threaded-parent</artifactId>
+    <artifactId>aggregate-parent</artifactId>
     <version>1.0.0-SNAPSHOT</version>
     <packaging>pom</packaging>
     <modules>

From feb688ff94f24488f77b689ce87f6590028fc68e Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 30 Apr 2018 06:56:10 -0400
Subject: [PATCH 08/36] update to create virtual dependencies

---
 .../dependency/Dependency.java                |  11 +
 .../maven/BaseDependencyCheckMojo.java        | 235 ++++++++++++------
 2 files changed, 171 insertions(+), 75 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
index f84514188a9..ca9ded7d437 100644
--- a/core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -192,6 +192,17 @@ public Dependency(File file, boolean isVirtual) {
         determineHashes(file);
     }
 
+    /**
+     * Constructs a new Dependency object.
+     *
+     * @param isVirtual specifies if the dependency is virtual indicating the
+     * file doesn't actually exist.
+     */
+    public Dependency(boolean isVirtual) {
+        this();
+        this.isVirtual = isVirtual;
+    }
+
     /**
      * Returns the file name of the dependency.
      *
diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 539d8f0315a..6bf76601785 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -29,6 +29,7 @@
 import org.apache.maven.artifact.versioning.ArtifactVersion;
 import org.apache.maven.doxia.sink.Sink;
 import org.apache.maven.execution.MavenSession;
+import org.apache.maven.model.License;
 import org.apache.maven.plugin.AbstractMojo;
 import org.apache.maven.plugin.MojoExecutionException;
 import org.apache.maven.plugin.MojoFailureException;
@@ -51,10 +52,12 @@
 import org.apache.maven.shared.model.fileset.FileSet;
 import org.apache.maven.shared.model.fileset.util.FileSetManager;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.JarAnalyzer;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.exception.DependencyNotFoundException;
@@ -152,9 +155,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     @Parameter(defaultValue = "${project.build.directory}", required = true)
     private File outputDirectory;
     /**
-     * This is a reference to the &gt;reporting&lt; sections <code>outputDirectory</code>.
-     * This cannot be configured in the dependency-check mojo directly.
-     * This generally maps to "target/site".
+     * This is a reference to the &gt;reporting&lt; sections
+     * <code>outputDirectory</code>. This cannot be configured in the
+     * dependency-check mojo directly. This generally maps to "target/site".
      */
     @Parameter(property = "project.reporting.outputDirectory", readonly = true)
     private File reportOutputDirectory;
@@ -228,7 +231,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     @Parameter(property = "connectionTimeout", defaultValue = "", required = false)
     private String connectionTimeout;
     /**
-     * Sets whether dependency-check should check if there is a new version available.
+     * Sets whether dependency-check should check if there is a new version
+     * available.
      */
     @SuppressWarnings("CanBeFinal")
     @Parameter(property = "versionCheckEnabled", defaultValue = "true", required = false)
@@ -719,11 +723,25 @@ protected File getCorrectOutputDirectory(MavenProject current) {
      * and scanning the dependencies
      */
     protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine) {
+        return scanArtifacts(project, engine, false);
+    }
+
+    /**
+     * Scans the project's artifacts and adds them to the engine's dependency
+     * list.
+     *
+     * @param project the project to scan the dependencies of
+     * @param engine the engine to use to scan the dependencies
+     * @param aggregate whether the scan is part of an aggregate build
+     * @return a collection of exceptions that may have occurred while resolving
+     * and scanning the dependencies
+     */
+    protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine, boolean aggregate) {
         try {
             final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest();
             buildingRequest.setProject(project);
             final DependencyNode dn = dependencyGraphBuilder.buildDependencyGraph(buildingRequest, null, reactorProjects);
-            return collectDependencies(engine, project, dn.getChildren(), buildingRequest);
+            return collectDependencies(engine, project, dn.getChildren(), buildingRequest, aggregate);
         } catch (DependencyGraphBuilderException ex) {
             final String msg = String.format("Unable to build dependency graph on project %s", project.getName());
             getLog().debug(msg, ex);
@@ -740,101 +758,106 @@ protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine)
      * @param nodes the list of dependency nodes, generally obtained via the
      * DependencyGraphBuilder
      * @param buildingRequest the Maven project building request
+     * @param aggregate whether the scan is part of an aggregate build
      * @return a collection of exceptions that may have occurred while resolving
      * and scanning the dependencies
      */
     private ExceptionCollection collectDependencies(Engine engine, MavenProject project,
-            List<DependencyNode> nodes, ProjectBuildingRequest buildingRequest) {
+            List<DependencyNode> nodes, ProjectBuildingRequest buildingRequest, boolean aggregate) {
         ExceptionCollection exCol = null;
         for (DependencyNode dependencyNode : nodes) {
             if (artifactScopeExcluded.passes(dependencyNode.getArtifact().getScope())
                     || artifactTypeExcluded.passes(dependencyNode.getArtifact().getType())) {
                 continue;
             }
-            exCol = collectDependencies(engine, project, dependencyNode.getChildren(), buildingRequest);
-            try {
-                boolean isResolved = false;
-                File artifactFile = null;
-                String artifactId = null;
-                String groupId = null;
-                String version = null;
-                List<ArtifactVersion> availableVersions = null;
-                if (org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(dependencyNode.getArtifact().getScope())) {
-                    for (org.apache.maven.model.Dependency d : project.getDependencies()) {
-                        final Artifact a = dependencyNode.getArtifact();
-                        if (d.getSystemPath() != null && artifactsMatch(d, a)) {
-
-                            artifactFile = new File(d.getSystemPath());
-                            isResolved = artifactFile.isFile();
-                            groupId = a.getGroupId();
-                            artifactId = a.getArtifactId();
-                            version = a.getVersion();
-                            availableVersions = a.getAvailableVersions();
-                            break;
-                        }
+            exCol = collectDependencies(engine, project, dependencyNode.getChildren(), buildingRequest, aggregate);
+            boolean isResolved = false;
+            File artifactFile = null;
+            String artifactId = null;
+            String groupId = null;
+            String version = null;
+            List<ArtifactVersion> availableVersions = null;
+            if (org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(dependencyNode.getArtifact().getScope())) {
+                for (org.apache.maven.model.Dependency d : project.getDependencies()) {
+                    final Artifact a = dependencyNode.getArtifact();
+                    if (d.getSystemPath() != null && artifactsMatch(d, a)) {
+
+                        artifactFile = new File(d.getSystemPath());
+                        isResolved = artifactFile.isFile();
+                        groupId = a.getGroupId();
+                        artifactId = a.getArtifactId();
+                        version = a.getVersion();
+                        availableVersions = a.getAvailableVersions();
+                        break;
+                    }
+                }
+                if (!isResolved) {
+                    getLog().error("Unable to resolve system scoped dependency: " + dependencyNode.toNodeString());
+                    if (exCol == null) {
+                        exCol = new ExceptionCollection();
                     }
-                    if (!isResolved) {
-                        getLog().error("Unable to resolve system scoped dependency: " + dependencyNode.toNodeString());
+                    exCol.addException(new DependencyNotFoundException("Unable to resolve system scoped dependency: "
+                            + dependencyNode.toNodeString()));
+                }
+            } else {
+                final ArtifactCoordinate coordinate = TransferUtils.toArtifactCoordinate(dependencyNode.getArtifact());
+                final Artifact result;
+                try {
+                    result = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
+                } catch (ArtifactResolverException ex) {
+                    if (!aggregate || addReactorDependency(engine, dependencyNode.getArtifact())) {
                         if (exCol == null) {
                             exCol = new ExceptionCollection();
                         }
-                        exCol.addException(new DependencyNotFoundException("Unable to resolve system scoped dependency: "
-                                + dependencyNode.toNodeString()));
                     }
-                } else {
-                    final ArtifactCoordinate coordinate = TransferUtils.toArtifactCoordinate(dependencyNode.getArtifact());
-                    final Artifact result = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
-                    isResolved = result.isResolved();
-                    artifactFile = result.getFile();
-                    groupId = result.getGroupId();
-                    artifactId = result.getArtifactId();
-                    version = result.getVersion();
-                    availableVersions = result.getAvailableVersions();
+                    exCol.addException(ex);
+                    continue;
                 }
-                if (isResolved && artifactFile != null) {
-                    final List<Dependency> deps = engine.scan(artifactFile.getAbsoluteFile(),
-                            project.getName() + ":" + dependencyNode.getArtifact().getScope());
-                    if (deps != null) {
-                        if (deps.size() == 1) {
-                            final Dependency d = deps.get(0);
-                            if (d != null) {
-                                final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
-                                d.addAsEvidence("pom", ma, Confidence.HIGHEST);
-                                if (availableVersions != null) {
-                                    for (ArtifactVersion av : availableVersions) {
-                                        d.addAvailableVersion(av.toString());
-                                    }
+                isResolved = result.isResolved();
+                artifactFile = result.getFile();
+                groupId = result.getGroupId();
+                artifactId = result.getArtifactId();
+                version = result.getVersion();
+                availableVersions = result.getAvailableVersions();
+            }
+            if (isResolved && artifactFile != null) {
+                final List<Dependency> deps = engine.scan(artifactFile.getAbsoluteFile(),
+                        project.getName() + ":" + dependencyNode.getArtifact().getScope());
+                if (deps != null) {
+                    if (deps.size() == 1) {
+                        final Dependency d = deps.get(0);
+                        if (d != null) {
+                            final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
+                            d.addAsEvidence("pom", ma, Confidence.HIGHEST);
+                            if (availableVersions != null) {
+                                for (ArtifactVersion av : availableVersions) {
+                                    d.addAvailableVersion(av.toString());
                                 }
-                                getLog().debug(String.format("Adding project reference %s on dependency %s",
-                                        project.getName(), d.getDisplayFileName()));
                             }
-                        } else if (getLog().isDebugEnabled()) {
-                            final String msg = String.format("More than 1 dependency was identified in first pass scan of '%s' in project %s",
-                                    dependencyNode.getArtifact().getId(), project.getName());
-                            getLog().debug(msg);
+                            getLog().debug(String.format("Adding project reference %s on dependency %s",
+                                    project.getName(), d.getDisplayFileName()));
                         }
-                    } else if ("import".equals(dependencyNode.getArtifact().getScope())) {
-                        final String msg = String.format("Skipping '%s:%s' in project %s as it uses an `import` scope",
-                                dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
+                    } else if (getLog().isDebugEnabled()) {
+                        final String msg = String.format("More than 1 dependency was identified in first pass scan of '%s' in project %s",
+                                dependencyNode.getArtifact().getId(), project.getName());
                         getLog().debug(msg);
-                    } else {
-                        final String msg = String.format("No analyzer could be found for '%s:%s' in project %s",
-                                dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
-                        getLog().warn(msg);
                     }
-                } else {
-                    final String msg = String.format("Unable to resolve '%s' in project %s",
-                            dependencyNode.getArtifact().getId(), project.getName());
+                } else if ("import".equals(dependencyNode.getArtifact().getScope())) {
+                    final String msg = String.format("Skipping '%s:%s' in project %s as it uses an `import` scope",
+                            dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
                     getLog().debug(msg);
-                    if (exCol == null) {
-                        exCol = new ExceptionCollection();
-                    }
+                } else {
+                    final String msg = String.format("No analyzer could be found for '%s:%s' in project %s",
+                            dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
+                    getLog().warn(msg);
                 }
-            } catch (ArtifactResolverException ex) {
+            } else {
+                final String msg = String.format("Unable to resolve '%s' in project %s",
+                        dependencyNode.getArtifact().getId(), project.getName());
+                getLog().debug(msg);
                 if (exCol == null) {
                     exCol = new ExceptionCollection();
                 }
-                exCol.addException(ex);
             }
         }
 
@@ -871,6 +894,66 @@ private ExceptionCollection collectDependencies(Engine engine, MavenProject proj
         return exCol;
     }
 
+    /**
+     * Checks if the current artifact is actually in the reactor projects that
+     * have not yet been built. If true a virtual dependency is created based on
+     * the evidence in the project.
+     *
+     * @param engine a reference to the engine being used to scan
+     * @param artifact the artifact being analyzed in the mojo
+     * @return <code>true</code> if the artifact is in the reactor; otherwise
+     * <code>false</code>
+     */
+    private boolean addReactorDependency(Engine engine, Artifact artifact) {
+        for (MavenProject project : reactorProjects) {
+            if (project.getArtifactId().equals(artifact.getArtifactId())
+                    && project.getGroupId().equals(artifact.getGroupId())
+                    && project.getVersion().equals(artifact.getVersion())) {
+
+                final String displayName = String.format("%s:%s:%s",
+                        project.getGroupId(), project.getArtifactId(), project.getVersion());
+                getLog().info(String.format("Unable to resolve %s as it has not been built yet - creating a virtual dependency instead.", displayName));
+                File pom = new File(project.getBasedir(), "pom.xml");
+                Dependency d;
+                if (pom.isFile()) {
+                    d = new Dependency(pom, true);
+                } else {
+                    d = new Dependency(true);
+                }
+                d.setDisplayFileName(displayName);
+
+                d.addEvidence(EvidenceType.PRODUCT, "project", "artifactid", project.getArtifactId(), Confidence.HIGHEST);
+                d.addEvidence(EvidenceType.VENDOR, "project", "artifactid", project.getArtifactId(), Confidence.LOW);
+
+                d.addEvidence(EvidenceType.VENDOR, "project", "groupid", project.getGroupId(), Confidence.HIGHEST);
+                d.addEvidence(EvidenceType.PRODUCT, "project", "groupid", project.getGroupId(), Confidence.LOW);
+                d.setEcosystem(JarAnalyzer.DEPENDENCY_ECOSYSTEM);
+                //TODO unify the setName/version and package path - they are equivelent ideas submitted by two seperate committers
+                d.setName(String.format("%s:%s", project.getGroupId(), project.getArtifactId()));
+                d.setVersion(project.getVersion());
+                d.setPackagePath(displayName);
+                JarAnalyzer.addDescription(d, project.getDescription(), "project", "description");
+                for (License l : project.getLicenses()) {
+                    StringBuilder license = new StringBuilder();
+                    if (l.getName() != null) {
+                        license.append(l.getName());
+                    }
+                    if (l.getUrl() != null) {
+                        license.append(" ").append(l.getUrl());
+                    }
+                    if (d.getLicense() == null) {
+                        d.setLicense(license.toString());
+                    } else if (!d.getLicense().contains(license)) {
+                        d.setLicense(String.format("%s%n%s", d.getLicense(), license.toString()));
+                    }
+                }
+                engine.addDependency(d);
+                return true;
+            }
+        }
+        return false;
+    }
+    
     /**
      * Determines if the groupId, artifactId, and version of the Maven
      * dependency and artifact match.
@@ -975,7 +1058,8 @@ protected void runCheck() throws MojoExecutionException, MojoFailureException {
      * @param currentEx the primary exception collection
      * @param newEx the new exception collection to add
      * @return the combined exception collection
-     * @throws MojoExecutionException thrown if dependency-check is configured to fail on errors
+     * @throws MojoExecutionException thrown if dependency-check is configured
+     * to fail on errors
      */
     private ExceptionCollection handleAnalysisExceptions(ExceptionCollection currentEx, ExceptionCollection newEx) throws MojoExecutionException {
         ExceptionCollection returnEx = currentEx;
@@ -1453,4 +1537,5 @@ protected String getOutputDirectoryContextKey() {
     }
 
     //</editor-fold>
+    
 }

From c929220117eebc6e8dd0c995fc52fc7f4e467d42 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 30 Apr 2018 07:03:13 -0400
Subject: [PATCH 09/36] fix test case

---
 maven/src/it/740-aggregate/invoker.properties | 2 +-
 maven/src/it/740-aggregate/pom.xml            | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/maven/src/it/740-aggregate/invoker.properties b/maven/src/it/740-aggregate/invoker.properties
index fe31f576949..c32d994a16a 100644
--- a/maven/src/it/740-aggregate/invoker.properties
+++ b/maven/src/it/740-aggregate/invoker.properties
@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -X -T 10
+invoker.goals = install -X
diff --git a/maven/src/it/740-aggregate/pom.xml b/maven/src/it/740-aggregate/pom.xml
index 73a17227886..98ae44a22ca 100644
--- a/maven/src/it/740-aggregate/pom.xml
+++ b/maven/src/it/740-aggregate/pom.xml
@@ -19,7 +19,7 @@ Copyright (c) 2018 Jeremy Long. All Rights Reserved.
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.owasp.test</groupId>
-    <artifactId>threaded-parent</artifactId>
+    <artifactId>aggregate-parent</artifactId>
     <version>1.0.0-SNAPSHOT</version>
     <packaging>pom</packaging>
     <modules>

From 0b84b096d605ccfc2758bcb89ff20f65a96b1707 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Tue, 1 May 2018 06:55:08 -0400
Subject: [PATCH 10/36] removed debug logging

---
 maven/src/it/617-hierarchical-cross-deps/invoker.properties   | 2 +-
 maven/src/it/618-aggregator-purge/invoker.properties          | 4 ++--
 maven/src/it/618-aggregator-update-only/invoker.properties    | 2 +-
 maven/src/it/629-jackson-dataformat/invoker.properties        | 2 +-
 maven/src/it/690-threadsafety/invoker.properties              | 2 +-
 maven/src/it/710-pom-parse-error/invoker.properties           | 2 +-
 maven/src/it/729-system-scope-resolved/invoker.properties     | 2 +-
 maven/src/it/729-system-scope-skipped/invoker.properties      | 2 +-
 .../730-multiple-suppression-files-configs/invoker.properties | 2 +-
 .../src/it/730-multiple-suppression-files/invoker.properties  | 2 +-
 .../it/815-broken-suppression-aggregate/invoker.properties    | 2 +-
 maven/src/it/846-site-plugin/invoker.properties               | 2 +-
 maven/src/it/false-positives/invoker.properties               | 2 +-
 13 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/maven/src/it/617-hierarchical-cross-deps/invoker.properties b/maven/src/it/617-hierarchical-cross-deps/invoker.properties
index 29b334c9e85..15acf9ef50c 100644
--- a/maven/src/it/617-hierarchical-cross-deps/invoker.properties
+++ b/maven/src/it/617-hierarchical-cross-deps/invoker.properties
@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -X
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check
diff --git a/maven/src/it/618-aggregator-purge/invoker.properties b/maven/src/it/618-aggregator-purge/invoker.properties
index 46c174d8e25..0f5be4e07c1 100644
--- a/maven/src/it/618-aggregator-purge/invoker.properties
+++ b/maven/src/it/618-aggregator-purge/invoker.properties
@@ -16,5 +16,5 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals.1 = ${project.groupId}:${project.artifactId}:${project.version}:update-only -DdataDirectory=./data -Dcve.startyear=2017 -X
-invoker.goals.2 = ${project.groupId}:${project.artifactId}:${project.version}:purge -DdataDirectory=./data -X
+invoker.goals.1 = ${project.groupId}:${project.artifactId}:${project.version}:update-only -DdataDirectory=./data -Dcve.startyear=2018
+invoker.goals.2 = ${project.groupId}:${project.artifactId}:${project.version}:purge -DdataDirectory=./data
diff --git a/maven/src/it/618-aggregator-update-only/invoker.properties b/maven/src/it/618-aggregator-update-only/invoker.properties
index 1702ed25f31..b85d53e394d 100644
--- a/maven/src/it/618-aggregator-update-only/invoker.properties
+++ b/maven/src/it/618-aggregator-update-only/invoker.properties
@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:update-only -X
\ No newline at end of file
+invoker.goals = -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:update-only
\ No newline at end of file
diff --git a/maven/src/it/629-jackson-dataformat/invoker.properties b/maven/src/it/629-jackson-dataformat/invoker.properties
index 6633267fe92..c199d2648d6 100644
--- a/maven/src/it/629-jackson-dataformat/invoker.properties
+++ b/maven/src/it/629-jackson-dataformat/invoker.properties
@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -X -Dformat=ALL
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -Dformat=ALL
diff --git a/maven/src/it/690-threadsafety/invoker.properties b/maven/src/it/690-threadsafety/invoker.properties
index 092fcbae279..141d562632b 100644
--- a/maven/src/it/690-threadsafety/invoker.properties
+++ b/maven/src/it/690-threadsafety/invoker.properties
@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -X -T 10
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -T 10
diff --git a/maven/src/it/710-pom-parse-error/invoker.properties b/maven/src/it/710-pom-parse-error/invoker.properties
index 6633267fe92..c199d2648d6 100644
--- a/maven/src/it/710-pom-parse-error/invoker.properties
+++ b/maven/src/it/710-pom-parse-error/invoker.properties
@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -X -Dformat=ALL
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -Dformat=ALL
diff --git a/maven/src/it/729-system-scope-resolved/invoker.properties b/maven/src/it/729-system-scope-resolved/invoker.properties
index 33d42889112..a074ced3027 100644
--- a/maven/src/it/729-system-scope-resolved/invoker.properties
+++ b/maven/src/it/729-system-scope-resolved/invoker.properties
@@ -16,4 +16,4 @@
 # Copyright (c) 2017 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -X -Dformat=JSON
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -Dformat=JSON
diff --git a/maven/src/it/729-system-scope-skipped/invoker.properties b/maven/src/it/729-system-scope-skipped/invoker.properties
index 73d14647084..f65174ea36e 100644
--- a/maven/src/it/729-system-scope-skipped/invoker.properties
+++ b/maven/src/it/729-system-scope-skipped/invoker.properties
@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -DskipSystemScope=true -Dformat=JSON -X
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -DskipSystemScope=true -Dformat=JSON
diff --git a/maven/src/it/730-multiple-suppression-files-configs/invoker.properties b/maven/src/it/730-multiple-suppression-files-configs/invoker.properties
index 9ca2f4cf476..677897a3d8b 100644
--- a/maven/src/it/730-multiple-suppression-files-configs/invoker.properties
+++ b/maven/src/it/730-multiple-suppression-files-configs/invoker.properties
@@ -15,4 +15,4 @@
 #
 # Copyright (c) 2017 The OWASP Foundation. All Rights Reserved.
 #
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -X
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check
diff --git a/maven/src/it/730-multiple-suppression-files/invoker.properties b/maven/src/it/730-multiple-suppression-files/invoker.properties
index 9ca2f4cf476..677897a3d8b 100644
--- a/maven/src/it/730-multiple-suppression-files/invoker.properties
+++ b/maven/src/it/730-multiple-suppression-files/invoker.properties
@@ -15,4 +15,4 @@
 #
 # Copyright (c) 2017 The OWASP Foundation. All Rights Reserved.
 #
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -X
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check
diff --git a/maven/src/it/815-broken-suppression-aggregate/invoker.properties b/maven/src/it/815-broken-suppression-aggregate/invoker.properties
index 34b99036143..b47175cd8ac 100644
--- a/maven/src/it/815-broken-suppression-aggregate/invoker.properties
+++ b/maven/src/it/815-broken-suppression-aggregate/invoker.properties
@@ -16,4 +16,4 @@
 # Copyright (c) 2017 The OWASP Foundation. All Rights Reserved.
 #
 invoker.buildResult = failure
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:aggregate -X
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:aggregate
diff --git a/maven/src/it/846-site-plugin/invoker.properties b/maven/src/it/846-site-plugin/invoker.properties
index 2010c6d669c..11bb9d2052b 100644
--- a/maven/src/it/846-site-plugin/invoker.properties
+++ b/maven/src/it/846-site-plugin/invoker.properties
@@ -15,4 +15,4 @@
 #
 # Copyright (c) 2017 The OWASP Foundation. All Rights Reserved.
 #
-invoker.goals = site -Danalyzer.central.enabled=false -Dodcversion=${project.version} -X
+invoker.goals = site -Danalyzer.central.enabled=false -Dodcversion=${project.version}
diff --git a/maven/src/it/false-positives/invoker.properties b/maven/src/it/false-positives/invoker.properties
index 6633267fe92..c199d2648d6 100644
--- a/maven/src/it/false-positives/invoker.properties
+++ b/maven/src/it/false-positives/invoker.properties
@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -X -Dformat=ALL
+invoker.goals = install -Danalyzer.central.enabled=false ${project.groupId}:${project.artifactId}:${project.version}:check -Dformat=ALL

From ee3d1e83044cd8a887465fafcfddecc957c1a02f Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 30 Apr 2018 06:55:41 -0400
Subject: [PATCH 11/36] fix test case

---
 maven/src/it/740-aggregate/invoker.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/maven/src/it/740-aggregate/invoker.properties b/maven/src/it/740-aggregate/invoker.properties
index c32d994a16a..b5087cc941d 100644
--- a/maven/src/it/740-aggregate/invoker.properties
+++ b/maven/src/it/740-aggregate/invoker.properties
@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install -X
+invoker.goals = verify -X

From 5f10ff7fb3bb8aecd60f19fd647a433a6f943b77 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 30 Apr 2018 06:56:10 -0400
Subject: [PATCH 12/36] update to create virtual dependencies

---
 .../dependency/Dependency.java                |  11 +
 .../maven/BaseDependencyCheckMojo.java        | 235 ++++++++++++------
 2 files changed, 171 insertions(+), 75 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
index f84514188a9..ca9ded7d437 100644
--- a/core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -192,6 +192,17 @@ public Dependency(File file, boolean isVirtual) {
         determineHashes(file);
     }
 
+    /**
+     * Constructs a new Dependency object.
+     *
+     * @param isVirtual specifies if the dependency is virtual indicating the
+     * file doesn't actually exist.
+     */
+    public Dependency(boolean isVirtual) {
+        this();
+        this.isVirtual = isVirtual;
+    }
+
     /**
      * Returns the file name of the dependency.
      *
diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 539d8f0315a..6bf76601785 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -29,6 +29,7 @@
 import org.apache.maven.artifact.versioning.ArtifactVersion;
 import org.apache.maven.doxia.sink.Sink;
 import org.apache.maven.execution.MavenSession;
+import org.apache.maven.model.License;
 import org.apache.maven.plugin.AbstractMojo;
 import org.apache.maven.plugin.MojoExecutionException;
 import org.apache.maven.plugin.MojoFailureException;
@@ -51,10 +52,12 @@
 import org.apache.maven.shared.model.fileset.FileSet;
 import org.apache.maven.shared.model.fileset.util.FileSetManager;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.JarAnalyzer;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.exception.DependencyNotFoundException;
@@ -152,9 +155,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     @Parameter(defaultValue = "${project.build.directory}", required = true)
     private File outputDirectory;
     /**
-     * This is a reference to the &gt;reporting&lt; sections <code>outputDirectory</code>.
-     * This cannot be configured in the dependency-check mojo directly.
-     * This generally maps to "target/site".
+     * This is a reference to the &gt;reporting&lt; sections
+     * <code>outputDirectory</code>. This cannot be configured in the
+     * dependency-check mojo directly. This generally maps to "target/site".
      */
     @Parameter(property = "project.reporting.outputDirectory", readonly = true)
     private File reportOutputDirectory;
@@ -228,7 +231,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     @Parameter(property = "connectionTimeout", defaultValue = "", required = false)
     private String connectionTimeout;
     /**
-     * Sets whether dependency-check should check if there is a new version available.
+     * Sets whether dependency-check should check if there is a new version
+     * available.
      */
     @SuppressWarnings("CanBeFinal")
     @Parameter(property = "versionCheckEnabled", defaultValue = "true", required = false)
@@ -719,11 +723,25 @@ protected File getCorrectOutputDirectory(MavenProject current) {
      * and scanning the dependencies
      */
     protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine) {
+        return scanArtifacts(project, engine, false);
+    }
+
+    /**
+     * Scans the project's artifacts and adds them to the engine's dependency
+     * list.
+     *
+     * @param project the project to scan the dependencies of
+     * @param engine the engine to use to scan the dependencies
+     * @param aggregate whether the scan is part of an aggregate build
+     * @return a collection of exceptions that may have occurred while resolving
+     * and scanning the dependencies
+     */
+    protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine, boolean aggregate) {
         try {
             final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest();
             buildingRequest.setProject(project);
             final DependencyNode dn = dependencyGraphBuilder.buildDependencyGraph(buildingRequest, null, reactorProjects);
-            return collectDependencies(engine, project, dn.getChildren(), buildingRequest);
+            return collectDependencies(engine, project, dn.getChildren(), buildingRequest, aggregate);
         } catch (DependencyGraphBuilderException ex) {
             final String msg = String.format("Unable to build dependency graph on project %s", project.getName());
             getLog().debug(msg, ex);
@@ -740,101 +758,106 @@ protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine)
      * @param nodes the list of dependency nodes, generally obtained via the
      * DependencyGraphBuilder
      * @param buildingRequest the Maven project building request
+     * @param aggregate whether the scan is part of an aggregate build
      * @return a collection of exceptions that may have occurred while resolving
      * and scanning the dependencies
      */
     private ExceptionCollection collectDependencies(Engine engine, MavenProject project,
-            List<DependencyNode> nodes, ProjectBuildingRequest buildingRequest) {
+            List<DependencyNode> nodes, ProjectBuildingRequest buildingRequest, boolean aggregate) {
         ExceptionCollection exCol = null;
         for (DependencyNode dependencyNode : nodes) {
             if (artifactScopeExcluded.passes(dependencyNode.getArtifact().getScope())
                     || artifactTypeExcluded.passes(dependencyNode.getArtifact().getType())) {
                 continue;
             }
-            exCol = collectDependencies(engine, project, dependencyNode.getChildren(), buildingRequest);
-            try {
-                boolean isResolved = false;
-                File artifactFile = null;
-                String artifactId = null;
-                String groupId = null;
-                String version = null;
-                List<ArtifactVersion> availableVersions = null;
-                if (org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(dependencyNode.getArtifact().getScope())) {
-                    for (org.apache.maven.model.Dependency d : project.getDependencies()) {
-                        final Artifact a = dependencyNode.getArtifact();
-                        if (d.getSystemPath() != null && artifactsMatch(d, a)) {
-
-                            artifactFile = new File(d.getSystemPath());
-                            isResolved = artifactFile.isFile();
-                            groupId = a.getGroupId();
-                            artifactId = a.getArtifactId();
-                            version = a.getVersion();
-                            availableVersions = a.getAvailableVersions();
-                            break;
-                        }
+            exCol = collectDependencies(engine, project, dependencyNode.getChildren(), buildingRequest, aggregate);
+            boolean isResolved = false;
+            File artifactFile = null;
+            String artifactId = null;
+            String groupId = null;
+            String version = null;
+            List<ArtifactVersion> availableVersions = null;
+            if (org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(dependencyNode.getArtifact().getScope())) {
+                for (org.apache.maven.model.Dependency d : project.getDependencies()) {
+                    final Artifact a = dependencyNode.getArtifact();
+                    if (d.getSystemPath() != null && artifactsMatch(d, a)) {
+
+                        artifactFile = new File(d.getSystemPath());
+                        isResolved = artifactFile.isFile();
+                        groupId = a.getGroupId();
+                        artifactId = a.getArtifactId();
+                        version = a.getVersion();
+                        availableVersions = a.getAvailableVersions();
+                        break;
+                    }
+                }
+                if (!isResolved) {
+                    getLog().error("Unable to resolve system scoped dependency: " + dependencyNode.toNodeString());
+                    if (exCol == null) {
+                        exCol = new ExceptionCollection();
                     }
-                    if (!isResolved) {
-                        getLog().error("Unable to resolve system scoped dependency: " + dependencyNode.toNodeString());
+                    exCol.addException(new DependencyNotFoundException("Unable to resolve system scoped dependency: "
+                            + dependencyNode.toNodeString()));
+                }
+            } else {
+                final ArtifactCoordinate coordinate = TransferUtils.toArtifactCoordinate(dependencyNode.getArtifact());
+                final Artifact result;
+                try {
+                    result = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
+                } catch (ArtifactResolverException ex) {
+                    if (!aggregate || addReactorDependency(engine, dependencyNode.getArtifact())) {
                         if (exCol == null) {
                             exCol = new ExceptionCollection();
                         }
-                        exCol.addException(new DependencyNotFoundException("Unable to resolve system scoped dependency: "
-                                + dependencyNode.toNodeString()));
                     }
-                } else {
-                    final ArtifactCoordinate coordinate = TransferUtils.toArtifactCoordinate(dependencyNode.getArtifact());
-                    final Artifact result = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
-                    isResolved = result.isResolved();
-                    artifactFile = result.getFile();
-                    groupId = result.getGroupId();
-                    artifactId = result.getArtifactId();
-                    version = result.getVersion();
-                    availableVersions = result.getAvailableVersions();
+                    exCol.addException(ex);
+                    continue;
                 }
-                if (isResolved && artifactFile != null) {
-                    final List<Dependency> deps = engine.scan(artifactFile.getAbsoluteFile(),
-                            project.getName() + ":" + dependencyNode.getArtifact().getScope());
-                    if (deps != null) {
-                        if (deps.size() == 1) {
-                            final Dependency d = deps.get(0);
-                            if (d != null) {
-                                final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
-                                d.addAsEvidence("pom", ma, Confidence.HIGHEST);
-                                if (availableVersions != null) {
-                                    for (ArtifactVersion av : availableVersions) {
-                                        d.addAvailableVersion(av.toString());
-                                    }
+                isResolved = result.isResolved();
+                artifactFile = result.getFile();
+                groupId = result.getGroupId();
+                artifactId = result.getArtifactId();
+                version = result.getVersion();
+                availableVersions = result.getAvailableVersions();
+            }
+            if (isResolved && artifactFile != null) {
+                final List<Dependency> deps = engine.scan(artifactFile.getAbsoluteFile(),
+                        project.getName() + ":" + dependencyNode.getArtifact().getScope());
+                if (deps != null) {
+                    if (deps.size() == 1) {
+                        final Dependency d = deps.get(0);
+                        if (d != null) {
+                            final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
+                            d.addAsEvidence("pom", ma, Confidence.HIGHEST);
+                            if (availableVersions != null) {
+                                for (ArtifactVersion av : availableVersions) {
+                                    d.addAvailableVersion(av.toString());
                                 }
-                                getLog().debug(String.format("Adding project reference %s on dependency %s",
-                                        project.getName(), d.getDisplayFileName()));
                             }
-                        } else if (getLog().isDebugEnabled()) {
-                            final String msg = String.format("More than 1 dependency was identified in first pass scan of '%s' in project %s",
-                                    dependencyNode.getArtifact().getId(), project.getName());
-                            getLog().debug(msg);
+                            getLog().debug(String.format("Adding project reference %s on dependency %s",
+                                    project.getName(), d.getDisplayFileName()));
                         }
-                    } else if ("import".equals(dependencyNode.getArtifact().getScope())) {
-                        final String msg = String.format("Skipping '%s:%s' in project %s as it uses an `import` scope",
-                                dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
+                    } else if (getLog().isDebugEnabled()) {
+                        final String msg = String.format("More than 1 dependency was identified in first pass scan of '%s' in project %s",
+                                dependencyNode.getArtifact().getId(), project.getName());
                         getLog().debug(msg);
-                    } else {
-                        final String msg = String.format("No analyzer could be found for '%s:%s' in project %s",
-                                dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
-                        getLog().warn(msg);
                     }
-                } else {
-                    final String msg = String.format("Unable to resolve '%s' in project %s",
-                            dependencyNode.getArtifact().getId(), project.getName());
+                } else if ("import".equals(dependencyNode.getArtifact().getScope())) {
+                    final String msg = String.format("Skipping '%s:%s' in project %s as it uses an `import` scope",
+                            dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
                     getLog().debug(msg);
-                    if (exCol == null) {
-                        exCol = new ExceptionCollection();
-                    }
+                } else {
+                    final String msg = String.format("No analyzer could be found for '%s:%s' in project %s",
+                            dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
+                    getLog().warn(msg);
                 }
-            } catch (ArtifactResolverException ex) {
+            } else {
+                final String msg = String.format("Unable to resolve '%s' in project %s",
+                        dependencyNode.getArtifact().getId(), project.getName());
+                getLog().debug(msg);
                 if (exCol == null) {
                     exCol = new ExceptionCollection();
                 }
-                exCol.addException(ex);
             }
         }
 
@@ -871,6 +894,66 @@ private ExceptionCollection collectDependencies(Engine engine, MavenProject proj
         return exCol;
     }
 
+    /**
+     * Checks if the current artifact is actually in the reactor projects that
+     * have not yet been built. If true a virtual dependency is created based on
+     * the evidence in the project.
+     *
+     * @param engine a reference to the engine being used to scan
+     * @param artifact the artifact being analyzed in the mojo
+     * @return <code>true</code> if the artifact is in the reactor; otherwise
+     * <code>false</code>
+     */
+    private boolean addReactorDependency(Engine engine, Artifact artifact) {
+        for (MavenProject project : reactorProjects) {
+            if (project.getArtifactId().equals(artifact.getArtifactId())
+                    && project.getGroupId().equals(artifact.getGroupId())
+                    && project.getVersion().equals(artifact.getVersion())) {
+
+                final String displayName = String.format("%s:%s:%s",
+                        project.getGroupId(), project.getArtifactId(), project.getVersion());
+                getLog().info(String.format("Unable to resolve %s as it has not been built yet - creating a virtual dependency instead.", displayName));
+                File pom = new File(project.getBasedir(), "pom.xml");
+                Dependency d;
+                if (pom.isFile()) {
+                    d = new Dependency(pom, true);
+                } else {
+                    d = new Dependency(true);
+                }
+                d.setDisplayFileName(displayName);
+
+                d.addEvidence(EvidenceType.PRODUCT, "project", "artifactid", project.getArtifactId(), Confidence.HIGHEST);
+                d.addEvidence(EvidenceType.VENDOR, "project", "artifactid", project.getArtifactId(), Confidence.LOW);
+
+                d.addEvidence(EvidenceType.VENDOR, "project", "groupid", project.getGroupId(), Confidence.HIGHEST);
+                d.addEvidence(EvidenceType.PRODUCT, "project", "groupid", project.getGroupId(), Confidence.LOW);
+                d.setEcosystem(JarAnalyzer.DEPENDENCY_ECOSYSTEM);
+                //TODO unify the setName/version and package path - they are equivelent ideas submitted by two seperate committers
+                d.setName(String.format("%s:%s", project.getGroupId(), project.getArtifactId()));
+                d.setVersion(project.getVersion());
+                d.setPackagePath(displayName);
+                JarAnalyzer.addDescription(d, project.getDescription(), "project", "description");
+                for (License l : project.getLicenses()) {
+                    StringBuilder license = new StringBuilder();
+                    if (l.getName() != null) {
+                        license.append(l.getName());
+                    }
+                    if (l.getUrl() != null) {
+                        license.append(" ").append(l.getUrl());
+                    }
+                    if (d.getLicense() == null) {
+                        d.setLicense(license.toString());
+                    } else if (!d.getLicense().contains(license)) {
+                        d.setLicense(String.format("%s%n%s", d.getLicense(), license.toString()));
+                    }
+                }
+                engine.addDependency(d);
+                return true;
+            }
+        }
+        return false;
+    }
+    
     /**
      * Determines if the groupId, artifactId, and version of the Maven
      * dependency and artifact match.
@@ -975,7 +1058,8 @@ protected void runCheck() throws MojoExecutionException, MojoFailureException {
      * @param currentEx the primary exception collection
      * @param newEx the new exception collection to add
      * @return the combined exception collection
-     * @throws MojoExecutionException thrown if dependency-check is configured to fail on errors
+     * @throws MojoExecutionException thrown if dependency-check is configured
+     * to fail on errors
      */
     private ExceptionCollection handleAnalysisExceptions(ExceptionCollection currentEx, ExceptionCollection newEx) throws MojoExecutionException {
         ExceptionCollection returnEx = currentEx;
@@ -1453,4 +1537,5 @@ protected String getOutputDirectoryContextKey() {
     }
 
     //</editor-fold>
+    
 }

From 916ff90bb58f5975945f17034640691cc6614ea5 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Tue, 1 May 2018 07:09:31 -0400
Subject: [PATCH 13/36] add logging output for 740

---
 .travis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.travis.yml b/.travis.yml
index 3a09c560e72..6eda4cbb437 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -49,6 +49,7 @@ after_success:
     fi;
 
 after_failure:
+    - cat /home/travis/build/jeremylong/DependencyCheck/maven/target/it/740-aggregate/build.log
     - cat /home/travis/build/jeremylong/DependencyCheck/maven/target/it/617-hierarchical-cross-deps/build.log
     - cat /home/travis/build/jeremylong/DependencyCheck/maven/target/it/618-aggregator-purge/build.log
     - cat /home/travis/build/jeremylong/DependencyCheck/maven/target/it/618-aggregator-update-only/build.log

From 894fc8d0ca553d5e1a8aaa704a4129542498b902 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Wed, 2 May 2018 05:50:05 -0400
Subject: [PATCH 14/36] fix test case

---
 maven/src/it/740-aggregate/first/pom.xml  | 2 +-
 maven/src/it/740-aggregate/second/pom.xml | 2 +-
 maven/src/it/740-aggregate/third/pom.xml  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/maven/src/it/740-aggregate/first/pom.xml b/maven/src/it/740-aggregate/first/pom.xml
index ec008957d09..37e6e8b18ee 100644
--- a/maven/src/it/740-aggregate/first/pom.xml
+++ b/maven/src/it/740-aggregate/first/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <modelVersion>4.0.0</modelVersion>
     <parent>
         <groupId>org.owasp.test</groupId>
-        <artifactId>threaded-parent</artifactId>
+        <artifactId>aggregate-parent</artifactId>
         <version>1.0.0-SNAPSHOT</version>
     </parent>
     <artifactId>first</artifactId>
diff --git a/maven/src/it/740-aggregate/second/pom.xml b/maven/src/it/740-aggregate/second/pom.xml
index 710eace2e07..e24fead1e38 100644
--- a/maven/src/it/740-aggregate/second/pom.xml
+++ b/maven/src/it/740-aggregate/second/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <modelVersion>4.0.0</modelVersion>
     <parent>
         <groupId>org.owasp.test</groupId>
-        <artifactId>threaded-parent</artifactId>
+        <artifactId>aggregate-parent</artifactId>
         <version>1.0.0-SNAPSHOT</version>
     </parent>
     <artifactId>second</artifactId>
diff --git a/maven/src/it/740-aggregate/third/pom.xml b/maven/src/it/740-aggregate/third/pom.xml
index a36ca6f3fb9..3bfa07e7337 100644
--- a/maven/src/it/740-aggregate/third/pom.xml
+++ b/maven/src/it/740-aggregate/third/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <modelVersion>4.0.0</modelVersion>
     <parent>
         <groupId>org.owasp.test</groupId>
-        <artifactId>threaded-parent</artifactId>
+        <artifactId>aggregate-parent</artifactId>
         <version>1.0.0-SNAPSHOT</version>
     </parent>
     <artifactId>third</artifactId>

From 9498f2c17f56a39bc274749393299abf1437202e Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Wed, 2 May 2018 05:50:36 -0400
Subject: [PATCH 15/36] update test case

---
 maven/src/it/740-aggregate/invoker.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/maven/src/it/740-aggregate/invoker.properties b/maven/src/it/740-aggregate/invoker.properties
index c32d994a16a..b5087cc941d 100644
--- a/maven/src/it/740-aggregate/invoker.properties
+++ b/maven/src/it/740-aggregate/invoker.properties
@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
 
-invoker.goals = install -X
+invoker.goals = verify -X

From 86b0ce360a0a4f6425a7daa71904dbd261c075fb Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 30 Apr 2018 06:56:10 -0400
Subject: [PATCH 16/36] update to create virtual dependencies

---
 .../dependency/Dependency.java                |  11 +
 .../maven/BaseDependencyCheckMojo.java        | 235 ++++++++++++------
 2 files changed, 171 insertions(+), 75 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
index f84514188a9..ca9ded7d437 100644
--- a/core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -192,6 +192,17 @@ public Dependency(File file, boolean isVirtual) {
         determineHashes(file);
     }
 
+    /**
+     * Constructs a new Dependency object.
+     *
+     * @param isVirtual specifies if the dependency is virtual indicating the
+     * file doesn't actually exist.
+     */
+    public Dependency(boolean isVirtual) {
+        this();
+        this.isVirtual = isVirtual;
+    }
+
     /**
      * Returns the file name of the dependency.
      *
diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 539d8f0315a..6bf76601785 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -29,6 +29,7 @@
 import org.apache.maven.artifact.versioning.ArtifactVersion;
 import org.apache.maven.doxia.sink.Sink;
 import org.apache.maven.execution.MavenSession;
+import org.apache.maven.model.License;
 import org.apache.maven.plugin.AbstractMojo;
 import org.apache.maven.plugin.MojoExecutionException;
 import org.apache.maven.plugin.MojoFailureException;
@@ -51,10 +52,12 @@
 import org.apache.maven.shared.model.fileset.FileSet;
 import org.apache.maven.shared.model.fileset.util.FileSetManager;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.JarAnalyzer;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.exception.DependencyNotFoundException;
@@ -152,9 +155,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     @Parameter(defaultValue = "${project.build.directory}", required = true)
     private File outputDirectory;
     /**
-     * This is a reference to the &gt;reporting&lt; sections <code>outputDirectory</code>.
-     * This cannot be configured in the dependency-check mojo directly.
-     * This generally maps to "target/site".
+     * This is a reference to the &gt;reporting&lt; sections
+     * <code>outputDirectory</code>. This cannot be configured in the
+     * dependency-check mojo directly. This generally maps to "target/site".
      */
     @Parameter(property = "project.reporting.outputDirectory", readonly = true)
     private File reportOutputDirectory;
@@ -228,7 +231,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     @Parameter(property = "connectionTimeout", defaultValue = "", required = false)
     private String connectionTimeout;
     /**
-     * Sets whether dependency-check should check if there is a new version available.
+     * Sets whether dependency-check should check if there is a new version
+     * available.
      */
     @SuppressWarnings("CanBeFinal")
     @Parameter(property = "versionCheckEnabled", defaultValue = "true", required = false)
@@ -719,11 +723,25 @@ protected File getCorrectOutputDirectory(MavenProject current) {
      * and scanning the dependencies
      */
     protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine) {
+        return scanArtifacts(project, engine, false);
+    }
+
+    /**
+     * Scans the project's artifacts and adds them to the engine's dependency
+     * list.
+     *
+     * @param project the project to scan the dependencies of
+     * @param engine the engine to use to scan the dependencies
+     * @param aggregate whether the scan is part of an aggregate build
+     * @return a collection of exceptions that may have occurred while resolving
+     * and scanning the dependencies
+     */
+    protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine, boolean aggregate) {
         try {
             final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest();
             buildingRequest.setProject(project);
             final DependencyNode dn = dependencyGraphBuilder.buildDependencyGraph(buildingRequest, null, reactorProjects);
-            return collectDependencies(engine, project, dn.getChildren(), buildingRequest);
+            return collectDependencies(engine, project, dn.getChildren(), buildingRequest, aggregate);
         } catch (DependencyGraphBuilderException ex) {
             final String msg = String.format("Unable to build dependency graph on project %s", project.getName());
             getLog().debug(msg, ex);
@@ -740,101 +758,106 @@ protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine)
      * @param nodes the list of dependency nodes, generally obtained via the
      * DependencyGraphBuilder
      * @param buildingRequest the Maven project building request
+     * @param aggregate whether the scan is part of an aggregate build
      * @return a collection of exceptions that may have occurred while resolving
      * and scanning the dependencies
      */
     private ExceptionCollection collectDependencies(Engine engine, MavenProject project,
-            List<DependencyNode> nodes, ProjectBuildingRequest buildingRequest) {
+            List<DependencyNode> nodes, ProjectBuildingRequest buildingRequest, boolean aggregate) {
         ExceptionCollection exCol = null;
         for (DependencyNode dependencyNode : nodes) {
             if (artifactScopeExcluded.passes(dependencyNode.getArtifact().getScope())
                     || artifactTypeExcluded.passes(dependencyNode.getArtifact().getType())) {
                 continue;
             }
-            exCol = collectDependencies(engine, project, dependencyNode.getChildren(), buildingRequest);
-            try {
-                boolean isResolved = false;
-                File artifactFile = null;
-                String artifactId = null;
-                String groupId = null;
-                String version = null;
-                List<ArtifactVersion> availableVersions = null;
-                if (org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(dependencyNode.getArtifact().getScope())) {
-                    for (org.apache.maven.model.Dependency d : project.getDependencies()) {
-                        final Artifact a = dependencyNode.getArtifact();
-                        if (d.getSystemPath() != null && artifactsMatch(d, a)) {
-
-                            artifactFile = new File(d.getSystemPath());
-                            isResolved = artifactFile.isFile();
-                            groupId = a.getGroupId();
-                            artifactId = a.getArtifactId();
-                            version = a.getVersion();
-                            availableVersions = a.getAvailableVersions();
-                            break;
-                        }
+            exCol = collectDependencies(engine, project, dependencyNode.getChildren(), buildingRequest, aggregate);
+            boolean isResolved = false;
+            File artifactFile = null;
+            String artifactId = null;
+            String groupId = null;
+            String version = null;
+            List<ArtifactVersion> availableVersions = null;
+            if (org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(dependencyNode.getArtifact().getScope())) {
+                for (org.apache.maven.model.Dependency d : project.getDependencies()) {
+                    final Artifact a = dependencyNode.getArtifact();
+                    if (d.getSystemPath() != null && artifactsMatch(d, a)) {
+
+                        artifactFile = new File(d.getSystemPath());
+                        isResolved = artifactFile.isFile();
+                        groupId = a.getGroupId();
+                        artifactId = a.getArtifactId();
+                        version = a.getVersion();
+                        availableVersions = a.getAvailableVersions();
+                        break;
+                    }
+                }
+                if (!isResolved) {
+                    getLog().error("Unable to resolve system scoped dependency: " + dependencyNode.toNodeString());
+                    if (exCol == null) {
+                        exCol = new ExceptionCollection();
                     }
-                    if (!isResolved) {
-                        getLog().error("Unable to resolve system scoped dependency: " + dependencyNode.toNodeString());
+                    exCol.addException(new DependencyNotFoundException("Unable to resolve system scoped dependency: "
+                            + dependencyNode.toNodeString()));
+                }
+            } else {
+                final ArtifactCoordinate coordinate = TransferUtils.toArtifactCoordinate(dependencyNode.getArtifact());
+                final Artifact result;
+                try {
+                    result = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
+                } catch (ArtifactResolverException ex) {
+                    if (!aggregate || addReactorDependency(engine, dependencyNode.getArtifact())) {
                         if (exCol == null) {
                             exCol = new ExceptionCollection();
                         }
-                        exCol.addException(new DependencyNotFoundException("Unable to resolve system scoped dependency: "
-                                + dependencyNode.toNodeString()));
                     }
-                } else {
-                    final ArtifactCoordinate coordinate = TransferUtils.toArtifactCoordinate(dependencyNode.getArtifact());
-                    final Artifact result = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
-                    isResolved = result.isResolved();
-                    artifactFile = result.getFile();
-                    groupId = result.getGroupId();
-                    artifactId = result.getArtifactId();
-                    version = result.getVersion();
-                    availableVersions = result.getAvailableVersions();
+                    exCol.addException(ex);
+                    continue;
                 }
-                if (isResolved && artifactFile != null) {
-                    final List<Dependency> deps = engine.scan(artifactFile.getAbsoluteFile(),
-                            project.getName() + ":" + dependencyNode.getArtifact().getScope());
-                    if (deps != null) {
-                        if (deps.size() == 1) {
-                            final Dependency d = deps.get(0);
-                            if (d != null) {
-                                final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
-                                d.addAsEvidence("pom", ma, Confidence.HIGHEST);
-                                if (availableVersions != null) {
-                                    for (ArtifactVersion av : availableVersions) {
-                                        d.addAvailableVersion(av.toString());
-                                    }
+                isResolved = result.isResolved();
+                artifactFile = result.getFile();
+                groupId = result.getGroupId();
+                artifactId = result.getArtifactId();
+                version = result.getVersion();
+                availableVersions = result.getAvailableVersions();
+            }
+            if (isResolved && artifactFile != null) {
+                final List<Dependency> deps = engine.scan(artifactFile.getAbsoluteFile(),
+                        project.getName() + ":" + dependencyNode.getArtifact().getScope());
+                if (deps != null) {
+                    if (deps.size() == 1) {
+                        final Dependency d = deps.get(0);
+                        if (d != null) {
+                            final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
+                            d.addAsEvidence("pom", ma, Confidence.HIGHEST);
+                            if (availableVersions != null) {
+                                for (ArtifactVersion av : availableVersions) {
+                                    d.addAvailableVersion(av.toString());
                                 }
-                                getLog().debug(String.format("Adding project reference %s on dependency %s",
-                                        project.getName(), d.getDisplayFileName()));
                             }
-                        } else if (getLog().isDebugEnabled()) {
-                            final String msg = String.format("More than 1 dependency was identified in first pass scan of '%s' in project %s",
-                                    dependencyNode.getArtifact().getId(), project.getName());
-                            getLog().debug(msg);
+                            getLog().debug(String.format("Adding project reference %s on dependency %s",
+                                    project.getName(), d.getDisplayFileName()));
                         }
-                    } else if ("import".equals(dependencyNode.getArtifact().getScope())) {
-                        final String msg = String.format("Skipping '%s:%s' in project %s as it uses an `import` scope",
-                                dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
+                    } else if (getLog().isDebugEnabled()) {
+                        final String msg = String.format("More than 1 dependency was identified in first pass scan of '%s' in project %s",
+                                dependencyNode.getArtifact().getId(), project.getName());
                         getLog().debug(msg);
-                    } else {
-                        final String msg = String.format("No analyzer could be found for '%s:%s' in project %s",
-                                dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
-                        getLog().warn(msg);
                     }
-                } else {
-                    final String msg = String.format("Unable to resolve '%s' in project %s",
-                            dependencyNode.getArtifact().getId(), project.getName());
+                } else if ("import".equals(dependencyNode.getArtifact().getScope())) {
+                    final String msg = String.format("Skipping '%s:%s' in project %s as it uses an `import` scope",
+                            dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
                     getLog().debug(msg);
-                    if (exCol == null) {
-                        exCol = new ExceptionCollection();
-                    }
+                } else {
+                    final String msg = String.format("No analyzer could be found for '%s:%s' in project %s",
+                            dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
+                    getLog().warn(msg);
                 }
-            } catch (ArtifactResolverException ex) {
+            } else {
+                final String msg = String.format("Unable to resolve '%s' in project %s",
+                        dependencyNode.getArtifact().getId(), project.getName());
+                getLog().debug(msg);
                 if (exCol == null) {
                     exCol = new ExceptionCollection();
                 }
-                exCol.addException(ex);
             }
         }
 
@@ -871,6 +894,66 @@ private ExceptionCollection collectDependencies(Engine engine, MavenProject proj
         return exCol;
     }
 
+    /**
+     * Checks if the current artifact is actually in the reactor projects that
+     * have not yet been built. If true a virtual dependency is created based on
+     * the evidence in the project.
+     *
+     * @param engine a reference to the engine being used to scan
+     * @param artifact the artifact being analyzed in the mojo
+     * @return <code>true</code> if the artifact is in the reactor; otherwise
+     * <code>false</code>
+     */
+    private boolean addReactorDependency(Engine engine, Artifact artifact) {
+        for (MavenProject project : reactorProjects) {
+            if (project.getArtifactId().equals(artifact.getArtifactId())
+                    && project.getGroupId().equals(artifact.getGroupId())
+                    && project.getVersion().equals(artifact.getVersion())) {
+
+                final String displayName = String.format("%s:%s:%s",
+                        project.getGroupId(), project.getArtifactId(), project.getVersion());
+                getLog().info(String.format("Unable to resolve %s as it has not been built yet - creating a virtual dependency instead.", displayName));
+                File pom = new File(project.getBasedir(), "pom.xml");
+                Dependency d;
+                if (pom.isFile()) {
+                    d = new Dependency(pom, true);
+                } else {
+                    d = new Dependency(true);
+                }
+                d.setDisplayFileName(displayName);
+
+                d.addEvidence(EvidenceType.PRODUCT, "project", "artifactid", project.getArtifactId(), Confidence.HIGHEST);
+                d.addEvidence(EvidenceType.VENDOR, "project", "artifactid", project.getArtifactId(), Confidence.LOW);
+
+                d.addEvidence(EvidenceType.VENDOR, "project", "groupid", project.getGroupId(), Confidence.HIGHEST);
+                d.addEvidence(EvidenceType.PRODUCT, "project", "groupid", project.getGroupId(), Confidence.LOW);
+                d.setEcosystem(JarAnalyzer.DEPENDENCY_ECOSYSTEM);
+                //TODO unify the setName/version and package path - they are equivelent ideas submitted by two seperate committers
+                d.setName(String.format("%s:%s", project.getGroupId(), project.getArtifactId()));
+                d.setVersion(project.getVersion());
+                d.setPackagePath(displayName);
+                JarAnalyzer.addDescription(d, project.getDescription(), "project", "description");
+                for (License l : project.getLicenses()) {
+                    StringBuilder license = new StringBuilder();
+                    if (l.getName() != null) {
+                        license.append(l.getName());
+                    }
+                    if (l.getUrl() != null) {
+                        license.append(" ").append(l.getUrl());
+                    }
+                    if (d.getLicense() == null) {
+                        d.setLicense(license.toString());
+                    } else if (!d.getLicense().contains(license)) {
+                        d.setLicense(String.format("%s%n%s", d.getLicense(), license.toString()));
+                    }
+                }
+                engine.addDependency(d);
+                return true;
+            }
+        }
+        return false;
+    }
+    
     /**
      * Determines if the groupId, artifactId, and version of the Maven
      * dependency and artifact match.
@@ -975,7 +1058,8 @@ protected void runCheck() throws MojoExecutionException, MojoFailureException {
      * @param currentEx the primary exception collection
      * @param newEx the new exception collection to add
      * @return the combined exception collection
-     * @throws MojoExecutionException thrown if dependency-check is configured to fail on errors
+     * @throws MojoExecutionException thrown if dependency-check is configured
+     * to fail on errors
      */
     private ExceptionCollection handleAnalysisExceptions(ExceptionCollection currentEx, ExceptionCollection newEx) throws MojoExecutionException {
         ExceptionCollection returnEx = currentEx;
@@ -1453,4 +1537,5 @@ protected String getOutputDirectoryContextKey() {
     }
 
     //</editor-fold>
+    
 }

From 758ee32367b5d7bc823ec1bab0f780f112718ade Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Wed, 2 May 2018 06:15:02 -0400
Subject: [PATCH 17/36] added logging

---
 .../maven/BaseDependencyCheckMojo.java        | 36 ++++++++++---------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 6bf76601785..815f145f4d0 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -905,15 +905,20 @@ private ExceptionCollection collectDependencies(Engine engine, MavenProject proj
      * <code>false</code>
      */
     private boolean addReactorDependency(Engine engine, Artifact artifact) {
-        for (MavenProject project : reactorProjects) {
-            if (project.getArtifactId().equals(artifact.getArtifactId())
-                    && project.getGroupId().equals(artifact.getGroupId())
-                    && project.getVersion().equals(artifact.getVersion())) {
+        for (MavenProject prj : reactorProjects) {
+
+            getLog().debug(String.format("Comparing %s:%s%s to %s:%s:%s",
+                    artifact.getGroupId(), artifact.getArtifactId(), artifact.getVersion(),
+                    prj.getGroupId(), prj.getArtifactId(), prj.getVersion()));
+
+            if (prj.getArtifactId().equals(artifact.getArtifactId())
+                    && prj.getGroupId().equals(artifact.getGroupId())
+                    && prj.getVersion().equals(artifact.getVersion())) {
 
                 final String displayName = String.format("%s:%s:%s",
-                        project.getGroupId(), project.getArtifactId(), project.getVersion());
+                        prj.getGroupId(), prj.getArtifactId(), prj.getVersion());
                 getLog().info(String.format("Unable to resolve %s as it has not been built yet - creating a virtual dependency instead.", displayName));
-                File pom = new File(project.getBasedir(), "pom.xml");
+                File pom = new File(prj.getBasedir(), "pom.xml");
                 Dependency d;
                 if (pom.isFile()) {
                     d = new Dependency(pom, true);
@@ -922,18 +927,18 @@ private boolean addReactorDependency(Engine engine, Artifact artifact) {
                 }
                 d.setDisplayFileName(displayName);
 
-                d.addEvidence(EvidenceType.PRODUCT, "project", "artifactid", project.getArtifactId(), Confidence.HIGHEST);
-                d.addEvidence(EvidenceType.VENDOR, "project", "artifactid", project.getArtifactId(), Confidence.LOW);
+                d.addEvidence(EvidenceType.PRODUCT, "project", "artifactid", prj.getArtifactId(), Confidence.HIGHEST);
+                d.addEvidence(EvidenceType.VENDOR, "project", "artifactid", prj.getArtifactId(), Confidence.LOW);
 
-                d.addEvidence(EvidenceType.VENDOR, "project", "groupid", project.getGroupId(), Confidence.HIGHEST);
-                d.addEvidence(EvidenceType.PRODUCT, "project", "groupid", project.getGroupId(), Confidence.LOW);
+                d.addEvidence(EvidenceType.VENDOR, "project", "groupid", prj.getGroupId(), Confidence.HIGHEST);
+                d.addEvidence(EvidenceType.PRODUCT, "project", "groupid", prj.getGroupId(), Confidence.LOW);
                 d.setEcosystem(JarAnalyzer.DEPENDENCY_ECOSYSTEM);
                 //TODO unify the setName/version and package path - they are equivelent ideas submitted by two seperate committers
-                d.setName(String.format("%s:%s", project.getGroupId(), project.getArtifactId()));
-                d.setVersion(project.getVersion());
+                d.setName(String.format("%s:%s", prj.getGroupId(), prj.getArtifactId()));
+                d.setVersion(prj.getVersion());
                 d.setPackagePath(displayName);
-                JarAnalyzer.addDescription(d, project.getDescription(), "project", "description");
-                for (License l : project.getLicenses()) {
+                JarAnalyzer.addDescription(d, prj.getDescription(), "project", "description");
+                for (License l : prj.getLicenses()) {
                     StringBuilder license = new StringBuilder();
                     if (l.getName() != null) {
                         license.append(l.getName());
@@ -953,7 +958,7 @@ private boolean addReactorDependency(Engine engine, Artifact artifact) {
         }
         return false;
     }
-    
+
     /**
      * Determines if the groupId, artifactId, and version of the Maven
      * dependency and artifact match.
@@ -1537,5 +1542,4 @@ protected String getOutputDirectoryContextKey() {
     }
 
     //</editor-fold>
-    
 }

From ccae164b4a4948d912ab386cc719b1dce3eb838d Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Wed, 2 May 2018 06:30:23 -0400
Subject: [PATCH 18/36] added logging

---
 .../owasp/dependencycheck/maven/BaseDependencyCheckMojo.java | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 815f145f4d0..68344549b3f 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -905,6 +905,11 @@ private ExceptionCollection collectDependencies(Engine engine, MavenProject proj
      * <code>false</code>
      */
     private boolean addReactorDependency(Engine engine, Artifact artifact) {
+
+        getLog().debug(String.format("Checking the reactor projects (%d) for %s:%s:%s",
+                reactorProjects.size(),
+                artifact.getGroupId(), artifact.getArtifactId(), artifact.getVersion()));
+
         for (MavenProject prj : reactorProjects) {
 
             getLog().debug(String.format("Comparing %s:%s%s to %s:%s:%s",

From d4b36fadeda7f1c5329a8b61581d67cde6680817 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Wed, 2 May 2018 06:46:50 -0400
Subject: [PATCH 19/36] added logging

---
 .../org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 68344549b3f..8b31cfb3d62 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -805,6 +805,7 @@ private ExceptionCollection collectDependencies(Engine engine, MavenProject proj
                 try {
                     result = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
                 } catch (ArtifactResolverException ex) {
+                    getLog().debug(String.format("Aggregate : %s", aggregate));
                     if (!aggregate || addReactorDependency(engine, dependencyNode.getArtifact())) {
                         if (exCol == null) {
                             exCol = new ExceptionCollection();

From c9929d0d3441af4027ca8e36a6914e1098d32ad3 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Wed, 2 May 2018 06:54:04 -0400
Subject: [PATCH 20/36] fixed bug - not calling scan artifacts indicate the
 scan is an aggregate

---
 .../java/org/owasp/dependencycheck/maven/AggregateMojo.java   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
index 35f2f9fe5db..572e4dc0b5a 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
@@ -64,9 +64,9 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
      */
     @Override
     protected ExceptionCollection scanDependencies(final Engine engine) throws MojoExecutionException {
-        ExceptionCollection exCol = scanArtifacts(getProject(), engine);
+        ExceptionCollection exCol = scanArtifacts(getProject(), engine, true);
         for (MavenProject childProject : getDescendants(this.getProject())) {
-            final ExceptionCollection ex = scanArtifacts(childProject, engine);
+            final ExceptionCollection ex = scanArtifacts(childProject, engine, true);
             if (ex != null) {
                 if (exCol == null) {
                     exCol = ex;

From 46cac41304bf15413863e9dbaa43f712dcda4c50 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Wed, 2 May 2018 06:54:18 -0400
Subject: [PATCH 21/36] updated exception handling

---
 .../dependencycheck/maven/BaseDependencyCheckMojo.java      | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 8b31cfb3d62..945e0a86c6e 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -806,12 +806,16 @@ private ExceptionCollection collectDependencies(Engine engine, MavenProject proj
                     result = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
                 } catch (ArtifactResolverException ex) {
                     getLog().debug(String.format("Aggregate : %s", aggregate));
+                    boolean addException = true;
                     if (!aggregate || addReactorDependency(engine, dependencyNode.getArtifact())) {
+                        addException = false;
+                    }
+                    if (addException) {
                         if (exCol == null) {
                             exCol = new ExceptionCollection();
                         }
+                        exCol.addException(ex);
                     }
-                    exCol.addException(ex);
                     continue;
                 }
                 isResolved = result.isResolved();

From b4fa608efd611a3c29cb05832953b106f4657f61 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Wed, 2 May 2018 07:12:38 -0400
Subject: [PATCH 22/36] fix npe

---
 .../owasp/dependencycheck/maven/BaseDependencyCheckMojo.java  | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 945e0a86c6e..9c64ee4d4ff 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -947,7 +947,9 @@ private boolean addReactorDependency(Engine engine, Artifact artifact) {
                 d.setName(String.format("%s:%s", prj.getGroupId(), prj.getArtifactId()));
                 d.setVersion(prj.getVersion());
                 d.setPackagePath(displayName);
-                JarAnalyzer.addDescription(d, prj.getDescription(), "project", "description");
+                if (prj.getDescription() != null) {
+                    JarAnalyzer.addDescription(d, prj.getDescription(), "project", "description");
+                }
                 for (License l : prj.getLicenses()) {
                     StringBuilder license = new StringBuilder();
                     if (l.getName() != null) {

From fd072540752527128f1b3b63da148a16feff3db9 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Thu, 3 May 2018 05:59:21 -0400
Subject: [PATCH 23/36] manually apply #1260 as rebase is failing

---
 maven/src/it/740-aggregate/first/pom.xml        | 2 +-
 maven/src/it/740-aggregate/pom.xml              | 2 +-
 maven/src/it/740-aggregate/second/pom.xml       | 2 +-
 maven/src/it/740-aggregate/third/fourth/pom.xml | 2 +-
 maven/src/it/740-aggregate/third/pom.xml        | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/maven/src/it/740-aggregate/first/pom.xml b/maven/src/it/740-aggregate/first/pom.xml
index 37e6e8b18ee..5361ae245ea 100644
--- a/maven/src/it/740-aggregate/first/pom.xml
+++ b/maven/src/it/740-aggregate/first/pom.xml
@@ -19,7 +19,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <parent>
-        <groupId>org.owasp.test</groupId>
+        <groupId>org.owasp.test.aggregate</groupId>
         <artifactId>aggregate-parent</artifactId>
         <version>1.0.0-SNAPSHOT</version>
     </parent>
diff --git a/maven/src/it/740-aggregate/pom.xml b/maven/src/it/740-aggregate/pom.xml
index 98ae44a22ca..7c8e905146c 100644
--- a/maven/src/it/740-aggregate/pom.xml
+++ b/maven/src/it/740-aggregate/pom.xml
@@ -18,7 +18,7 @@ Copyright (c) 2018 Jeremy Long. All Rights Reserved.
 -->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
-    <groupId>org.owasp.test</groupId>
+    <groupId>org.owasp.test.aggregate</groupId>
     <artifactId>aggregate-parent</artifactId>
     <version>1.0.0-SNAPSHOT</version>
     <packaging>pom</packaging>
diff --git a/maven/src/it/740-aggregate/second/pom.xml b/maven/src/it/740-aggregate/second/pom.xml
index e24fead1e38..1682b6bac38 100644
--- a/maven/src/it/740-aggregate/second/pom.xml
+++ b/maven/src/it/740-aggregate/second/pom.xml
@@ -19,7 +19,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <parent>
-        <groupId>org.owasp.test</groupId>
+        <groupId>org.owasp.test.aggregate</groupId>
         <artifactId>aggregate-parent</artifactId>
         <version>1.0.0-SNAPSHOT</version>
     </parent>
diff --git a/maven/src/it/740-aggregate/third/fourth/pom.xml b/maven/src/it/740-aggregate/third/fourth/pom.xml
index 43581af39fb..4e138994df9 100644
--- a/maven/src/it/740-aggregate/third/fourth/pom.xml
+++ b/maven/src/it/740-aggregate/third/fourth/pom.xml
@@ -19,7 +19,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <parent>
-        <groupId>org.owasp.test</groupId>
+        <groupId>org.owasp.test.aggregate</groupId>
         <artifactId>third</artifactId>
         <version>1.0.0-SNAPSHOT</version>
     </parent>
diff --git a/maven/src/it/740-aggregate/third/pom.xml b/maven/src/it/740-aggregate/third/pom.xml
index 3bfa07e7337..19cc22a5d1e 100644
--- a/maven/src/it/740-aggregate/third/pom.xml
+++ b/maven/src/it/740-aggregate/third/pom.xml
@@ -19,7 +19,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <parent>
-        <groupId>org.owasp.test</groupId>
+        <groupId>org.owasp.test.aggregate</groupId>
         <artifactId>aggregate-parent</artifactId>
         <version>1.0.0-SNAPSHOT</version>
     </parent>

From df9a3c9819d1bee5bb366c7ec7ac2eab203555e6 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Thu, 3 May 2018 06:34:52 -0400
Subject: [PATCH 24/36] fix postbuild validation of test

---
 maven/src/it/740-aggregate/pom.xml          |  1 +
 maven/src/it/740-aggregate/postbuild.groovy | 15 ++++++++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/maven/src/it/740-aggregate/pom.xml b/maven/src/it/740-aggregate/pom.xml
index 7c8e905146c..39770600d1f 100644
--- a/maven/src/it/740-aggregate/pom.xml
+++ b/maven/src/it/740-aggregate/pom.xml
@@ -35,6 +35,7 @@ Copyright (c) 2018 Jeremy Long. All Rights Reserved.
                 <version>${odc.version}</version>
                 <inherited>false</inherited>
                 <configuration>
+                    <format>XML</format>
                     <centralAnalyzerEnabled>false</centralAnalyzerEnabled>
                 </configuration>
                 <executions>
diff --git a/maven/src/it/740-aggregate/postbuild.groovy b/maven/src/it/740-aggregate/postbuild.groovy
index 8c1b639faac..e4219da8035 100644
--- a/maven/src/it/740-aggregate/postbuild.groovy
+++ b/maven/src/it/740-aggregate/postbuild.groovy
@@ -19,11 +19,16 @@
 import java.nio.charset.Charset;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang.StringUtils;
- 
-String log = FileUtils.readFileToString(new File(basedir, "build.log"), Charset.defaultCharset().name());
-int count = StringUtils.countMatches(log, "Download Started for NVD CVE - 2002");
-if (count > 1){
-    System.out.println(String.format("NVD CVE was downloaded %s times, should be 0 or 1 times", count));
+
+String log = FileUtils.readFileToString(new File(basedir, "target/dependency-check-report.xml"), Charset.defaultCharset().name());
+int count = StringUtils.countMatches(log, "fourth-1.0.0-SNAPSHOT");
+if (count == 0) {
+    System.out.println(String.format("fourth-1.0.0-SNAPSHOT was not identified"));
+    return false;
+}
+count = StringUtils.countMatches(log, "org.apache.james:apache-mime4j-core:0.7.2");
+if (count == 0) {
+    System.out.println(String.format("org.apache.james:apache-mime4j-core:0.7.2 was not identified and is a dependency of fourth-1.0.0-SNAPSHOT"));
     return false;
 }
 return true;
\ No newline at end of file

From 7707c3063c7ce7836cdba524e1b54b10b0c78db6 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Thu, 3 May 2018 06:50:59 -0400
Subject: [PATCH 25/36] fix test case

---
 maven/src/it/740-aggregate/second/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/maven/src/it/740-aggregate/second/pom.xml b/maven/src/it/740-aggregate/second/pom.xml
index 1682b6bac38..c9b9caf5e05 100644
--- a/maven/src/it/740-aggregate/second/pom.xml
+++ b/maven/src/it/740-aggregate/second/pom.xml
@@ -27,7 +27,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <packaging>jar</packaging>
     <dependencies>
         <dependency>
-            <groupId>org.owasp.test</groupId>
+            <groupId>org.owasp.test.aggregate</groupId>
             <artifactId>fourth</artifactId>
             <version>1.0.0-SNAPSHOT</version>
         </dependency>

From d013ff67ea740ee6351da501b55f38cc1a224414 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Thu, 3 May 2018 07:10:11 -0400
Subject: [PATCH 26/36] updated logging to debug test in CI

---
 maven/src/it/740-aggregate/postbuild.groovy | 1 +
 1 file changed, 1 insertion(+)

diff --git a/maven/src/it/740-aggregate/postbuild.groovy b/maven/src/it/740-aggregate/postbuild.groovy
index e4219da8035..ef94475d390 100644
--- a/maven/src/it/740-aggregate/postbuild.groovy
+++ b/maven/src/it/740-aggregate/postbuild.groovy
@@ -24,6 +24,7 @@ String log = FileUtils.readFileToString(new File(basedir, "target/dependency-che
 int count = StringUtils.countMatches(log, "fourth-1.0.0-SNAPSHOT");
 if (count == 0) {
     System.out.println(String.format("fourth-1.0.0-SNAPSHOT was not identified"));
+    System.out.println(log);
     return false;
 }
 count = StringUtils.countMatches(log, "org.apache.james:apache-mime4j-core:0.7.2");

From f5fe4d218fc6ea598b05ff508c36a75c614a6ec2 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Thu, 3 May 2018 15:01:29 -0400
Subject: [PATCH 27/36] replace xml encoding that was accidentally remoed

---
 core/src/main/resources/templates/xmlReport.vsl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/src/main/resources/templates/xmlReport.vsl b/core/src/main/resources/templates/xmlReport.vsl
index cf560147f87..85c85fabd5b 100644
--- a/core/src/main/resources/templates/xmlReport.vsl
+++ b/core/src/main/resources/templates/xmlReport.vsl
@@ -117,7 +117,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <identifiers>
 #foreach($id in $dependency.getIdentifiers())
                 <identifier type="$enc.xml($id.type)" #if($id.confidence)confidence="$id.confidence"#end>
-                    <name>($id.value)</name>
+                    <name>$enc.xml($id.value)</name>
 #if( $id.url )
                     <url>$enc.xml($id.url)</url>
 #end

From a4720a158a860039e13324d56fb64e27fbb247d7 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Thu, 3 May 2018 15:01:54 -0400
Subject: [PATCH 28/36] more debug code

---
 .../owasp/dependencycheck/maven/BaseDependencyCheckMojo.java  | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 9c64ee4d4ff..542afb1ab0f 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -917,7 +917,7 @@ private boolean addReactorDependency(Engine engine, Artifact artifact) {
 
         for (MavenProject prj : reactorProjects) {
 
-            getLog().debug(String.format("Comparing %s:%s%s to %s:%s:%s",
+            getLog().debug(String.format("Comparing %s:%s:%s to %s:%s:%s",
                     artifact.getGroupId(), artifact.getArtifactId(), artifact.getVersion(),
                     prj.getGroupId(), prj.getArtifactId(), prj.getVersion()));
 
@@ -964,7 +964,9 @@ private boolean addReactorDependency(Engine engine, Artifact artifact) {
                         d.setLicense(String.format("%s%n%s", d.getLicense(), license.toString()));
                     }
                 }
+                System.out.println(String.format("Dependency Count Before: %d", engine.getDependencies().length));
                 engine.addDependency(d);
+                System.out.println(String.format("Dependency Count after: %d", engine.getDependencies().length));
                 return true;
             }
         }

From b3154b93207dfce545a45d19c5a7fad6e6f4f404 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Thu, 3 May 2018 16:02:51 -0400
Subject: [PATCH 29/36] removed system.out statements

---
 .../owasp/dependencycheck/maven/BaseDependencyCheckMojo.java   | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 542afb1ab0f..174c6d0cbc4 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -931,6 +931,7 @@ private boolean addReactorDependency(Engine engine, Artifact artifact) {
                 File pom = new File(prj.getBasedir(), "pom.xml");
                 Dependency d;
                 if (pom.isFile()) {
+                    getLog().debug("Adding virtual dependency from pom.xml");
                     d = new Dependency(pom, true);
                 } else {
                     d = new Dependency(true);
@@ -964,9 +965,7 @@ private boolean addReactorDependency(Engine engine, Artifact artifact) {
                         d.setLicense(String.format("%s%n%s", d.getLicense(), license.toString()));
                     }
                 }
-                System.out.println(String.format("Dependency Count Before: %d", engine.getDependencies().length));
                 engine.addDependency(d);
-                System.out.println(String.format("Dependency Count after: %d", engine.getDependencies().length));
                 return true;
             }
         }

From 55c022f220ff6a23881b032349b57c6e34135a71 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 5 May 2018 07:59:02 -0400
Subject: [PATCH 30/36] fix virtual dependencies and checksums

---
 core/src/main/resources/templates/htmlReport.vsl | 8 ++++----
 core/src/main/resources/templates/jsonReport.vsl | 4 ++--
 core/src/main/resources/templates/xmlReport.vsl  | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/core/src/main/resources/templates/htmlReport.vsl b/core/src/main/resources/templates/htmlReport.vsl
index 1766fc12418..e680654b423 100644
--- a/core/src/main/resources/templates/htmlReport.vsl
+++ b/core/src/main/resources/templates/htmlReport.vsl
@@ -731,8 +731,8 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
                             #end
                         #end
                             <b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
-                            <b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
-                            <b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
+                            <b>MD5:</b>&nbsp;#if($dependency.Md5sum)$enc.html($dependency.Md5sum)#end<br/>
+                            <b>SHA1:</b>&nbsp;#if($dependency.Sha1sum)$enc.html($dependency.Sha1sum)#end
                             #if ($dependency.projectReferences.size()==1)
                                 <br/><b>Referenced In Project/Scope:</b>
                                 #foreach($ref in $dependency.projectReferences)
@@ -940,8 +940,8 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
                                     #end
                                 #end
                                     <b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
-                                    <b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
-                                    <b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
+                                    <b>MD5:</b>&nbsp;#if($dependency.Md5sum)$enc.html($dependency.Md5sum)#end<br/>
+                                    <b>SHA1:</b>&nbsp;#if($dependency.Sha1sum)$enc.html($dependency.Sha1sum)#end
                                 </p>
                                 #set($cnt=$cnt+1)
                                 <h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
diff --git a/core/src/main/resources/templates/jsonReport.vsl b/core/src/main/resources/templates/jsonReport.vsl
index d6425a7b9f8..62fefedf6d5 100644
--- a/core/src/main/resources/templates/jsonReport.vsl
+++ b/core/src/main/resources/templates/jsonReport.vsl
@@ -27,8 +27,8 @@
             "isVirtual": #if($dependency.isVirtual)true#{else}false#end,
             "fileName": "$enc.json($dependency.DisplayFileName)",
             "filePath": "$enc.json($dependency.FilePath)",
-            "md5": "$enc.json($dependency.Md5sum)",
-            "sha1": "$enc.json($dependency.Sha1sum)"
+            "md5": "#if($dependency.Md5sum)$enc.json($dependency.Md5sum)#end",
+            "sha1": "#if($dependency.Sha1sum)$enc.json($dependency.Sha1sum)#end"
             #if($dependency.description),"description": "$enc.json($dependency.description)"#end
             #if($dependency.license),"license": "$enc.json($dependency.license)"#end
             #if ($dependency.projectReferences.size()>0)
diff --git a/core/src/main/resources/templates/xmlReport.vsl b/core/src/main/resources/templates/xmlReport.vsl
index 85c85fabd5b..ca69daa6056 100644
--- a/core/src/main/resources/templates/xmlReport.vsl
+++ b/core/src/main/resources/templates/xmlReport.vsl
@@ -48,8 +48,8 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <dependency isVirtual="#if($dependency.isVirtual)true#{else}false#end">
             <fileName>$enc.xml($dependency.DisplayFileName)</fileName>
             <filePath>$enc.xml($dependency.FilePath)</filePath>
-            <md5>$enc.xml($dependency.Md5sum)</md5>
-            <sha1>$enc.xml($dependency.Sha1sum)</sha1>
+            <md5>#if($dependency.Md5sum)$enc.xml($dependency.Md5sum)#end</md5>
+            <sha1>#if($dependency.Sha1sum)$enc.xml($dependency.Sha1sum)#end</sha1>
 #if ($dependency.description)
             <description>$enc.xml($dependency.description)</description>
 #end

From efd74a8aa2546de2326649f3df22963bbcb127d4 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 5 May 2018 08:00:01 -0400
Subject: [PATCH 31/36] additional checks to ensure correct dependency merging

---
 .../dependencycheck/analyzer/DependencyBundlingAnalyzer.java  | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
index bc741deaee9..f2dd57f1d48 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -405,7 +405,9 @@ private boolean hashesMatch(Dependency dependency1, Dependency dependency2) {
      */
     private boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
         if (dependency == null || dependency.getFileName() == null
-                || nextDependency == null || nextDependency.getFileName() == null) {
+                || nextDependency == null || nextDependency.getFileName() == null
+                || dependency.getIdentifiers().isEmpty() 
+                || nextDependency.getIdentifiers().isEmpty()) {
             return false;
         }
         final String mainName = dependency.getFileName().toLowerCase();

From db6e0967e47b306ea976796eefebc891180b81a4 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 5 May 2018 08:00:37 -0400
Subject: [PATCH 32/36] fix postbuild checks

---
 maven/src/it/740-aggregate/postbuild.groovy | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/maven/src/it/740-aggregate/postbuild.groovy b/maven/src/it/740-aggregate/postbuild.groovy
index ef94475d390..cc08e782177 100644
--- a/maven/src/it/740-aggregate/postbuild.groovy
+++ b/maven/src/it/740-aggregate/postbuild.groovy
@@ -20,14 +20,15 @@ import java.nio.charset.Charset;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang.StringUtils;
 
-String log = FileUtils.readFileToString(new File(basedir, "target/dependency-check-report.xml"), Charset.defaultCharset().name());
-int count = StringUtils.countMatches(log, "fourth-1.0.0-SNAPSHOT");
+String report = FileUtils.readFileToString(new File(basedir, "target/dependency-check-report.xml"), Charset.defaultCharset().name());
+int count = StringUtils.countMatches(report, "org.owasp.test.aggregate:fourth:1.0.0-SNAPSHOT");
 if (count == 0) {
     System.out.println(String.format("fourth-1.0.0-SNAPSHOT was not identified"));
-    System.out.println(log);
+    System.out.println(report
+);
     return false;
 }
-count = StringUtils.countMatches(log, "org.apache.james:apache-mime4j-core:0.7.2");
+count = StringUtils.countMatches(report, "org.apache.james:apache-mime4j-core:0.7.2");
 if (count == 0) {
     System.out.println(String.format("org.apache.james:apache-mime4j-core:0.7.2 was not identified and is a dependency of fourth-1.0.0-SNAPSHOT"));
     return false;

From 949efa2d0612f50a2a53eca4854b2d431785ae1f Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 5 May 2018 08:00:57 -0400
Subject: [PATCH 33/36] added identifier to virtual dependency

---
 .../owasp/dependencycheck/maven/BaseDependencyCheckMojo.java | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 174c6d0cbc4..84d53b6dafe 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -944,6 +944,11 @@ private boolean addReactorDependency(Engine engine, Artifact artifact) {
                 d.addEvidence(EvidenceType.VENDOR, "project", "groupid", prj.getGroupId(), Confidence.HIGHEST);
                 d.addEvidence(EvidenceType.PRODUCT, "project", "groupid", prj.getGroupId(), Confidence.LOW);
                 d.setEcosystem(JarAnalyzer.DEPENDENCY_ECOSYSTEM);
+                Identifier id = new Identifier();
+                id.setType("maven");
+                id.setConfidence(Confidence.HIGHEST);
+                id.setValue(displayName);
+                d.addIdentifier(id);
                 //TODO unify the setName/version and package path - they are equivelent ideas submitted by two seperate committers
                 d.setName(String.format("%s:%s", prj.getGroupId(), prj.getArtifactId()));
                 d.setVersion(prj.getVersion());

From 9d5dceb84ccfe33cd9ed15fbbdb8c2ad38e4b634 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 5 May 2018 12:44:49 -0400
Subject: [PATCH 34/36] remove test code

---
 maven/src/it/740-aggregate/postbuild.groovy | 1 -
 1 file changed, 1 deletion(-)

diff --git a/maven/src/it/740-aggregate/postbuild.groovy b/maven/src/it/740-aggregate/postbuild.groovy
index cc08e782177..6c230aadbf0 100644
--- a/maven/src/it/740-aggregate/postbuild.groovy
+++ b/maven/src/it/740-aggregate/postbuild.groovy
@@ -24,7 +24,6 @@ String report = FileUtils.readFileToString(new File(basedir, "target/dependency-
 int count = StringUtils.countMatches(report, "org.owasp.test.aggregate:fourth:1.0.0-SNAPSHOT");
 if (count == 0) {
     System.out.println(String.format("fourth-1.0.0-SNAPSHOT was not identified"));
-    System.out.println(report
 );
     return false;
 }

From 5e93043b9371e33763c828392956833ff3b3c4db Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sun, 6 May 2018 06:56:04 -0400
Subject: [PATCH 35/36] added test case

---
 .../analyzer/DependencyBundlingAnalyzer.java  |  2 +-
 .../DependencyBundlingAnalyzerTest.java       | 83 +++++++++++++++++--
 2 files changed, 78 insertions(+), 7 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
index f2dd57f1d48..023ca82a59d 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -403,7 +403,7 @@ private boolean hashesMatch(Dependency dependency1, Dependency dependency2) {
      * @return true if on of the dependencies is a pom.xml and the identifiers
      * between the two collections match; otherwise false
      */
-    private boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
+    protected boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
         if (dependency == null || dependency.getFileName() == null
                 || nextDependency == null || nextDependency.getFileName() == null
                 || dependency.getIdentifiers().isEmpty() 
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java
index ee6c5ddfef9..350e187b274 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java
@@ -17,6 +17,7 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import java.io.File;
 import mockit.Mocked;
 import mockit.Verifications;
 import org.junit.Test;
@@ -59,8 +60,8 @@ public void testGetAnalysisPhase() {
     }
 
     /**
-     * Test of analyze method, of class DependencyBundlingAnalyzer.
-     * The actually passed dependency does not matter. The analyzer only runs once.
+     * Test of analyze method, of class DependencyBundlingAnalyzer. The actually
+     * passed dependency does not matter. The analyzer only runs once.
      */
     @Test
     public void testAnalyze() throws Exception {
@@ -77,10 +78,12 @@ public void testAnalyze() throws Exception {
         instance.analyze(null, engineMock);
         assertTrue(instance.getAnalyzed());
 
-        new Verifications() {{
-            engineMock.getDependencies();
-            times = 1;
-        }};
+        new Verifications() {
+            {
+                engineMock.getDependencies();
+                times = 1;
+            }
+        };
     }
 
     /**
@@ -140,4 +143,72 @@ public void testFirstPathIsShortest() {
         result = instance.firstPathIsShortest(left, right);
         assertEquals(expResult, result);
     }
+
+    @Test
+    public void testIsShaded() {
+        DependencyBundlingAnalyzer instance = new DependencyBundlingAnalyzer();
+
+        Dependency left = null;
+        Dependency right = null;
+
+        boolean expResult = false;
+        boolean result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        left = new Dependency();
+        expResult = false;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        left = new Dependency(new File("/path/jar.jar"), true);
+        expResult = false;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        right = new Dependency();
+        expResult = false;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        right = new Dependency(new File("/path/pom.xml"), true);
+        expResult = false;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        left.addIdentifier("test", "test", "http://example.com/test");
+        expResult = false;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        right.addIdentifier("next", "next", "http://example.com/next");
+        expResult = false;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        left.addIdentifier("next", "next", "http://example.com/next");
+        expResult = true;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+
+        left = new Dependency(new File("/path/pom.xml"), true);
+        left.addIdentifier("test", "test", "http://example.com/test");
+        right = new Dependency(new File("/path/jar.jar"), true);
+        right.addIdentifier("next", "next", "http://example.com/next");
+        expResult = false;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+        
+        right.addIdentifier("test", "test", "http://example.com/test");
+        expResult = true;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+        
+        left = new Dependency(new File("/path/other.jar"), true);
+        left.addIdentifier("test", "test", "http://example.com/test");
+        right = new Dependency(new File("/path/jar.jar"), true);
+        right.addIdentifier("next", "next", "http://example.com/next");
+        expResult = false;
+        result = instance.isShadedJar(left, right);
+        assertEquals(expResult, result);
+    }
 }

From 6f62902e4b74165880e1a8445995e2e986a72d15 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sun, 6 May 2018 07:46:14 -0400
Subject: [PATCH 36/36] fix typo

---
 maven/src/it/740-aggregate/postbuild.groovy | 1 -
 1 file changed, 1 deletion(-)

diff --git a/maven/src/it/740-aggregate/postbuild.groovy b/maven/src/it/740-aggregate/postbuild.groovy
index 6c230aadbf0..eb55854522d 100644
--- a/maven/src/it/740-aggregate/postbuild.groovy
+++ b/maven/src/it/740-aggregate/postbuild.groovy
@@ -24,7 +24,6 @@ String report = FileUtils.readFileToString(new File(basedir, "target/dependency-
 int count = StringUtils.countMatches(report, "org.owasp.test.aggregate:fourth:1.0.0-SNAPSHOT");
 if (count == 0) {
     System.out.println(String.format("fourth-1.0.0-SNAPSHOT was not identified"));
-);
     return false;
 }
 count = StringUtils.countMatches(report, "org.apache.james:apache-mime4j-core:0.7.2");