patch and test for #1421

jeremylong · jeremylong · commit 9e6c9f6c9aa8 · 2018-08-05T08:18:30.000-04:00
diff --git a/maven/src/it/740-aggregate/pom.xml b/maven/src/it/740-aggregate/pom.xml
@@ -25,7 +25,7 @@ Copyright (c) 2018 Jeremy Long. All Rights Reserved.
     <modules>
         <module>first</module>
         <module>second</module>
-		<module>third</module>
+        <module>third</module>
     </modules>
     <build>
         <plugins>
@@ -37,6 +37,12 @@ Copyright (c) 2018 Jeremy Long. All Rights Reserved.
                 <configuration>
                     <format>ALL</format>
                     <centralAnalyzerEnabled>false</centralAnalyzerEnabled>
+                    <enableExperimental>true</enableExperimental>
+                    <scanSet>
+                        <fileSet>
+                            <directory>src/test</directory>
+                        </fileSet>
+                    </scanSet>
                 </configuration>
                 <executions>
                     <execution>
diff --git a/maven/src/it/740-aggregate/postbuild.groovy b/maven/src/it/740-aggregate/postbuild.groovy
@@ -28,7 +28,13 @@ if (count == 0) {
 }
 count = StringUtils.countMatches(report, "org.apache.james:apache-mime4j-core:0.7.2");
 if (count == 0) {
-    System.out.println(String.format("org.apache.james:apache-mime4j-core:0.7.2 was not identified and is a dependency of fourth-1.0.0-SNAPSHOT"));
+    System.out.println("org.apache.james:apache-mime4j-core:0.7.2 was not identified and is a dependency of fourth-1.0.0-SNAPSHOT");
     return false;
 }
+count = StringUtils.countMatches(report, "HelloWorld.js");
+if (count == 0) {
+    System.out.println("HelloWorld.js was not included via ScanSet and is found in `second/srt/test`");
+    return false;
+}
+
 return true;
diff --git a/maven/src/it/740-aggregate/second/src/test/HelloWorld.js b/maven/src/it/740-aggregate/second/src/test/HelloWorld.js
@@ -0,0 +1,4 @@
+/*
+Copyright (c) 2018 The OWAS Foundation. All Rights Reserved.
+*/
+alert('hello world');
diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -874,15 +874,15 @@ protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine,
      * @return a collection of exceptions that may have occurred while resolving
      * and scanning the dependencies
      */
-    private ExceptionCollection collectDependencies(Engine engine, MavenProject project,
+    private ExceptionCollection collectMavenDependencies(Engine engine, MavenProject project,
             List<DependencyNode> nodes, ProjectBuildingRequest buildingRequest, boolean aggregate) {
         ExceptionCollection exCol = null;
         for (DependencyNode dependencyNode : nodes) {
             if (artifactScopeExcluded.passes(dependencyNode.getArtifact().getScope())
                     || artifactTypeExcluded.passes(dependencyNode.getArtifact().getType())) {
                 continue;
             }
-            exCol = collectDependencies(engine, project, dependencyNode.getChildren(), buildingRequest, aggregate);
+            exCol = collectMavenDependencies(engine, project, dependencyNode.getChildren(), buildingRequest, aggregate);
             boolean isResolved = false;
             File artifactFile = null;
             String artifactId = null;
@@ -985,6 +985,28 @@ private ExceptionCollection collectDependencies(Engine engine, MavenProject proj
                 }
             }
         }
+        return exCol;
+    }
+
+    /**
+     * Scans the projects dependencies including the default (or defined)
+     * FileSets.
+     *
+     * @param engine the core dependency-check engine
+     * @param project the project being scanned
+     * @param nodes the list of dependency nodes, generally obtained via the
+     * DependencyGraphBuilder
+     * @param buildingRequest the Maven project building request
+     * @param aggregate whether the scan is part of an aggregate build
+     * @return a collection of exceptions that may have occurred while resolving
+     * and scanning the dependencies
+     */
+    private ExceptionCollection collectDependencies(Engine engine, MavenProject project,
+            List<DependencyNode> nodes, ProjectBuildingRequest buildingRequest, boolean aggregate) {
+
+        ExceptionCollection exCol = null;
+        exCol = collectMavenDependencies(engine, project, nodes, buildingRequest, aggregate);
+
         FileSet[] projectScan = scanSet;
         if (scanSet == null || scanSet.length == 0) {
             // Define the default FileSets
@@ -1005,6 +1027,38 @@ private ExceptionCollection collectDependencies(Engine engine, MavenProject proj
 
         } else if (aggregate) {
             //TODO build the correct scan set for the child project?
+            projectScan = new FileSet[scanSet.length];
+            for (int x = 0; x < scanSet.length; x++) {
+                //deep copy of the FileSet - modifying the directory if it is not absolute.
+                FileSet copyFrom = scanSet[x];
+                FileSet fsCopy = new FileSet();
+
+                File f = new File(copyFrom.getDirectory());
+                if (f.isAbsolute()) {
+                    fsCopy.setDirectory(copyFrom.getDirectory());
+                } else {
+                    try {
+                        fsCopy.setDirectory(new File(project.getBasedir(), copyFrom.getDirectory()).getCanonicalPath());
+                    } catch (IOException ex) {
+                        if (exCol == null) {
+                            exCol = new ExceptionCollection();
+                        }
+                        exCol.addException(ex);
+                        fsCopy.setDirectory(copyFrom.getDirectory());
+                    }
+                }
+                fsCopy.setDirectoryMode(copyFrom.getDirectoryMode());
+                fsCopy.setExcludes(copyFrom.getExcludes());
+                fsCopy.setFileMode(copyFrom.getFileMode());
+                fsCopy.setFollowSymlinks(copyFrom.isFollowSymlinks());
+                fsCopy.setIncludes(copyFrom.getIncludes());
+                fsCopy.setLineEnding(copyFrom.getLineEnding());
+                fsCopy.setMapper(copyFrom.getMapper());
+                fsCopy.setModelEncoding(copyFrom.getModelEncoding());
+                fsCopy.setOutputDirectory(copyFrom.getOutputDirectory());
+                fsCopy.setUseDefaultExcludes(copyFrom.isUseDefaultExcludes());
+                projectScan[x] = fsCopy;
+            }
         }
 
         // Iterate through FileSets and scan included files
