Some Maven dependencies are absent
joeynaor opened this issue · 1 comments
Describe the bug
When scanning the exact same Maven project, different results/vulnerabilities are shown in the JFrog-supported IDEs. It appears that Eclipse has the most accurate data and number of dependencies, and that VSCode (and IntelliJ) provide different results, likely due to certain dependencies not showing up.
To Reproduce
Add these dependencies to a Maven project and scan it using IntelliJ, Eclipse & VSCode.
Expected behavior
VSCode should scan and find the exact same dependencies and vulnerabilities as other IDEs.
Versions
- JFrog VS-Code extension version: 1.6.0
- JFrog VS-Code extension operating system: Windows Server 2019
- JFrog Xray Version: 3.x
@joeynaor,
See the explanation here about the differences between the JFrog Eclipse and IntelliJ plugins.
Behind the scenes, in the VS-Code extension we run mvn dependency:tree. The dependency plugin is a built-in Maven plugin. We use this plugin to extract the Maven dependencies and therefore we are limited by its results, although I think the results are sufficient.
For example, I ran mvn dependency:tree on the attached list of dependencies and got a list similar to what we show in the VS-Code extension:
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ dep-check ---
[INFO] org.jfrog.test:dep-check:pom:3.7-SNAPSHOT
[INFO] +- org.apache.maven:maven-project:jar:3.0-alpha-2:compile
[INFO] | +- org.codehaus.plexus:plexus-utils:jar:1.5.6:compile
[INFO] | +- org.codehaus.plexus:plexus-interpolation:jar:1.1:compile
[INFO] | +- org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile
[INFO] | | +- org.apache.xbean:xbean-reflect:jar:3.4:compile
[INFO] | | | \- commons-logging:commons-logging-api:jar:1.1:compile
[INFO] | | \- com.google.code.google-collections:google-collect:jar:snapshot-20080530:compile
[INFO] | +- org.codehaus.woodstox:wstx-asl:jar:3.2.6:compile
[INFO] | | \- stax:stax-api:jar:1.0.1:compile
[INFO] | +- org.sonatype.spice:model-builder:jar:1.3:compile
[INFO] | \- org.apache.maven:maven-project-builder:jar:3.0-alpha-2:compile
[INFO] +- org.apache.maven:maven-compat:jar:3.0.5:compile
[INFO] | +- org.apache.maven:maven-model-builder:jar:3.0.5:compile
[INFO] | +- org.sonatype.sisu:sisu-inject-plexus:jar:2.3.0:compile
[INFO] | | \- org.sonatype.sisu:sisu-inject-bean:jar:2.3.0:compile
[INFO] | | \- org.sonatype.sisu:sisu-guice:jar:no_aop:3.1.0:compile
[INFO] | | \- org.sonatype.sisu:sisu-guava:jar:0.9.9:compile
[INFO] | +- org.codehaus.plexus:plexus-component-annotations:jar:1.5.5:compile
[INFO] | \- org.apache.maven.wagon:wagon-provider-api:jar:2.4:compile
[INFO] +- org.apache.maven:maven-artifact:jar:3.0.5:compile
[INFO] +- org.apache.maven:maven-model:jar:3.0.5:compile
[INFO] +- org.apache.maven:maven-settings:jar:3.0.5:compile
[INFO] +- org.apache.maven:maven-core:jar:3.0.5:compile
[INFO] | +- org.apache.maven:maven-settings-builder:jar:3.0.5:compile
[INFO] | +- org.apache.maven:maven-repository-metadata:jar:3.0.5:compile
[INFO] | +- org.apache.maven:maven-aether-provider:jar:3.0.5:compile
[INFO] | | \- org.sonatype.aether:aether-spi:jar:1.13.1:compile
[INFO] | +- org.sonatype.aether:aether-impl:jar:1.13.1:compile
[INFO] | +- org.sonatype.aether:aether-api:jar:1.13.1:compile
[INFO] | +- org.sonatype.aether:aether-util:jar:1.13.1:compile
[INFO] | +- org.codehaus.plexus:plexus-classworlds:jar:2.4:compile
[INFO] | \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3:compile
[INFO] | \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile
[INFO] +- org.apache.maven:maven-plugin-api:jar:3.0.5:compile
[INFO] +- junit:junit:jar:4.12:compile
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- commons-io:commons-io:jar:1.4:compile
[INFO] +- bsf:bsf:jar:2.4.0:compile
[INFO] | \- commons-logging:commons-logging:jar:1.0.4:compile
[INFO] +- javax.xml.bind:jaxb-api:jar:2.2.1:compile
[INFO] | +- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO] | \- javax.activation:activation:jar:1.1:compile
[INFO] +- org.codehaus.castor:castor-xml:jar:1.3.1:compile
[INFO] | \- org.codehaus.castor:castor-core:jar:1.3.1:compile
[INFO] +- javax.transaction:jta:jar:1.0.1B:compile
[INFO] +- commons-lang:commons-lang:jar:2.1:compile
[INFO] +- log4j:log4j:jar:1.2.12:compile
[INFO] +- org.apache.httpcomponents:httpcore:jar:4.2.3:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.2.3:compile
[INFO] | \- commons-codec:commons-codec:jar:1.6:compile
[INFO] +- org.twdata.maven:mojo-executor:jar:2.1.0:compile
[INFO] \- org.json:json:jar:20190722:compile
As with the difference between the IntelliJ and Eclipse plugins, the VS-Code extension does not show transitive optional dependencies. This is not an issue, since the Maven resolver does not download transitive optional dependencies unless they are explicitly specified as direct dependencies.
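Added example, not the extension's own code, in TypeScript (the language VS-Code extensions are written in): a parser for the mvn dependency:tree text the reply above relies on, which rebuilds the tree, flattens it into the coordinates a scanner would look up, and reports which direct dependency pulled a given transitive one in (useful when a finding is reported on a transitive artifact such as the sisu-guice no_aop classifier build). It assumes Maven's real layout of one 3-character cell per nesting level, which the rendering of the output above has collapsed to single spaces, so the embedded sample restores that spacing and the parser rejects collapsed input rather than mis-nesting it.

```typescript
interface MavenNode {   // one line of the tree; the project line itself has no scope
  groupId: string; artifactId: string; type: string; classifier?: string;
  version: string; scope?: string; children: MavenNode[];
}
function parseCoordinate(text: string): MavenNode {   // groupId:artifactId:type[:classifier]:version[:scope]
  const p = text.split(":");
  if (p.length < 4 || p.length > 6) throw new Error(`unexpected coordinate: ${text}`);
  return { groupId: p[0], artifactId: p[1], type: p[2], classifier: p.length === 6 ? p[3] : undefined,
    version: p.length === 6 ? p[4] : p[3], scope: p.length >= 5 ? p[p.length - 1] : undefined, children: [] };
}
// Maven draws each nesting level as one 3-character cell: "+- ", "\- ", "|  " or "   ".
function parseDependencyTree(output: string): MavenNode {
  const byDepth: MavenNode[] = [];                 // byDepth[d] = latest node seen at depth d
  for (const raw of output.split("\n")) {
    const line = raw.replace(/^\[INFO\] ?/, "");
    const conn = line.search(/[+\\]- /);           // start of "+- " or "\- "; -1 on the project line
    const text = line.slice(conn < 0 ? 0 : conn + 3).split(" ")[0];   // drop trailing "(...)" notes
    if (!/^[^:\s]+(:[^:\s]+){3,5}$/.test(text)) continue;             // plugin banner, BUILD summary
    if (conn > 0 && conn % 3 !== 0) throw new Error(`odd indentation (spaces collapsed?): ${raw}`);
    const depth = conn < 0 ? 0 : conn / 3 + 1;
    const node = parseCoordinate(text);
    if (depth > 0) byDepth[depth - 1].children.push(node);   // parent = latest node one level up
    byDepth.length = depth;                        // forget the branch we just left
    byDepth.push(node);
  }
  return byDepth[0];
}
function gav(n: MavenNode): string {
  return [n.groupId, n.artifactId, n.type, n.classifier, n.version].filter(Boolean).join(":");
}
function flatten(n: MavenNode): string[] {   // every coordinate below the project, in tree order
  return n.children.reduce<string[]>((acc, c) => acc.concat(gav(c), flatten(c)), []);
}
// Chain from a direct dependency down to the first node with this artifactId.
function pathTo(n: MavenNode, artifactId: string): string[] | undefined {
  for (const c of n.children) {
    const sub = c.artifactId === artifactId ? [] : pathTo(c, artifactId);
    if (sub) return [gav(c)].concat(sub);
  }
  return undefined;
}
const SAMPLE = [   // constructed: a slice of the run above, with Maven's real spacing restored
  "[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ dep-check ---",
  "[INFO] org.jfrog.test:dep-check:pom:3.7-SNAPSHOT",
  "[INFO] +- org.apache.maven:maven-compat:jar:3.0.5:compile",
  "[INFO] |  +- org.sonatype.sisu:sisu-inject-plexus:jar:2.3.0:compile",
  "[INFO] |  |  \\- org.sonatype.sisu:sisu-inject-bean:jar:2.3.0:compile",
  "[INFO] |  |     \\- org.sonatype.sisu:sisu-guice:jar:no_aop:3.1.0:compile",
  "[INFO] |  \\- org.apache.maven.wagon:wagon-provider-api:jar:2.4:compile",
].join("\n");
```

Feeding it a full run is a matter of piping the captured stdout of mvn dependency:tree into parseDependencyTree; lines without a coordinate (banner, build summary) are skipped.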