Replace Gemnasium Maven plugin with mvn dependency:tree

Summary

When scanning Java Maven project, list the project dependencies using mvn dependency:tree instead of the Gemnasium Maven plugin.

The dependency:tree plugin comes with Maven and requires no installation. It supports multiple graph formats, including DOT and graphml.

This has been tested with the java-maven test project.

Output files: dependencies.graphml, dependencies.tgf, dependencies.dot

See experiment
% docker run -ti --rm --workdir /app --volume $PWD:/app registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven:2 /bin/bash

root@6caeee0c356b:/app# mvn dependency:tree -D outputType=dot -D outputFile=dependencies.dot
[INFO] Scanning for projects...
[INFO] 
[INFO] -----------< com.gitlab.security_products.tests:java-maven >------------
[INFO] Building java-maven 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ java-maven ---
[INFO] Wrote dependency tree to: /app/dependencies.dot
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.289 s
[INFO] Finished at: 2020-07-01T12:05:51Z
[INFO] ------------------------------------------------------------------------

root@6caeee0c356b:/app# mvn dependency:tree
[INFO] Scanning for projects...
[INFO] 
[INFO] -----------< com.gitlab.security_products.tests:java-maven >------------
[INFO] Building java-maven 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ java-maven ---
[INFO] com.gitlab.security_products.tests:java-maven:jar:1.0-SNAPSHOT
[INFO] +- org.powermock:powermock-api-mockito:jar:1.7.3:test
[INFO] |  +- org.powermock:powermock-api-mockito-common:jar:1.7.3:test
[INFO] |  |  \- org.powermock:powermock-api-support:jar:1.7.3:test
[INFO] |  |     +- org.powermock:powermock-reflect:jar:1.7.3:test
[INFO] |  |     \- org.powermock:powermock-core:jar:1.7.3:test
[INFO] |  |        \- org.javassist:javassist:jar:3.21.0-GA:test
[INFO] |  \- org.mockito:mockito-core:jar:1.10.19:test
[INFO] |     +- org.hamcrest:hamcrest-core:jar:1.1:test
[INFO] |     \- org.objenesis:objenesis:jar:2.1:test
[INFO] +- io.netty:netty:jar:3.9.1.Final:compile
[INFO] +- junit:junit:jar:3.8.1:test
[INFO] +- org.apache.maven:maven-artifact:jar:3.3.9:compile
[INFO] |  +- org.codehaus.plexus:plexus-utils:jar:3.0.22:compile
[INFO] |  \- org.apache.commons:commons-lang3:jar:3.4:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.2:compile
[INFO] +- org.mozilla:rhino:jar:1.7.10:compile
[INFO] \- org.apache.geode:geode-core:jar:1.1.1:compile
[INFO]    +- com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1:compile
[INFO]    +- org.jgroups:jgroups:jar:3.6.10.Final:compile
[INFO]    +- antlr:antlr:jar:2.7.7:compile
[INFO]    +- commons-io:commons-io:jar:2.3:compile
[INFO]    +- commons-lang:commons-lang:jar:2.5:compile
[INFO]    +- it.unimi.dsi:fastutil:jar:7.0.2:compile
[INFO]    +- javax.resource:javax.resource-api:jar:1.7:compile
[INFO]    |  \- javax.transaction:javax.transaction-api:jar:1.2:compile
[INFO]    +- net.java.dev.jna:jna:jar:4.0.0:compile
[INFO]    +- net.sf.jopt-simple:jopt-simple:jar:5.0.1:compile
[INFO]    +- org.apache.logging.log4j:log4j-api:jar:2.6.1:compile
[INFO]    +- org.apache.logging.log4j:log4j-core:jar:2.6.1:compile
[INFO]    +- org.apache.shiro:shiro-core:jar:1.3.1:compile
[INFO]    |  +- org.slf4j:slf4j-api:jar:1.6.4:compile
[INFO]    |  \- commons-beanutils:commons-beanutils:jar:1.8.3:compile
[INFO]    +- org.apache.geode:geode-common:jar:1.1.1:compile
[INFO]    \- org.apache.geode:geode-json:jar:1.1.1:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.393 s
[INFO] Finished at: 2020-07-01T12:08:45Z
[INFO] ------------------------------------------------------------------------

[attached image: java-maven-deps.svg]

Improvements

  • less code to maintain
  • no need to update gemnasium-maven after releasing a new version of gemnasium-maven-plugin
  • fewer dependencies, which reduces the risk of shipping vulnerable dependencies in the analyzer itself

Risks

  • the output of the new format should be compared to the old output to verify that no important information is lost
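To make that comparison concrete, the following added example (not code from gemnasium-maven or the Maven dependency plugin) parses both the text tree and the DOT graph that mvn dependency:tree produces, normalises each node to groupId/artifactId/version/scope, and reports nodes and edges present in one output but not the other. It assumes the DOT writer names each node with the same `groupId:artifactId:type:version:scope` string as the text tree; the sample inputs are constructed from an excerpt of the tree above, with one edge deliberately dropped from the DOT copy so the diff has something to find.

```python
"""Parse `mvn dependency:tree` output (text and DOT) and diff the dependency sets."""
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

@dataclass(frozen=True)
class Artifact:
    group: str
    artifact: str
    version: str
    scope: Optional[str]  # None for the project root, which carries no scope

def parse_coordinate(coord: str) -> Artifact:
    """Parse groupId:artifactId:type[:classifier]:version[:scope] as the plugin prints it."""
    parts = coord.split(":")
    if len(parts) == 4:   # project root: g:a:type:version
        return Artifact(parts[0], parts[1], parts[3], None)
    if len(parts) == 5:   # dependency: g:a:type:version:scope
        return Artifact(parts[0], parts[1], parts[3], parts[4])
    if len(parts) == 6:   # dependency with classifier: g:a:type:classifier:version:scope
        return Artifact(parts[0], parts[1], parts[4], parts[5])
    raise ValueError(f"unexpected coordinate: {coord!r}")

# One tree line: optional "[INFO] " prefix, indentation in 3-char units ("|  " or "   "),
# an optional "+- " / "\- " branch marker, then a coordinate containing 3 to 5 colons.
TEXT_LINE = re.compile(
    r"^(?:\[INFO\] )?(?P<indent>(?:[| ] {2})*)(?P<marker>[+\\]- )?"
    r"(?P<coord>[^\s:]+(?::[^\s:]+){3,5})$"
)
DOT_EDGE = re.compile(r'"([^"]+)"\s*->\s*"([^"]+)"')

Edge = Tuple[Artifact, Artifact]

def parse_text_tree(text: str) -> Set[Edge]:
    """Rebuild parent->child edges from the indented text tree."""
    edges: Set[Edge] = set()
    last_at_depth = {}  # depth -> most recent node seen at that depth
    for raw in text.splitlines():
        m = TEXT_LINE.match(raw.rstrip())
        if not m:
            continue  # banner, "BUILD SUCCESS" and other non-tree lines
        depth = len(m.group("indent")) // 3 + (1 if m.group("marker") else 0)
        node = parse_coordinate(m.group("coord"))
        last_at_depth[depth] = node
        if depth > 0:
            edges.add((last_at_depth[depth - 1], node))
    return edges

def parse_dot(dot: str) -> Set[Edge]:
    """Collect "parent" -> "child" edges from the DOT graph."""
    return {(parse_coordinate(a), parse_coordinate(b)) for a, b in DOT_EDGE.findall(dot)}

def nodes(edges: Set[Edge]) -> Set[Artifact]:
    return {n for edge in edges for n in edge}

def diff_graphs(old_edges: Set[Edge], new_edges: Set[Edge]):
    """Return (missing_nodes, extra_nodes, missing_edges, extra_edges) of new relative to old."""
    old_n, new_n = nodes(old_edges), nodes(new_edges)
    return old_n - new_n, new_n - old_n, old_edges - new_edges, new_edges - old_edges

# Constructed sample: an excerpt of the text tree from the experiment above.
TEXT_TREE = r"""
[INFO] com.gitlab.security_products.tests:java-maven:jar:1.0-SNAPSHOT
[INFO] +- org.powermock:powermock-api-mockito:jar:1.7.3:test
[INFO] |  +- org.powermock:powermock-api-mockito-common:jar:1.7.3:test
[INFO] |  |  \- org.powermock:powermock-api-support:jar:1.7.3:test
[INFO] |  \- org.mockito:mockito-core:jar:1.10.19:test
[INFO] +- io.netty:netty:jar:3.9.1.Final:compile
[INFO] \- org.apache.geode:geode-core:jar:1.1.1:compile
[INFO]    \- org.apache.logging.log4j:log4j-core:jar:2.6.1:compile
[INFO] BUILD SUCCESS
"""

# Constructed sample: the DOT form of the same excerpt, with the log4j-core edge dropped.
DOT_GRAPH = r"""digraph "com.gitlab.security_products.tests:java-maven:jar:1.0-SNAPSHOT" {
	"com.gitlab.security_products.tests:java-maven:jar:1.0-SNAPSHOT" -> "org.powermock:powermock-api-mockito:jar:1.7.3:test" ;
	"org.powermock:powermock-api-mockito:jar:1.7.3:test" -> "org.powermock:powermock-api-mockito-common:jar:1.7.3:test" ;
	"org.powermock:powermock-api-mockito-common:jar:1.7.3:test" -> "org.powermock:powermock-api-support:jar:1.7.3:test" ;
	"org.powermock:powermock-api-mockito:jar:1.7.3:test" -> "org.mockito:mockito-core:jar:1.10.19:test" ;
	"com.gitlab.security_products.tests:java-maven:jar:1.0-SNAPSHOT" -> "io.netty:netty:jar:3.9.1.Final:compile" ;
	"com.gitlab.security_products.tests:java-maven:jar:1.0-SNAPSHOT" -> "org.apache.geode:geode-core:jar:1.1.1:compile" ;
}
"""

if __name__ == "__main__":
    missing, extra, missing_edges, extra_edges = diff_graphs(parse_text_tree(TEXT_TREE), parse_dot(DOT_GRAPH))
    for a in sorted(missing, key=str):
        print(f"MISSING in DOT: {a.group}:{a.artifact}:{a.version} ({a.scope})")
    for a in sorted(extra, key=str):
        print(f"EXTRA in DOT:   {a.group}:{a.artifact}:{a.version} ({a.scope})")
    print(f"{len(missing_edges)} edge(s) missing, {len(extra_edges)} edge(s) extra")
```

Scope is part of the comparison on purpose: a dependency that moves from `compile` to `test` between the two outputs changes what a vulnerability report should say, so it is reported as a missing node plus an extra node rather than silently matched. Run it against a real dependencies.dot and the captured text tree of the same project to check the "no information loss" risk before switching formats.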

Implementation Plan

Involved components

Testing

  • all java-maven downstream tests specified in gemnasium-maven .gitlab-ci.yml pass
  • the analyzer works in offline mode (there is a gap in our testing here: QA does have tests for offline mode, but this is to be double-checked for java-maven projects)

/cc @gonzoyumo @adamcohen

Edited by Igor Frenkel