Converts an OWASP DependencyCheck XML output to a Maven pom.xml
package com.github.pierre_ernst; | |
import java.io.File;
import java.io.PrintStream;
import java.util.Optional;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
/**
 * Typical pipeline:
 *
 *   $ dependency-check.sh Core --format XML -s .
 *   $ java -cp . com.github.pierre_ernst.Odc2mvn dependency-check-report.xml > pom.xml
 *   $ mvn dependency:unpack-dependencies -Dclassifier=sources -DexcludeTransitive=true -DmarkersDirectory=/tmp -DoutputDirectory=./src
 *
 * Converts an OWASP DependencyCheck XML report into a Maven pom.xml whose dependencies are
 * the high-confidence Maven package identifiers found in the report.
 */
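/**
 * Command-line converter from an OWASP Dependency-Check XML report to a Maven {@code pom.xml}.
 *
 * <p>Usage: {@code java com.github.pierre_ernst.Odc2mvn <OWASP-DependencyCheck-output.xml>}.
 * The generated POM goes to standard output, diagnostics to standard error. Only
 * {@code <package confidence="HIGH">} identifiers whose id is a {@code pkg:maven/...}
 * package URL become {@code <dependency>} entries; anything else is ignored.
 *
 * <p>The POM is assembled in memory and written in one go, so a parse failure never leaves
 * a truncated {@code pom.xml} behind a shell redirect. Exit status: 0 on success, 2 on a usage
 * error, 1 when the report cannot be read or parsed.
 */
public class Odc2mvn {

    /** Selects the purl text of every high-confidence package identifier in the report. */
    private static final String HIGH_CONFIDENCE_PURLS =
            "/analysis/dependencies/dependency/identifiers/package[@confidence='HIGH']/id/text()";

    /** Package-URL type prefix that precedes Maven coordinates. */
    private static final String MAVEN_PURL_PREFIX = "pkg:maven/";

    /** Fixed POM preamble; each line ends where the original println did. */
    private static final String POM_HEADER =
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<project xmlns=\"http://maven.apache.org/POM/4.0.0\"\n"
            + " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n"
            + " xsi:schemaLocation=\"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd\">\n"
            + "\t<modelVersion>4.0.0</modelVersion>\n"
            + "\t<groupId>com.github.pierre_ernst</groupId>\n"
            + "\t<version>1</version>\n"
            + "\t<artifactId>odc2mvn</artifactId>\n\t<dependencies>\n\n";

    /** Closing part of the POM. */
    private static final String POM_FOOTER = "\t</dependencies>\n</project>";

    /** Maven coordinates taken verbatim (unescaped) from a package URL. */
    static final class MavenCoordinate {
        final String groupId;
        final String artifactId;
        final String version;

        MavenCoordinate(String groupId, String artifactId, String version) {
            this.groupId = groupId;
            this.artifactId = artifactId;
            this.version = version;
        }
    }

    /**
     * Entry point.
     *
     * @param args exactly one argument: the path of the Dependency-Check XML report
     */
    public static void main(String... args) {
        if (args.length != 1) {
            System.err.println("Usage: java " + Odc2mvn.class.getName() + " <OWASP-DependencyCheck-output.xml>");
            System.exit(2);
            return;
        }
        try {
            Document report = newSecureDocumentBuilder().parse(new File(args[0]));
            XPathExpression xp = XPathFactory.newInstance().newXPath().compile(HIGH_CONFIDENCE_PURLS);
            NodeList purls = (NodeList) xp.evaluate(report, XPathConstants.NODESET);

            StringBuilder pom = new StringBuilder(POM_HEADER);
            for (int i = 0; i < purls.getLength(); i++) {
                String purl = purls.item(i).getTextContent().trim();
                parseMavenPurl(purl).ifPresent(c -> pom.append(dependencyElement(c)));
            }
            pom.append(POM_FOOTER);

            // The header declares UTF-8, so do not rely on the platform default charset.
            PrintStream out = new PrintStream(System.out, true, "UTF-8");
            out.println(pom);
            out.flush();
        } catch (Exception ex) {
            ex.printStackTrace(System.err);
            System.exit(1);
        }
    }

    /**
     * Builds a DOM parser hardened against XXE and entity-expansion attacks: DOCTYPE
     * declarations are rejected outright (so neither internal nor external entities can be
     * declared), external entity/DTD loading is disabled as defense in depth, and JAXP secure
     * processing caps entity expansion. {@code setFeature} is the documented JAXP call; the
     * previous {@code setAttribute(name, true)} only took effect because the JDK's Xerces
     * happens to treat a Boolean attribute as a feature, and silently does nothing on other
     * implementations. The factory is left non-namespace-aware (the JAXP default), which is
     * what lets the un-prefixed XPath above match elements carrying a default namespace.
     *
     * @throws ParserConfigurationException if the underlying parser does not support one of
     *     the security features; failing closed is preferable to parsing without them
     */
    private static DocumentBuilder newSecureDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /**
     * Extracts Maven coordinates from a package URL of the form
     * {@code pkg:maven/<groupId>/<artifactId>@<version>[?qualifiers][#subpath]}.
     *
     * <p>Entries that are not Maven purls yield empty silently; Maven purls missing a group,
     * artifact or version are reported on stderr and skipped instead of aborting the whole
     * conversion (the previous {@code split(...)[1]} threw on a purl without {@code @}).
     * Components are passed through as-is; the purl spec allows them to be percent-encoded,
     * so decode here if reports are ever seen to contain {@code %xx} sequences.
     *
     * @param purl package URL text, may be null
     * @return the coordinates, or empty when none can be derived
     */
    static Optional<MavenCoordinate> parseMavenPurl(String purl) {
        if (purl == null || !purl.startsWith(MAVEN_PURL_PREFIX)) {
            return Optional.empty();
        }
        String coords = purl.substring(MAVEN_PURL_PREFIX.length());

        // Qualifiers ("?type=jar") and subpath ("#...") follow the version in a purl.
        int end = coords.length();
        int q = coords.indexOf('?');
        int h = coords.indexOf('#');
        if (q >= 0) {
            end = q;
        }
        if (h >= 0 && h < end) {
            end = h;
        }
        coords = coords.substring(0, end);

        int at = coords.indexOf('@');
        int slash = coords.indexOf('/');
        if (at < 0 || slash < 0 || slash > at) {
            System.err.println("Skipping malformed Maven purl (expected group/artifact@version): " + purl);
            return Optional.empty();
        }
        String groupId = coords.substring(0, slash);
        String artifactId = coords.substring(slash + 1, at);
        String version = coords.substring(at + 1);
        if (groupId.isEmpty() || artifactId.isEmpty() || version.isEmpty() || artifactId.indexOf('/') >= 0) {
            System.err.println("Skipping malformed Maven purl (empty or nested component): " + purl);
            return Optional.empty();
        }
        return Optional.of(new MavenCoordinate(groupId, artifactId, version));
    }

    /**
     * Renders one {@code <dependency>} element. Coordinates originate from the scanned
     * artifacts' own metadata, so they are XML-escaped rather than concatenated raw: a
     * crafted coordinate must not be able to break out of its element or inject markup
     * into the generated POM.
     */
    private static String dependencyElement(MavenCoordinate c) {
        return "\t\t<dependency>\n\t\t\t<groupId>" + escapeXml(c.groupId)
                + "</groupId>\n\t\t\t<artifactId>" + escapeXml(c.artifactId)
                + "</artifactId>\n\t\t\t<version>" + escapeXml(c.version)
                + "</version>\n\t\t</dependency>\n\n";
    }

    /** Escapes the five XML special characters in element text. */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }
}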