How to have a fork of a php project still get security checks with owasp dependency check

We use owasp dependency check against a php project using composer.

Many of the modules are forked from an upstream repo and into an internal git repo. Since the names of the forks do not match the upstream name, dependency check will not be able to match them with CVEs.

Is there any way to alias or indicate that a composer entry is a fork so that it will be able to identify the security issues?



Solution 1:[1]

The "hints" was exactly what I needed.

The steps in case someone else needs something similar.

  1. In a temp project, I created a composer.json with the upstream project in it.
  2. Ran composer install to create the composer.lock file.
  3. Ran dependency-check --project "temp-project" --scan "." --enableExperimental to create a report so I could get the evidence of the vendor and product.
  4. In the project that uses a forked repo, I created a file called "dependency-check-hints.xml" and put the made-up forked vendor and product names in the "given" section and the upstream vendor and product names.
  5. Then I ran dependency-check --project "project-that-uses-fork" --scan "." --enableExperimental --hints dependency-check-hints.xml

<?xml version="1.0" encoding="UTF-8"?>
<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd">
  <hint>
    <!-- given: the evidence the composer.lock analyzer records for the fork -->
    <given>
      <evidence type="vendor" source="composer.lock" name="vendor" value="my-project-name" confidence="HIGHEST" />
      <evidence type="product" source="composer.lock" name="product" value="fork-of-project" confidence="HIGHEST" />
    </given>
    <!-- add: the upstream vendor/product evidence, so the fork matches the upstream package's CVEs -->
    <add>
      <evidence type="vendor" source="hint analyzer" name="vendor" value="upstream-project-name" confidence="HIGHEST" />
      <evidence type="product" source="hint analyzer" name="product" value="upstream-project" confidence="HIGHEST" />
    </add>
  </hint>
</hints>
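The five steps above work for one fork; with many forked modules the hints file is worth generating rather than hand-editing. The script below is an added example, not code from the answer or from the dependency-check project. It reads composer.lock (a constructed sample is embedded), takes a hypothetical fork-to-upstream mapping (FORK_MAP, with made-up upstream vendor/product values standing in for what step 3's report shows), and emits a hints file in the same shape as the answer's. It assumes the composer.lock analyzer splits a package name at the slash into vendor and product evidence, which is consistent with the values in the hints file above, and it refuses mappings for packages that are not in the lock file so a stale entry is noticed instead of silently never matching.

```python
"""Generate a dependency-check hints file from composer.lock plus a
fork -> upstream mapping, following the evidence shape in the answer above."""
import json
import xml.etree.ElementTree as ET

HINTS_NS = "https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd"
ET.register_namespace("", HINTS_NS)  # serialize with a default xmlns, no prefix

# Constructed sample composer.lock: only the fields this script reads.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "my-project-name/fork-of-project", "version": "1.2.3"},
        {"name": "my-project-name/fork-of-other", "version": "2.0.0"},
        {"name": "monolog/monolog", "version": "2.9.1"},
    ],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.6.0"}],
})

# Hypothetical mapping kept next to the project: composer name of the internal
# fork -> (vendor, product) evidence that dependency-check reported for the
# upstream package in the temp-project scan (step 3 of the answer).
FORK_MAP = {
    "my-project-name/fork-of-project": ("upstream-project-name", "upstream-project"),
    "my-project-name/fork-of-other": ("upstream-other-vendor", "upstream-other"),
}


def lock_package_names(lock_text, include_dev=True):
    """Return every package name listed in a composer.lock document."""
    lock = json.loads(lock_text)
    names = [p["name"] for p in lock.get("packages", [])]
    if include_dev:
        names += [p["name"] for p in lock.get("packages-dev", [])]
    return names


def split_composer_name(name):
    """'vendor/project' -> ('vendor', 'project'). Assumption: this is how the
    composer.lock analyzer derives its vendor and product evidence values."""
    vendor, sep, product = name.partition("/")
    if not sep or not vendor or not product:
        raise ValueError(f"not a vendor/project composer name: {name!r}")
    return vendor, product


def _evidence(parent, etype, source, value):
    """Append one <evidence> element; name mirrors type as in the answer's file."""
    ET.SubElement(parent, f"{{{HINTS_NS}}}evidence", {
        "type": etype, "source": source, "name": etype,
        "value": value, "confidence": "HIGHEST",
    })


def build_hints(lock_text, fork_map):
    """Build the hints XML; every mapped fork must be present in composer.lock."""
    present = set(lock_package_names(lock_text))
    missing = sorted(set(fork_map) - present)
    if missing:
        raise ValueError("fork_map entries not in composer.lock: " + ", ".join(missing))
    root = ET.Element(f"{{{HINTS_NS}}}hints")
    for fork_name in sorted(fork_map):
        up_vendor, up_product = fork_map[fork_name]
        fork_vendor, fork_product = split_composer_name(fork_name)
        hint = ET.SubElement(root, f"{{{HINTS_NS}}}hint")
        given = ET.SubElement(hint, f"{{{HINTS_NS}}}given")  # what the scan sees
        _evidence(given, "vendor", "composer.lock", fork_vendor)
        _evidence(given, "product", "composer.lock", fork_product)
        add = ET.SubElement(hint, f"{{{HINTS_NS}}}add")  # identity to match on
        _evidence(add, "vendor", "hint analyzer", up_vendor)
        _evidence(add, "product", "hint analyzer", up_product)
    ET.indent(root)  # Python 3.9+; cosmetic only
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def parse_hints(xml_text):
    """Read a hints file back as [((given_vendor, given_product), (add_vendor, add_product)), ...]."""
    ns = {"h": HINTS_NS}
    out = []
    for hint in ET.fromstring(xml_text).findall("h:hint", ns):
        pairs = []
        for section in ("given", "add"):
            vals = {e.get("type"): e.get("value")
                    for e in hint.findall(f"h:{section}/h:evidence", ns)}
            pairs.append((vals["vendor"], vals["product"]))
        out.append(tuple(pairs))
    return out


if __name__ == "__main__":
    hints_xml = build_hints(SAMPLE_COMPOSER_LOCK, FORK_MAP)
    with open("dependency-check-hints.xml", "w", encoding="utf-8") as fh:
        fh.write(hints_xml)
    print(parse_hints(hints_xml))
```

Run it in the project directory and then invoke dependency-check with --hints dependency-check-hints.xml exactly as in step 5. The values in FORK_MAP have to be copied from the evidence that the temp-project scan in step 3 reports, not guessed, because the hint analyzer only fires when the given evidence matches what the scanner actually recorded. One caveat worth keeping in mind: the hint rewrites vendor and product only, so the version evidence still comes from the fork's entry in composer.lock; if the fork's version string does not track the upstream version it was forked from, the CVE version ranges will be applied to the wrong version.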

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Jim Sellers