Ant task does not use project-relative paths for suppression file and output directory

[ChristopherSchultz]

When using the ant task with a reportoutputdirectory attribute and a <suppressionfile> child element where the paths are relative to the project root, running the ant task from the same directory as the build.xml file works as expected. However, when running e.g. ant -f /path/to/build.xml dependency-check from another directory, the suppression file is not found (unless fully-qualified from within the build script itself) and the report is written to a directory relative to the CWD of the invocation and not relative to the build.xml file, which is the typical expectation for relative paths in ant build scripts.

Version of dependency-check used
The problem occurs using version 12.1.0 of the Apache ant plugin

Log file
When reporting errors, 99% of the time log file output is required. Please post the log file as a gist and provide a link in the new issue.

To Reproduce
Steps to reproduce the behavior:

1. Use the following build.xml script in e.g. a temp directory:

<project name="test" default="dependency-check" basedir=".">
  <!-- TODO: Set this path properly -->
  <property name="dependency-check.home" value="${user.home}/packages/dependency-check-ant" />

  <target name="prep">
    <echo file="dependency-check-suppressions.xml">
&lt;suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"&gt;
&lt;/suppressions&gt;
    </echo>
  </target>

  <target name="dependency-check" depends="prep">
    <path id="dependency-check.path">
      <pathelement location="${dependency-check.home}/dependency-check-ant.jar"/>
      <fileset dir="${dependency-check.home}/lib">
        <include name="*.jar"/>
      </fileset>
    </path>
    <taskdef resource="dependency-check-taskdefs.properties">
      <classpath refid="dependency-check.path" />
    </taskdef>

    <property name="dependency-check.output-dir" value="dep-check-report-dir" />
    <mkdir dir="${dependency-check.output-dir}" />
    <dependency-check projectname="${ant.project.name}" reportoutputdirectory="${dependency-check.output-dir}">
      <suppressionfile path="dependency-check-suppressions.xml" />
      <fileset dir="${dependency-check.home}">
        <include name="**/*.jar"/>
      </fileset>
    </dependency-check>
  </target>
</project>

2. Customize the value of the dependency-check ant library home
3. Run ant

This should run successfully, creating a suppression file alongside the build.xml script, creating a directory called dep-check-report-dir, and placing the report in that directory.

4. cd ..
5. ant -f temp/build.xml

This will fail because the suppressions file does not exist. It does exist, but it's in the temp directory, alongside the build.xml script. If you fix the reference to the suppression file to be ${basedir}/dependency-check-suppressions.xml", then the script completes, but the report is put into an unexpected place: ./dep-check-report-dirinstead of./temp/dep-check-report-dir`.

Ant's documentation says that any non-absolute path should be relative to the project's basedir, which defaults to the directory containing the build.xml file.

It would be nice for dependency-check to resolve these relative paths in the same way, for consistency.

[ChristopherSchultz]

I'd be happy to prepare a PR for this. I think this can be solved with a patch like this:

diff --git a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
index bfbb66721..94990e7c4 100644
--- a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
+++ b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
@@ -201,7 +201,7 @@ public class Check extends Update {
      * Specifies the destination directory for the generated Dependency-Check
      * report.
      */
-    private String reportOutputDirectory = ".";
+    private String reportOutputDirectory = resolveRelative(".");
     /**
      * If using the JUNIT report format the junitFailOnCVSS sets the CVSS score
      * threshold that is considered a failure. The default is 0.
@@ -527,7 +527,15 @@ public class Check extends Update {
      * @param suppressionFile the suppression file to add.
      */
     public void addConfiguredSuppressionFile(final SuppressionFile suppressionFile) {
-        suppressionFiles.add(suppressionFile.getPath());
+        suppressionFiles.add(resolveRelative(suppressionFile.getPath()));
+    }
+
+    private String resolveRelative(String filename) {
+        if (new java.io.File(filename).isAbsolute()) {
+            return filename;
+        } else {
+            return new java.io.File(getProject().getBaseDir(), filename);
+        }
     }
 
     /**
@@ -578,7 +586,7 @@ public class Check extends Update {
      * @param reportOutputDirectory new value of reportOutputDirectory
      */
     public void setReportOutputDirectory(String reportOutputDirectory) {
-        this.reportOutputDirectory = reportOutputDirectory;
+        this.reportOutputDirectory = resolveRelative(reportOutputDirectory);
     }
 
     /**
@@ -645,7 +653,7 @@ public class Check extends Update {
      * @param suppressionFile new value of suppressionFile
      */
     public void setSuppressionFile(String suppressionFile) {
-        suppressionFiles.add(suppressionFile);
+        suppressionFiles.add(resolveRelative(suppressionFile));
     }
 
     /**

If this looks like the right approach, I'll prepare a PR.

[ChristopherSchultz]

It also looks like this configuration setting might benefit from being relative to the basedir as well: bundleAuditWorkingDirectory.

[jeremylong]

PRs are welcome - don't think any of the core maintainers utilize Ant. I built the task, early on, to the best of my ability.

[marcelstoer]

@ChristopherSchultz I can see this being a useful fix for Ant users and would support a PR (fix plus updated documentation).