Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Not able to exclude transitive dependencies from a scan?
See original GitHub issueHi,
I am using the ./gradlew dependencyCheckAggregate command to generate the dependency report HTML file for one of my Gradle projects. It works fine and lists both direct and transitive jar dependencies which are vulnerable as per the NVD database. However, I tried multiple ways but failed to figure out a way wherein I want to only list the direct dependencies? Is there any way through which I can list the direct dependencies only? Below is the build.gradle file for reference –
File snippet -
plugins {
id 'org.owasp.dependencycheck' version '6.5.3'
}
repositories {
mavenCentral()
}
subprojects {
apply plugin: 'org.owasp.dependencycheck'
dependencyCheck {
outputDirectory = 'security-report'
failOnError = true
}
}
Is this some feature that is missing from this plugin? or something else? Please confirm.
Issue Analytics
- State:
- Created 2 years ago
- Comments:6 (3 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I won’t disagree that when using the maven or gradle plugin we could do better about indicating where in the dependency tree the vulnerable component is - however, how much one should worry about the transitive dependencies is complicated.
Used but undeclared dependencies(see an example dependency-analysis reportYes, upgrading transitive dependencies can be difficult and sometimes impossible unless you are willing to put in a PR to the direct dependency to help them upgrade. However, just ignoring them is likely not the best option.
@aikebah I have been trying to come up with an easier way for Maven and Gradle to display the dependency tree for transitive deps. Something like adding a row above related dependencies that shows the path:
Hierarchy
org.junit.jupiter:junit-jupiter-api -> org.apiguardian:apiguardian-api