Running dependency-check on multi module build

Maven version: 3.6.1
Dependency check version: 5.2.1

Hi,

I have a multi module maven build and am trying to determine the correct configuration for running dependency check from the top level and generating a collated report of all sub modules. Please can you help?

I have the following config in my parent pom:

<pluginManagement>
    <plugins>
        <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>${owasp-maven-plugin.version}</version>
            <executions>
                <execution>
                    <phase>none</phase>
                    <goals>
                        <goal>check</goal>
                    </goals>
                </execution>
            </executions>
            <configuration>
                <format>html</format>
                <outputDirectory>${project.basedir}/target</outputDirectory>
                <failBuildOnCVSS>0</failBuildOnCVSS>
                <cveValidForHours>168</cveValidForHours>
                <centralAnalyzerEnabled>false</centralAnalyzerEnabled>
                <nexusAnalyzerEnabled>false</nexusAnalyzerEnabled>
                <pyDistributionAnalyzerEnabled>false</pyDistributionAnalyzerEnabled>
                <pyPackageAnalyzerEnabled>false</pyPackageAnalyzerEnabled>
                <rubygemsAnalyzerEnabled>false</rubygemsAnalyzerEnabled>
                <cmakeAnalyzerEnabled>false</cmakeAnalyzerEnabled>
                <autoconfAnalyzerEnabled>false</autoconfAnalyzerEnabled>
                <composerAnalyzerEnabled>false</composerAnalyzerEnabled>
                <nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>
                <nuspecAnalyzerEnabled>false</nuspecAnalyzerEnabled>
                <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
                <retireJsAnalyzerEnabled>false</retireJsAnalyzerEnabled>
            </configuration>
        </plugin>
    </plugins>
</pluginManagement>

I have 9 sub modules, each with the following config:

<plugins>
    <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <configuration>
            <suppressionFile>${project.parent.basedir}/owasp-suppressions.xml</suppressionFile>
        </configuration>
    </plugin>
</plugins>

I am running mvn dependency-check:check from the top level, but the report appears to only show information from the top-level (parent) project.

Issue Analytics

  • State: closed
  • Created: 4 years ago
  • Comments: 12 (6 by maintainers)

Top GitHub Comments

1 reaction
mprins commented, Aug 19, 2019

Also, only a report for the top-level project appears to be generated

This is why it is called an aggregate: it shows all of your project in one aggregate. If it just scanned the parent, which should have no dependencies, your report would be empty.

0 reactions
jeremylong commented, Dec 10, 2019

At the moment there is no way to skip specific children in an aggregate report. Also, without putting inherited=false in the parent you will receive an aggregate report generated for the parent that will contain everything AND an aggregate report for each child (aggregating itself and any of its child poms).

One option to explore would be to set up a profile that excludes the children you don't want to include and run dependency-check under that profile.
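Putting the original question and the two maintainer comments together, the parent POM fragment below is an added example; it is not the poster's configuration and not code from the DependencyCheck project. It declares the plugin once in the parent with the `aggregate` goal instead of `check` (so the whole reactor is scanned rather than only the module the goal runs in), sets `inherited` to `false` so children do not each produce their own aggregate report, points `suppressionFile` at a single file in the parent, and uses a pair of profiles to leave out a module that cannot otherwise be skipped from an aggregate. The module names `core`, `api` and `legacy-client`, the profile ids, the coordinates and the CVSS threshold are assumptions chosen for the example.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <!-- Added example parent POM. Module names, profile ids, coordinates and the
       version property value are assumptions, not values from the original issue. -->
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>parent</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <properties>
    <owasp-maven-plugin.version>5.2.1</owasp-maven-plugin.version>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${owasp-maven-plugin.version}</version>
        <!-- Only the parent runs the plugin. Without this, every child also runs
             aggregate and you get one report per POM instead of one for the reactor. -->
        <inherited>false</inherited>
        <executions>
          <execution>
            <id>owasp-aggregate</id>
            <phase>verify</phase>
            <goals>
              <!-- aggregate walks all child modules; check scans the current module only -->
              <goal>aggregate</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <format>HTML</format>
          <!-- one collated report, written under the parent's target/ directory -->
          <outputDirectory>${project.basedir}/target</outputDirectory>
          <!-- a single suppression file at the root covers every module -->
          <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
          <!-- fail the build on any finding scored 7.0 (high) or above; 0 would fail on any finding -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <cveValidForHours>168</cveValidForHours>
        </configuration>
      </plugin>
    </plugins>
  </build>

  <profiles>
    <!-- Normal reactor: every module. An activeByDefault profile is switched off
         as soon as another profile from the same POM is selected on the command line. -->
    <profile>
      <id>all-modules</id>
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <modules>
        <module>core</module>
        <module>api</module>
        <module>legacy-client</module>
      </modules>
    </profile>
    <!-- Scan subset: the same reactor without legacy-client. Selecting this profile
         is the only way to keep a child out of the aggregate report. -->
    <profile>
      <id>dependency-check</id>
      <modules>
        <module>core</module>
        <module>api</module>
      </modules>
    </profile>
  </profiles>
</project>
```

Run it from the top level with `mvn -Pdependency-check verify`, or invoke the goal directly with `mvn -Pdependency-check org.owasp:dependency-check-maven:aggregate`; either way a single `target/dependency-check-report.html` appears under the parent and none under the children. Because the aggregator runs in the parent, which Maven builds before its children, modules that depend on sibling modules need those sibling artifacts to be resolvable (for example after a prior `mvn install`), otherwise the inter-module dependencies are reported as unresolved. With `inherited` set to `false` the per-module `<plugins>` entries from the original question are no longer needed.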
