Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Scan of local .m2 folder

See original GitHub issue

I use OWASP Dependency Checker to scan code in pipelines. I do it after building of it.

I found that some project use local maven repository e.g.: /jenkins/workspace/MyProject/.m2/

Should I scan this folder or better to exclude it? I think the second option is better cause .m2 could contains plugins, test libraries etc

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:5 (3 by maintainers)

github_iconTop GitHub Comments

1reaction
jeremylongcommented, Dec 10, 2019

The .m2 folder should be skipped in this scenario.

0reactions
jeremylongcommented, Dec 16, 2019

In cases of supporting a ton of different projects - have you considered something like:

if test -f "pom.xml"; then
   mvn org.owasp:dependency-check-maven:aggregate
   publish ./target/dependency-check.xml
elif  test -f "build.gradle"; then
   gradle --init-script /path/to/customDependencyCheckConfig.gradle dependencyCheckAggregate
   publish ./build/reports/dependency-check.xml
else
   dependency-check.sh -s . -o . -f XML
   publish ./dependency-check.xml
fi

Of course the above is psuedo-code and would need the correct publish mechanism added. For gradle see the documentation on init-scripts - I haven’t done this myself yet, but basically you could more correctly cover gradle and maven builds out of the box with just a little scripting to detect the build system used.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Where is Maven local repository? - Mkyong.com
By default, Maven local repository is defaulted to ${user.home}/.m2/repository folder : ... localRepository [INFO] Scanning for projects.
Read more >
How to get the Maven local repo location? - Stack Overflow
Usually it's in: C:\Users\USER_NAME\.m2\repository . However the mvn help:effective-settings command will surely show the local path in response xml.
Read more >
Solved: Bamboo Java specs - local .m2 repository
Solved: Hey, I'm trying to create some shared libraries for Bamboo Specs, I install this package in the bamboo server using mvn install...
Read more >
Handling .m2 repositories - Fortify User Discussions
I am running my scan various ways: Jenkins using the maven plugin; Local machine using maven plugin at top level pom file and...
Read more >
Force IntelliJ to read local maven repository when it loses ...
IntelliJ frequently "forgets" or fails to detect new/updated artifacts in my local Maven repository. Is there a way to force it...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

New year bug

Next page

ACC 3.2.1's output is not sufficient