DependencyCheck

Why does dependencyCheckAggregate not find any vulnerable dependencies?

Open ZabGo opened this issue 1 year ago • 3 comments

Hello,

I've got a multi-module Android project. When I run dependencyCheckAnalyze it will find vulnerable dependencies in each module. However, when I run dependencyCheckAggregate, it will not find any vulnerable dependencies in any module.

How can I set up dependencyCheckAggregate so that it can find vulnerable dependencies and generate a report?

Thank you for your help! :-)

ZabGo avatar Dec 04 '23 13:12 ZabGo

Do you have a sample project?

jeremylong avatar Dec 04 '23 22:12 jeremylong

Hi @jeremylong,

I have the same problem in a multi-module project.

I created a repository to show the problem: https://github.com/chrste90/deps-check-example

If you run `./gradlew dependencyCheckAnalyze` you get the vulnerabilities from the old Spring dependency. But if you run `./gradlew dependencyCheckAggregate` the output says 0 vulnerabilities.

I hope the example project is working for you; the only thing you should change is the `data` block under `buildSrc/src/main/groovy/java-common-conventions.gradle`.

If you need anything else to analyze the problem, I'm happy to help.

Thanks Chris

chrste90 avatar Apr 10 '24 07:04 chrste90

I think I found a solution: I had to move the dependency-check config from `buildSrc/src/main/groovy/*.gradle` to the root `build.gradle`.

I pushed an update to my example repository to show how I got it working.

The only small problem I have now is that I get an error from the .NET Assembly Analyzer which wasn't there before: ".NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly Analyzer or add the path to dotnet core in the configuration. The dotnet 6.0 core runtime or SDK is required to analyze assemblies."

This can be fixed by setting `assemblyEnabled = false`, but I'm not sure why the error appeared now.

chrste90 avatar Apr 11 '24 14:04 chrste90
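As an added illustration of the fix described in the thread (this is example configuration written for this page, not code from the linked example repository or from the plugin's own documentation): a root `build.gradle` that applies the dependency-check plugin once, at the root, so that `dependencyCheckAggregate` sees every subproject's resolved dependencies and writes a single report. The plugin id, the `dependencyCheck` extension and the `analyzers { assemblyEnabled = false }` setting are real plugin options; the plugin version, the output directory and the suppression file path are assumptions for the example and should be adjusted to the project.

```groovy
// Root build.gradle (added example; version, paths and thresholds are assumptions).
// Applying the plugin here, rather than from a buildSrc convention plugin applied
// to each subproject, is what makes dependencyCheckAggregate pick up the modules.
plugins {
    id 'org.owasp.dependencycheck' version '9.0.9'   // assumed version
}

dependencyCheck {
    // Fail the build when any finding has CVSS >= 7 (assumed policy threshold).
    failBuildOnCVSS = 7

    // Aggregate report for the whole multi-module build.
    outputDirectory = "${buildDir}/reports/dependency-check"   // assumed path
    formats = ['HTML', 'JSON']

    // Reviewed false positives live here (assumed path; omit if you have none).
    suppressionFile = 'config/dependency-check-suppressions.xml'

    analyzers {
        // Workaround for "The 'dotnet' executable could not be found on the path"
        // on hosts without the .NET 6 runtime. Caveat: with this off, any .exe/.dll
        // pulled in transitively is skipped, not analyzed.
        assemblyEnabled = false
    }
}
```

Run `./gradlew dependencyCheckAggregate` from the root; per-module `dependencyCheckAnalyze` still works, but the aggregate task is the one that produces the single cross-module report. If the build host has the .NET 6 runtime or SDK installed, leave `assemblyEnabled` at its default (true) so that bundled assemblies are scanned rather than silently skipped.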