RobSHK
I assume that the URI is correctly supplied; the parameters are defined within the pom.xml, referencing files which are located in our Nexus Repository: `https://nexsus-server/nexus/repository/binaries/xx/xxx/xxx/owasp-v9/publishedSuppressions/latest/publishedSuppressions-latest.xml https://nexsus-server/nexus/repository/binaries/xx/xxx/xxx/owasp-v9/known_exploited_vulnerabilities/latest/known_exploited_vulnerabilities-latest.json`
> `https://nexsus-server/nexus/repository/binaries/xx/xxx/xxx/` are you sure that's not a typo and should be `nexus-server` instead?

Sure it is a typo, I've changed the real nexus address, just to avoid sharing our...
> I've never seen a configuration that used: ``. I'd expect something more like: > > ``` > > org.owasp > dependency-check-maven > 9.0.7 > > https://nexsus-server/nexus/repository/binaries/xx/xxx/xxx/owasp-v9/publishedSuppressions/latest/publishedSuppressions-latest.xml > > >...
> > > `https://nexsus-server/nexus/repository/binaries/xx/xxx/xxx/` are you sure that's not a typo and should be `nexus-server` instead? > > > > > > Sure it is a typo, I've changed the...
> If your nexus requires auth - it could be being blocked.

Again as in my last comment, in that case shouldn't also the knownExploitedUrl throw a warning or error?...
For the avoidance of doubt I just tested it also with a local file, same behavior. `file:///home/jenkins/temp/publishedSuppressions.xml https://nexus-server/nexus/repository/binaries/XXX/XXX/XXX/owasp-v9/known_exploited_vulnerabilities/latest/known_exploited_vulnerabilities-latest.json ` `[INFO] --- dependency-check-maven:9.0.7:aggregate (default) @ vcmobile-pom --- [INFO] Found snapshot reactor...
> publishedSuppressions.xml Where is that cache located? or better how could I avoid that and that the up to date hosted suppression file will be used?
This could be closed, I've added the hostedSuppressionsForceUpdate as suggested, afterwards the warnings are gone. Thank you.
In this case how should I solve the update-only errors? such as:

```
[ERROR] Failed to process CVE-2022-42344
org.owasp.dependencycheck.analyzer.exception.UnexpectedAnalysisException: java.sql.SQLException: Invalid column type: 16
    at org.owasp.dependencycheck.data.nvdcve.CveDB.updateOrInsertVulnerability (CveDB.java:1058)
    at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability (CveDB.java:866)...
```
@jeremylong now I'm really confused, you suggested not to recreate the database https://github.com/jeremylong/DependencyCheck/issues/6116#issuecomment-1829571097