DependencyCheck

spring-context-support is sometimes not grouped with other springframework libraries

Open MichaelVetter opened this issue 3 years ago • 2 comments

In the HTML report the library spring-context-support is sometimes not grouped with other springframework libraries but listed as a separate entry with the same vulnerability. This usually happens every second build. In the other builds it is listed under "Related Dependencies" of other springframework libraries.

pkg:maven/org.springframework/[email protected]

The problem occurs using version 5.3.2 of the maven plugin.

In the maven log I do not see anything related to that problem.

Maybe it is a similar problem to #917.

MichaelVetter avatar Sep 22 '20 14:09 MichaelVetter

Any chance you have an example pom.xml or build.gradle?

jeremylong avatar Sep 25 '20 09:09 jeremylong

We run the check on a war file, here is the maven configuration:

<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>${dependency-check-maven.version}</version>
  <executions>
    <execution>
      <id>check</id>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <!-- report formats written to outputDirectory -->
    <formats>HTML,XML,JUNIT,JSON</formats>
    <prettyPrint>false</prettyPrint>
    <outputDirectory>${project.build.directory}/owasp</outputDirectory>
    <dataDirectory>${data.owasp.home}</dataDirectory>
    <!-- analyzer selection -->
    <nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>
    <opensslAnalyzerEnabled>false</opensslAnalyzerEnabled>
    <ossindexAnalyzerEnabled>true</ossindexAnalyzerEnabled>
    <centralAnalyzerEnabled>true</centralAnalyzerEnabled>
    <nexusAnalyzerEnabled>false</nexusAnalyzerEnabled>
    <enableExperimental>false</enableExperimental>
    <autoUpdate>true</autoUpdate>
    <failOnError>false</failOnError>
    <!-- project dependencies are skipped; only the scanSet artifacts below are analyzed -->
    <skipDependencyManagement>true</skipDependencyManagement>
    <skipProvidedScope>true</skipProvidedScope>
    <skipSystemScope>true</skipSystemScope>
    <skipRuntimeScope>true</skipRuntimeScope>
    <suppressionFiles>
      <suppressionFile>src/build/dependency-suppression.xml</suppressionFile>
    </suppressionFiles>
    <mavenSettings>
      <proxy>
        <host>${owasp.maven.proxy.host}</host>
        <port>${owasp.maven.proxy.port}</port>
      </proxy>
    </mavenSettings>
    <!-- scan the packaged ear/war files instead of the module's own dependency tree -->
    <scanSet>
      <FileSet>
        <directory>../mydir</directory>
        <includes>
          <include>**/*.ear</include>
          <include>**/*.war</include>
        </includes>
      </FileSet>
    </scanSet>
  </configuration>
</plugin>

MichaelVetter avatar Sep 25 '20 10:09 MichaelVetter
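Since the configuration above also writes a JSON report, the grouping described in the issue can be checked mechanically rather than by eyeballing the HTML. The script below is an added example, not code from the issue or from DependencyCheck itself: it loads a report, tells whether a given package URL is listed as its own entry or only under another dependency's "relatedDependencies", and lists vulnerabilities the standalone entry duplicates from the rest of the same library family. The two embedded reports are constructed to mimic the two build outcomes; the field names (`dependencies[].packages[].id`, `relatedDependencies[].packageIds[].id`, `vulnerabilities[].name`) are an assumption about the JSON report layout, and the versions and the vulnerability name are placeholders.

```python
"""Classify how a package appears in a dependency-check JSON report.

Added example; the report layout below is an assumption, and versions and
the vulnerability name "EXAMPLE-CVE-1" are placeholders, not real data.
"""
import json

# Constructed sample: the "good" build, spring-context-support grouped under spring-core.
GROUPED_BUILD = json.dumps({"dependencies": [
    {"fileName": "spring-core-5.0.0.jar",
     "packages": [{"id": "pkg:maven/org.springframework/spring-core@5.0.0"}],
     "relatedDependencies": [
         {"fileName": "spring-context-support-5.0.0.jar",
          "packageIds": [{"id": "pkg:maven/org.springframework/spring-context-support@5.0.0"}]},
         {"fileName": "spring-beans-5.0.0.jar",
          "packageIds": [{"id": "pkg:maven/org.springframework/spring-beans@5.0.0"}]}],
     "vulnerabilities": [{"name": "EXAMPLE-CVE-1", "severity": "HIGH"}]},
]})

# Constructed sample: the "every second build" outcome, same library listed on its own
# with the same vulnerability repeated.
SEPARATE_BUILD = json.dumps({"dependencies": [
    {"fileName": "spring-core-5.0.0.jar",
     "packages": [{"id": "pkg:maven/org.springframework/spring-core@5.0.0"}],
     "relatedDependencies": [
         {"fileName": "spring-beans-5.0.0.jar",
          "packageIds": [{"id": "pkg:maven/org.springframework/spring-beans@5.0.0"}]}],
     "vulnerabilities": [{"name": "EXAMPLE-CVE-1", "severity": "HIGH"}]},
    {"fileName": "spring-context-support-5.0.0.jar",
     "packages": [{"id": "pkg:maven/org.springframework/spring-context-support@5.0.0"}],
     "relatedDependencies": [],
     "vulnerabilities": [{"name": "EXAMPLE-CVE-1", "severity": "HIGH"}]},
]})


def _ids(pkg_list):
    """Set of package-URL strings from a list of {"id": ...} objects."""
    return {p.get("id", "") for p in pkg_list}


def locate_package(report, purl_prefix):
    """Find every place purl_prefix occurs.

    Returns (standalone, grouped_under): standalone entries as (fileName, vulns),
    and parents under whose relatedDependencies the package sits, as (fileName, vulns).
    """
    standalone, grouped_under = [], []
    for dep in report.get("dependencies", []):
        vulns = sorted(v["name"] for v in dep.get("vulnerabilities", []))
        if any(i.startswith(purl_prefix) for i in _ids(dep.get("packages", []))):
            standalone.append((dep["fileName"], vulns))
        for rel in dep.get("relatedDependencies", []):
            if any(i.startswith(purl_prefix) for i in _ids(rel.get("packageIds", []))):
                grouped_under.append((dep["fileName"], vulns))
    return standalone, grouped_under


def grouping_status(report_json, purl_prefix):
    """Return 'grouped', 'separate', 'both' or 'absent' for the package, plus the
    vulnerabilities its standalone entry shares with other entries of the same
    group/namespace (the duplicated findings the issue describes)."""
    report = json.loads(report_json)
    standalone, grouped_under = locate_package(report, purl_prefix)
    if standalone and grouped_under:
        status = "both"
    elif standalone:
        status = "separate"
    elif grouped_under:
        status = "grouped"
    else:
        status = "absent"
    own = {v for _, vs in standalone for v in vs}
    # Same Maven group: "pkg:maven/org.springframework/<artifact>@..." -> "pkg:maven/org.springframework/"
    family_prefix = purl_prefix.rsplit("/", 1)[0] + "/"
    others = set()
    for dep in report.get("dependencies", []):
        ids = _ids(dep.get("packages", []))
        if any(i.startswith(purl_prefix) for i in ids):
            continue  # that is the package itself, not a sibling
        if any(i.startswith(family_prefix) for i in ids):
            others.update(v["name"] for v in dep.get("vulnerabilities", []))
    return {"status": status,
            "standalone": [f for f, _ in standalone],
            "grouped_under": [f for f, _ in grouped_under],
            "duplicated_vulns": sorted(own & others)}


if __name__ == "__main__":
    PREFIX = "pkg:maven/org.springframework/spring-context-support@"
    for label, rep in (("build A", GROUPED_BUILD), ("build B", SEPARATE_BUILD)):
        print(label, grouping_status(rep, PREFIX))
```

Running it over the JSON report of two consecutive builds (replace the constructed samples with `json.load(open("target/owasp/dependency-check-report.json"))` contents) makes the flip between "grouped" and "separate" visible in CI logs, and the `duplicated_vulns` list shows which findings are being counted twice when the library is split out.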