Skip transitive dependencies analysis in aggregate mode


Piyush Mittal

Nov 12, 2017, 7:06:09 AM
to Dependency Check
I have multiple sub-projects and I just want to scan only the dependencies directly specified in the sub-projects' POM files. So, is there any way to skip analysis of transitive dependencies in aggregate mode?

Jeremy Long

Nov 12, 2017, 8:35:09 AM
to Piyush Mittal, Dependency Check
Currently, there is no way to skip transitive dependencies. In reality, I'm not sure why you would want to as this could increase false negatives.

--Jeremy


Piyush Mittal

Nov 24, 2017, 2:31:00 AM
to Dependency Check
Sorry for the delayed response.

The idea is to first target upgrading only the direct dependencies (the ones directly mentioned in the POM).



Jeremy Long

Dec 22, 2017, 7:11:09 AM
to Dependency Check
I know of one group that has written a script to extract info from both `mvn dependency:tree` and the JSON report. But I don't believe they have posted it anywhere.

--Jeremy
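
An added example, not part of the thread and not the script mentioned above: one way to combine `mvn dependency:tree` output with the JSON report so that findings on direct dependencies can be handled first while transitive ones stay visible. It assumes a report with a top-level `dependencies` array whose entries carry `fileName` and `vulnerabilities[].name`, and that scanned files are named `artifactId-version.type`; the sample inputs and function names are constructed for illustration.

```python
import json
import re

# Constructed sample inputs (not from the thread). The CVE ids are placeholders.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0
[INFO] +- org.example:web-lib:jar:2.1:compile
[INFO] |  \- org.example:parser:jar:0.9:compile
[INFO] \- org.example:util:jar:1.4:test
"""
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "web-lib-2.1.jar", "vulnerabilities": [{"name": "CVE-PLACEHOLDER-1"}]},
    {"fileName": "parser-0.9.jar", "vulnerabilities": [{"name": "CVE-PLACEHOLDER-2"}]},
    {"fileName": "util-1.4.jar"},
]})

# "[INFO] ", then one 3-character indent group per ancestor, then "+- " or "\- ".
NODE = re.compile(r"^\[INFO\] ((?:\|  |   )*)[+\\]- (\S+)")

def parse_tree(text):
    """Yield (depth, file_name) per dependency line; depth 1 is a direct dependency."""
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # root project line, build noise, blank lines
        parts = m.group(2).split(":")
        if len(parts) not in (5, 6):
            continue  # expect group:artifact:type[:classifier]:version:scope
        classifier = "-" + parts[3] if len(parts) == 6 else ""
        # Assumption: the scanned file is named artifactId-version[-classifier].type
        yield len(m.group(1)) // 3 + 1, f"{parts[1]}-{parts[-2]}{classifier}.{parts[2]}"

def split_findings(tree_text, report_json):
    """Group vulnerable report entries into direct, transitive and unmatched."""
    depth_by_file = {}
    for depth, name in parse_tree(tree_text):
        depth_by_file[name] = min(depth, depth_by_file.get(name, depth))
    direct, transitive, unmatched = {}, {}, {}
    for dep in json.loads(report_json).get("dependencies", []):
        cves = sorted(v["name"] for v in dep.get("vulnerabilities", []))
        if not cves:
            continue
        depth = depth_by_file.get(dep["fileName"])
        # Transitive and unmatched findings are kept, not dropped, so nothing is hidden.
        bucket = unmatched if depth is None else direct if depth == 1 else transitive
        bucket[dep["fileName"]] = cves
    return direct, transitive, unmatched

if __name__ == "__main__":
    for label, found in zip(("direct", "transitive", "unmatched"),
                            split_findings(SAMPLE_TREE, SAMPLE_REPORT)):
        print(label, found)
```

Entries that land in `unmatched` are report files whose names did not map to any tree coordinate and need manual review.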