Disabling FileNameAnalyzer?

Maximilian Baritz

Nov 8, 2016, 9:05:34 AM
to Dependency Check
Hello guys,
does any of you know of a way to disable the FileNameAnalyzer for
dependency-check-cli? I have not found anything, neither a CLI option
nor a properties entry.

Best Regards
Maximilian Baritz

Jeremy Long

Nov 10, 2016, 2:15:26 PM
to Maximilian Baritz, Dependency Check

I'll look at this closer tomorrow. However, why do you want to disable this? Is it generating false positives due to evidence gathered? If so, can you provide an example?

Regardless, I should likely add a disable property for each analyzer. Primary reason would be if an org wanted to modify a core analyzer and not use the built in version.

--jeremy



colezlaw

Nov 12, 2016, 8:12:27 AM
to Dependency Check
If it's generating false positives, you should look at adding a suppression for the false positives it's generating.

If you're in a pinch and really, really need to disable it, you can unzip the dependency-check-core-(version).jar, and in META-INF/services, edit org.owasp.dependencycheck.analyzer.Analyzer and remove the line with org.owasp.dependencycheck.analyzer.FileNameAnalyzer, then repackage it.
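The repackaging step described above, as an added example that is not part of this thread or of dependency-check itself: instead of unzipping and re-zipping by hand, it rewrites the java.util.ServiceLoader registry file inside the jar with Python's zipfile module and copies every other entry untouched. The sample jar it builds is constructed for the demonstration and holds only the registry file; the real jar path is taken from the command line.

```python
import io
import sys
import zipfile

# ServiceLoader registry that dependency-check reads to discover its analyzers
SERVICE_ENTRY = "META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer"
FILENAME_ANALYZER = "org.owasp.dependencycheck.analyzer.FileNameAnalyzer"


def registered_analyzers(jar_bytes):
    """List the analyzer classes registered in the jar (blank and '#' comment lines skipped)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        lines = zf.read(SERVICE_ENTRY).decode("utf-8").splitlines()
    return [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]


def drop_analyzer(jar_bytes, analyzer_class=FILENAME_ANALYZER):
    """Return a copy of the jar with analyzer_class removed from the registry file.
    Every other entry is copied as-is; a jar that lacks the class comes back unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == SERVICE_ENTRY:
                kept = [ln for ln in data.decode("utf-8").splitlines()
                        if ln.strip() != analyzer_class]
                data = ("\n".join(kept) + "\n").encode("utf-8")
            dst.writestr(info, data)
    return out.getvalue()


def build_sample_jar():
    """Constructed stand-in for dependency-check-core-(version).jar holding only the registry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SERVICE_ENTRY, "# constructed sample registry\n"
                    "org.owasp.dependencycheck.analyzer.FileNameAnalyzer\n"
                    "org.owasp.dependencycheck.analyzer.AssemblyAnalyzer\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python drop_analyzer.py dependency-check-core-<version>.jar patched.jar
    with open(sys.argv[1], "rb") as f:
        patched = drop_analyzer(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(patched)
    print("remaining analyzers:", len(registered_analyzers(patched)))
```

Point the CLI at the patched jar in place of the original; the registry check above is also a quick way to confirm which analyzers a given build will actually load.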

Jeremy Long

Nov 12, 2016, 10:51:31 AM
to colezlaw, Dependency Check
Maximilian,

This is related to an existing open issue: https://github.com/jeremylong/DependencyCheck/issues/453.

I don't believe disabling the FileNameAnalyzer would actually solve your problem in this case (well, it might - but not for the right reason). Until issue #453 is resolved this will be a continuing problem as the AssemblyAnalyzer is bringing in the DLL version of the library and the NuSpec analyzer is creating a different dependency based on the information given. However, there is currently nothing tying these two analyzers together (to create a single dependency with information from both sources).

@colezlaw - is it possible to figure out the coordinates for the DLLs based off of a hash? I.e. is there some way we could tie these together?

--Jeremy
