OWASP dependency-check 2.0.1 released!


Jeremy Long

Jul 9, 2017, 7:08:55 AM
to Dependency Check
The OWASP dependency-check team is pleased to announce the release of version 2.0.1! Please visit the documentation site for information on obtaining the new version (CLI, Maven Plugin, Ant Task, Gradle Plugin, Jenkins Plugin, and SBT Plugin).

Release Notes
-------------------
  • Fixed issues when used with a proxy
  • Fixed issue with .NET Assembly Analyzer
For Gradle users: when upgrading from 1.x to 2.x, the `dependencyCheck` task was renamed to `dependencyCheckAnalyze`.

Best Regards,

The OWASP dependency-check team

Arbi Sookazian

Jul 12, 2017, 2:37:20 PM
to Dependency Check
Seeing the following error with 2.0.1 on the same projects; what changes to the cmd line are required, if any? Running 'mvn dependency-check:aggregate'. Thx.

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:2.0.1:aggregate (default-cli) on project global-parent: Execution default-cli of goal org.owasp:dependency-check-maven:2.0.1:aggregate failed. NullPointerException -> [Help 1]

org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.owasp:dependency-check-maven:2.0.1:aggregate (default-cli) on project global-parent: Execution default-cli of goal org.owasp:dependency-check-maven:2.0.1:aggregate failed.
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:212)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
    at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
    at org.apache.maven.cli.MavenCli.execute(MavenCli.java:863)
    at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main(MavenCli.java:199)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.apache.maven.plugin.PluginExecutionException: Execution default-cli of goal org.owasp:dependency-check-maven:2.0.1:aggregate failed.
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:145)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:207)
    ... 20 more
Caused by: java.lang.NullPointerException
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.collectDependencies(BaseDependencyCheckMojo.java:694)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.collectDependencies(BaseDependencyCheckMojo.java:672)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.scanArtifacts(BaseDependencyCheckMojo.java:644)
    at org.owasp.dependencycheck.maven.AggregateMojo.runCheck(AggregateMojo.java:81)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute(BaseDependencyCheckMojo.java:514)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
    ... 21 more

Hans Aikema

Jul 12, 2017, 2:59:56 PM
to Arbi Sookazian, Dependency Check
The exception is caused by a bug in DependencyCheck; there is nothing you can do from the cmd line. However, you might be able to make the system-scoped dependencies in your pom resolvable (the error is in the handling of a failure by the Maven dependency resolution to resolve a system-scoped dependency).

@Jeremy I'll create a github issue for this one and will start coding a fix for it.

regards,
Hans Aikema
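To find which system-scoped dependencies Maven will fail to resolve before running the aggregate goal, here is a small pre-check (an added example, not code from this thread or from dependency-check). It assumes the failure is a systemPath that does not point at an existing file, which is the common case; it expands ${...} properties from the pom's own properties block plus basedir, and does not follow parent poms or profiles. The sample pom is constructed.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Constructed sample pom: one system-scoped jar that exists on disk, one that does not.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><lib.dir>${basedir}/lib</lib.dir></properties>
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>present</artifactId>
      <version>1.0</version><scope>system</scope><systemPath>${lib.dir}/present-1.0.jar</systemPath></dependency>
    <dependency><groupId>com.example</groupId><artifactId>missing</artifactId>
      <version>2.0</version><scope>system</scope><systemPath>${lib.dir}/missing-2.0.jar</systemPath></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version></dependency>
  </dependencies>
</project>"""

def expand(value, props):
    """Expand ${...} placeholders; properties may reference other properties, so loop."""
    for _ in range(10):
        new = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)
        if new == value:
            return new
        value = new
    return value

def unresolvable_system_deps(pom_xml, basedir):
    """Return [(groupId:artifactId, expanded systemPath)] for system-scoped deps whose file is absent."""
    root = ET.fromstring(pom_xml)
    props = {"basedir": basedir, "project.basedir": basedir}
    for p in root.findall("m:properties/*", NS):
        props[p.tag.split("}")[1]] = p.text or ""
    bad = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if dep.findtext("m:scope", default="compile", namespaces=NS) != "system":
            continue
        path = expand(dep.findtext("m:systemPath", default="", namespaces=NS), props)
        if not os.path.isfile(path):
            ga = dep.findtext("m:groupId", namespaces=NS) + ":" + dep.findtext("m:artifactId", namespaces=NS)
            bad.append((ga, path))
    return bad

def run_demo():
    """Lay out the sample project in a temp dir (only present-1.0.jar exists) and scan it."""
    basedir = tempfile.mkdtemp()
    os.makedirs(os.path.join(basedir, "lib"))
    open(os.path.join(basedir, "lib", "present-1.0.jar"), "wb").close()
    return [ga for ga, _ in unresolvable_system_deps(SAMPLE_POM, basedir)]
```

Each reported dependency is a candidate for the fix Hans describes: make it resolvable, for example by installing the jar into a repository and dropping the system scope.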

andreas...@coremedia.com

Jul 13, 2017, 8:55:09 AM
to Dependency Check
Hi Jeremy,

after updating from 1.4.5 to 2.0.1, my suppression file is ignored when I invoke the Maven goal from the command line as follows:

mvn org.owasp:dependency-check-maven:2.0.1:aggregate -DsuppressionFile=suppressions.xml ...

The report is generated, but no false positives get suppressed. This used to work with 1.4.5.
Do I have to make any changes to the command line?

Thanks,
Andreas

Jeremy Long

Jul 14, 2017, 5:56:40 AM
to andreas...@coremedia.com, Dependency Check
Please open an issue in github here so that we can better track and respond to the problems you are facing.

Thanks!

Jeremy


Piyush Mittal

Jul 24, 2017, 2:26:11 AM
to Dependency Check