Documentation for related dependencies


Vít Šesták

Mar 6, 2018, 8:39:01 AM3/6/18
to Dependency Check
Hello,
I'd like to ask about related dependencies. There seems to be no documentation for that. In the past, it seemed to group some dependencies (e.g., tomcat-coyote) with other parts of the same package (e.g., another Tomcat-related library), which used to be a bit imperfect. Now, I see only bundling of libraries with the same hash (but I haven't checked it deeply). Is there any documentation of the behavior and the ideas behind it?
Regards,
Vít Šesták 'v6ak'

Jeremy Long

Mar 9, 2018, 6:51:28 AM3/9/18
to Vít Šesták, Dependency Check
You are correct in that this has not really been documented well (or at all). The tool tries to bundle related dependencies together, so that if you had 15 spring-* libraries with the same CPE identified, it would only put a single row in the report and include all of the related dependencies.

A high-level summary of the logic: if the dependencies have the same CPE and appear to be the same (based on the name of the dependency), then it tries to determine the "core" library and makes everything else a related dependency.

--Jeremy
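A stand-alone model of the grouping Jeremy describes, added here as illustration and not Dependency-Check's own code: byte-identical files (same hash, the behaviour Vít observed) collapse first, then dependencies that share a CPE set and a name family fold into one report row under a "core" library. The version-stripping regex, the "shared leading token" notion of names appearing the same, the shortest-name core heuristic and the sample jars are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Dependency:
    file_name: str                      # e.g. "spring-web-5.0.4.RELEASE.jar"
    sha1: str                           # file hash (constructed values below)
    cpes: frozenset                     # CPE identifiers the analyzers assigned
    related: list = field(default_factory=list)

def base_name(file_name):
    """'spring-web-5.0.4.RELEASE.jar' -> 'spring-web': drop extension and version (assumed rule)."""
    return re.sub(r"-\d.*$", "", re.sub(r"\.(jar|war|zip)$", "", file_name))

def bundle(deps):
    # Step 1: byte-identical files (same hash) collapse into one dependency.
    by_hash = {}
    for d in deps:
        if d.sha1 in by_hash:
            by_hash[d.sha1].related.append(d)
        else:
            by_hash[d.sha1] = d
    # Step 2 (assumed model): same CPE set + same name family (leading token, e.g. "spring") -> one row.
    report, groups = [], defaultdict(list)
    for d in by_hash.values():
        if d.cpes:
            groups[(d.cpes, base_name(d.file_name).split("-")[0])].append(d)
        else:
            report.append(d)            # nothing identified, so nothing to merge on
    for members in groups.values():
        # Assumed core heuristic: shortest base name wins, ties broken alphabetically.
        members.sort(key=lambda d: (len(base_name(d.file_name)), base_name(d.file_name)))
        members[0].related.extend(members[1:])
        report.append(members[0])
    return sorted(report, key=lambda d: d.file_name)

def sample_dependencies():
    """Constructed scan input: a Spring app with a duplicated jar and embedded Tomcat."""
    spring = frozenset({"cpe:/a:pivotal_software:spring_framework:5.0.4"})
    tomcat = frozenset({"cpe:/a:apache:tomcat:8.5.28"})
    return [
        Dependency("spring-core-5.0.4.RELEASE.jar", "a1", spring),
        Dependency("spring-core-5.0.4.RELEASE.jar", "a1", spring),  # second copy, same hash
        Dependency("spring-beans-5.0.4.RELEASE.jar", "a2", spring),
        Dependency("spring-context-5.0.4.RELEASE.jar", "a3", spring),
        Dependency("tomcat-coyote-8.5.28.jar", "b1", tomcat),
        Dependency("tomcat-embed-core-8.5.28.jar", "b2", tomcat),
        Dependency("guava-24.0-jre.jar", "c1", frozenset()),
    ]
```

Running `bundle(sample_dependencies())` yields three rows: guava on its own (no CPE, so never merged), spring-core carrying its duplicate copy plus spring-beans and spring-context, and tomcat-coyote carrying tomcat-embed-core.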
