Hey folks,
I have been experimenting with DependencyCheck for a few days now. Upon
scanning different Maven projects I have encountered a problem.
I am scanning a Java project with a pom.xml file in its root. The
pom.xml file clearly lists dependencies; I replaced some confidential
strings and pasted it here:
http://pastebin.com/BFjY72AS
Whenever I run depcheck in the project directory/on the pom.xml file,
the list of detected dependencies is empty.
When zipping the pom.xml into a .jar and scanning it, depcheck detects a
dependency with the project information (artifactid, description,
groupid, parent*, etc.), but does not detect the "nested dependencies"
from the pom.xml either.
Is this behavior desired? Can anyone assist me on this problem? I
thought about writing a new analyzer to handle pom.xml dependencies, but
felt like this should already be included by default. Maybe I am just
too dumb to find it in the source / pass the right command line options.
I would appreciate any help or tips regarding this problem.
Thanks in advance and kudos for providing such a great tool,
Maximilian Baritz