Problems parsing pom.xml


Maximilian Baritz

Aug 29, 2016, 4:24:42 AM
to dependen...@googlegroups.com
Hey folks,

I have been experimenting with DependencyCheck for a few days now. Upon scanning different Maven projects I have encountered a problem.

I am scanning a Java project with a pom.xml file in its root. The pom.xml file clearly lists dependencies; I replaced some confidential strings and pasted it over here: http://pastebin.com/BFjY72AS

Whenever I run depcheck in the project directory or on the pom.xml file, the list of detected dependencies is empty. When zipping the pom.xml into a .jar and scanning it, depcheck detects a dependency with the project information (artifactId, description, groupId, parent*, etc.), but does not detect the "nested dependencies" from the pom.xml either.

Is this behavior desired? Can anyone assist me with this problem? I thought about writing a new analyzer to handle pom.xml dependencies, but felt like this should already be included by default. Maybe I am just too dumb to find it in the source / pass the right command line options.

I would appreciate any help or tips regarding this problem.

Thanks in advance and kudos for providing such a great tool,
Maximilian Baritz

Jeremy Long

Aug 30, 2016, 6:01:39 AM
to Maximilian Baritz, dependen...@googlegroups.com
I'm guessing you are trying to scan the Maven project with the CLI instead of the Maven plugin. The CLI should be used to scan the actual resulting JAR/WAR/EAR files (i.e., what is actually being deployed), not the uncompiled project. Instead, use the dependency-check-maven plugin:

mvn org.owasp:dependency-check-maven:1.4.2:check

More information on the Maven plugin can be found here: http://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html

Best Regards,

Jeremy
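For readers who want the scan to run on every build rather than as a one-off command line, here is a pom.xml fragment wiring the plugin into the build. This is an added example, not part of the thread or the project's documentation; the version is the one cited above, and `failBuildOnCVSS`, `skipTestScope` and `format` are assumed plugin configuration parameters.

```xml
<!-- Added example (not from the thread): pom.xml fragment that binds the
     dependency-check-maven plugin's check goal into the build. Version 1.4.2
     is the one cited in the reply above; failBuildOnCVSS, skipTestScope and
     format are assumed plugin parameters. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>1.4.2</version>
      <configuration>
        <!-- Fail the build when any dependency carries a CVE with CVSS >= 7 -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Test-scoped dependencies are not deployed, so leave them out -->
        <skipTestScope>true</skipTestScope>
        <!-- HTML for people, XML for CI tooling -->
        <format>ALL</format>
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- The check goal runs during the verify phase by default -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` resolves the full dependency tree (including transitive dependencies, which the CLI cannot see from a bare pom.xml) and fails the build on findings above the threshold.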
