dependency check reports with multi level POMs


Arbi Sookazian

May 15, 2017, 1:48:48 PM
to Dependency Check
Hello,

Using 1.4.5 version of the plugin.

We are currently using the dependency-check plugin to create a .xlsx file to create an inventory of our maven dependencies and track CVEs for security purposes.  The data in the .xlsx file consists of essentially a merge of data from maven dependency:tree and dependency-check:aggregate data.  Our POM structure is a master pom with n child poms each of which have m sub-child poms.  I noticed in the generated dependency report html that there is no column which indicates which modules the specific JAR is used in (I have that column in my workbook).  Is it possible to add that info to the reports as an option to the goal or is this an enhancement request?  If this could be added and the dependency report would capture all dependencies from all POMs in our structure, I don't think I'd need this Java client to create the .xlsx file.

I am noticing that the dependency:check and dependency:aggregate are failing when I run them from the OS X bash cmd line with the 1.4.5 version and there is no specific root cause displayed in the trace.  I just ran it for two master poms (my Java client aggregates the data and writes via Apache POI to xlsx successfully).  I'm not sure how consistent/dependable this plugin is.

Also, where exactly is the data for the NVD CVE stored on a Mac?  I was not able to find documentation or github issue info to answer this.  Is it by default an H2 db and if so is it stored on disk or in memory?  The skip for last 12 hrs for update seems buggy as I did not run the goal this weekend but it did skip (which is more than 12 hrs).
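The merge described in the first post (dependency:tree output joined with the dependency-check report, with a "used in modules" column per JAR), as an added example that is not the poster's proprietary Java client. It assumes default `artifactId-version.jar` file names (no classifiers), a constructed dependency:tree text output for two modules, and a constructed, simplified stand-in for the aggregate XML report with a placeholder CVE id.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample `mvn dependency:tree` output, module name -> plugin output.
# In practice this is captured per module of the multi-level POM structure.
TREE_OUTPUT = {
    "app-web": """[INFO] com.example:app-web:war:1.0
[INFO] +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] \\- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO]    \\- commons-codec:commons-codec:jar:1.9:compile""",
    "app-batch": """[INFO] com.example:app-batch:jar:1.0
[INFO] \\- commons-collections:commons-collections:jar:3.2.1:compile""",
}

# Constructed, simplified stand-in for a dependency-check aggregate XML report:
# only the elements this script reads (fileName, vulnerability/name).
# The CVE id is a placeholder, not a real identifier.
REPORT_XML = """<analysis><dependencies>
<dependency><fileName>commons-collections-3.2.1.jar</fileName>
<vulnerabilities><vulnerability><name>CVE-0000-0001</name></vulnerability></vulnerabilities></dependency>
<dependency><fileName>httpclient-4.5.2.jar</fileName></dependency>
<dependency><fileName>commons-codec-1.9.jar</fileName></dependency>
</dependencies></analysis>"""

# groupId:artifactId:type:version:scope as printed for non-root tree lines
ARTIFACT_RE = re.compile(r"([\w.\-]+):([\w.\-]+):(\w+):([\w.\-]+):(\w+)\s*$")

def modules_per_jar(tree_output):
    """Map each jar file name to the sorted list of modules whose tree contains it."""
    usage = defaultdict(set)
    for module, text in tree_output.items():
        for line in text.splitlines():
            m = ARTIFACT_RE.search(line)
            if m:  # root lines have no scope and are skipped
                _group, artifact, _type, version, _scope = m.groups()
                usage[f"{artifact}-{version}.jar"].add(module)
    return {jar: sorted(mods) for jar, mods in usage.items()}

def cves_per_jar(report_xml):
    """Map each fileName in the dependency-check report to its CVE names (may be empty)."""
    root = ET.fromstring(report_xml)
    return {dep.findtext("fileName"): [v.findtext("name") for v in dep.iter("vulnerability")]
            for dep in root.iter("dependency")}

def inventory(tree_output, report_xml):
    """Join both sources into (jar, modules, cves) rows, one per JAR across all modules."""
    mods, cves = modules_per_jar(tree_output), cves_per_jar(report_xml)
    return [(jar, mods[jar], cves.get(jar, [])) for jar in sorted(mods)]

if __name__ == "__main__":
    for jar, used_in, vulns in inventory(TREE_OUTPUT, REPORT_XML):
        print(f"{jar:32} modules={','.join(used_in):18} CVEs={','.join(vulns) or '-'}")
```

The rows are what a spreadsheet writer (Apache POI or otherwise) would emit; a JAR present in the report but absent from every tree is a naming mismatch worth flagging rather than silently dropping.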

Piyush Mittal

May 16, 2017, 3:38:02 AM
to Dependency Check
A column to indicate which modules specify the JAR should be an enhancement request.

H2 DB Maven Location = ~/.m2/repository/org/owasp/dependency-check-data/3.0/dc.h2.db
H2 DB Gradle Location = ~/.gradle/caches/modules-2/files-2.1/org.owasp/dependency-check-utils/dependency-check-data/3.0/dc.h2.db

You can change the default location with the -DdataDirectory switch.

Can you share how you are creating the .xlsx file?

Arbi Sookazian

May 16, 2017, 12:12:29 PM
to Dependency Check
Using Apache POI to create .xlsx file.  I can't provide code details as our code is proprietary.  Sorry, thx.

Arbi Sookazian

May 16, 2017, 1:42:34 PM
to Dependency Check
Also, in 1.4.5 the reports are not sufficient for our use case.  We need to see all the Java/mvn dependencies in one place and we currently need to run my Java client aggregator program for multiple master POMs.  The report html cannot currently present all this information in one place afaik.

Bill Demas

May 16, 2017, 2:03:37 PM
to Arbi Sookazian, Dependency Check
Arbi,

We are doing something similar to you with multiple applications. We modified the html velocity template supplied with Dependency Check to output a table of all the libraries, vulnerabilities, color-coded severity and a matrix of library versions included in each application. The variables and values are available within the template to get what you want. Like yours, we cannot supply our code.

Also, you will need to check for template changes with each release of Dependency Check. Since v1.2.6, there have only been a few minor template changes.

thanks
Bill D.