No Matches found when running Report


Curtis F

Jan 5, 2016, 7:03:37 PM1/5/16
to Black Duck Vulnerability Report
Running with our Gradle builds, the Jenkins plugin reports all of the OSS jars as "unknown".   The log shows "No Matches Found".  What is the plugin matching against?  Is it a "group" problem?

[INFO] Dependency{ group: com.fngn.jars, artifact: commons-fileupload-1.3, version: 1.0}
 ** No Match Found
[INFO] Dependency{ group: com.fngn.jars, artifact: freemarker-2.3.19, version: 1.0}
 ** No Match Found
[INFO] Dependency{ group: com.fngn.jars, artifact: spring-tx-3.2.11.RELEASE, version: 1.0}
 ** No Match Found
[INFO] Dependency{ group: com.fngn.jars, artifact: salesforce-enterprise, version: 1.0}
 ** No Match Found
[INFO] Dependency{ group: com.fngn.jars, artifact: spring-core-3.2.11.RELEASE, version: 1.0}
 ** No Match Found


Kaj Kandler

Jan 5, 2016, 8:21:59 PM1/5/16
to Black Duck Vulnerability Report
Curtis,
these are unusual Group/Artifact/Version IDs. You are right to suspect we are not matching those because of the group. How come you resolve them as such?

For example the group for
* fileupload is commons-fileupload - http://mvnrepository.com/artifact/commons-fileupload/commons-fileupload/1.3
* freemarker is org.freemarker - http://mvnrepository.com/artifact/org.freemarker/freemarker/2.3.19
* spring-tx and spring-core is org.springframework - http://mvnrepository.com/artifact/org.springframework/spring-tx/3.2.11.RELEASE

Also odd is that the artifacts include some sort of version, i.e. 3.2.11-RELEASE, but the version is declared as 1.0 for all of them.

Could you share a snippet of your Gradle dependency declaration? Maybe we interpret something oddly.

Kaj
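As an added example (not code from the thread or from the plugin), the check below parses plugin log lines in the format quoted above, pairs each Dependency{...} entry with the "No Match Found" marker that follows it, and flags entries whose artifact id carries an embedded version while the declared version is a placeholder, which is the pattern Kaj points out. The sample log and the placeholder-version list are constructed assumptions.

```python
import re

# Constructed sample in the format of the plugin log quoted in the thread:
# three repackaged jars with placeholder coordinates and one properly resolved one.
SAMPLE_LOG = """\
[INFO] Dependency{ group: com.fngn.jars, artifact: commons-fileupload-1.3, version: 1.0}
 ** No Match Found
[INFO] Dependency{ group: com.fngn.jars, artifact: spring-tx-3.2.11.RELEASE, version: 1.0}
 ** No Match Found
[INFO] Dependency{ group: com.fngn.jars, artifact: salesforce-enterprise, version: 1.0}
 ** No Match Found
[INFO] Dependency{ group: org.springframework, artifact: spring-core, version: 3.2.11.RELEASE}
"""

DEP_RE = re.compile(r"Dependency\{\s*group:\s*([^,]+),\s*artifact:\s*([^,]+),\s*version:\s*([^}]+)\}")
# Artifact ids whose tail looks like a version, e.g. "spring-tx-3.2.11.RELEASE".
EMBEDDED_VERSION_RE = re.compile(
    r"^(?P<base>.+?)-(?P<ver>\d+(?:\.\d+)*(?:[.-][A-Za-z0-9]+)*)$")
# Assumed placeholder versions that are almost certainly not a real release.
PLACEHOLDER_VERSIONS = {"1.0", "1", "0", "unspecified"}


def parse_log(text):
    """Return one dict per Dependency line, with a reason why it was (not) matched."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = DEP_RE.search(line)
        if not m:
            continue
        group, artifact, version = (s.strip() for s in m.groups())
        # The plugin prints the marker on the line right after the dependency.
        matched = not (i + 1 < len(lines) and "No Match Found" in lines[i + 1])
        emb = EMBEDDED_VERSION_RE.match(artifact)
        if matched:
            reason = "matched"
        elif emb and version in PLACEHOLDER_VERSIONS:
            reason = "version embedded in artifact id, declared version is a placeholder"
        elif version in PLACEHOLDER_VERSIONS:
            reason = "placeholder version, probably not real Maven coordinates"
        else:
            reason = "unknown to knowledgebase"
        findings.append({
            "group": group, "artifact": artifact, "version": version, "matched": matched,
            "base_artifact": emb.group("base") if emb else artifact,
            "embedded_version": emb.group("ver") if emb else None,
            "reason": reason,
        })
    return findings
```

Entries whose reason starts with "version embedded" or "placeholder version" are candidates for fixing the Gradle declaration (real group id and version) before treating them as genuinely unknown components.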

Curtis F

Jan 5, 2016, 8:31:29 PM1/5/16
to Black Duck Vulnerability Report
Does Black Duck use fingerprints/hashes to identify the jars?

Kaj Kandler

Jan 5, 2016, 8:39:12 PM1/5/16
to Black Duck Vulnerability Report
Curtis,
This free plugin uses the Maven GAV as the ID for a jar. We do not touch the jars here, to be super efficient. Maven/Gradle tells us it resolves an artifact with a particular GAV and we look it up in our knowledgebase.

Kind regards,

Kaj
P.S.: Our commercial products can do more sophisticated identification of files and jars though, involving techniques similar to fingerprints and hashes.

Curtis F

Jan 5, 2016, 8:44:49 PM1/5/16
to Black Duck Vulnerability Report
Thanks for the reply.  I am going to look at evaluating your Hub and Artifactory plugin options.