Dependency check in fat jars


Bernd Schönbach

Jan 26, 2017, 4:09:27 AM
to Dependency Check
Hi,

I tried to set up the dependency check plugin on our Jenkins server. This seems to be running, but when checking our jar files it seems that the check only sees the jars we create and does not check the dependencies referenced within the jar.

We create a fat jar and it seems that the dependency check is not able to see all the dependencies used there.

Is there any way to read the dependencies in such a scenario and have a decent dependency check?

Thanks
Bernd

Jeremy Long

Jan 27, 2017, 6:47:25 AM
to Bernd Schönbach, Dependency Check
Unfortunately, most fat-jars do not contain enough information to identify the contained dependencies. Maven-shade-plugin is one of the exceptions in that it will embed a pom file for each dependency by default.

The best option for dependency-check analysis is direct integration into the build (i.e. using the maven or gradle plugin). Have it analyze the dependencies that are defined in the build and are being combined into the fat jar.

--Jeremy

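As an added illustration of the point in the reply above (this is example code, not code from the thread or from the dependency-check project): the only thing an analyzer can recover from a fat jar is metadata the packaging step chose to keep. maven-shade-plugin keeps each dependency's `META-INF/maven/<groupId>/<artifactId>/pom.properties`, so the script below walks a jar for those entries, parses the coordinates, and separately counts `.class` files outside the application's own package. A jar that has bundled third-party classes but no coordinates is flagged as opaque, which is the situation Bernd describes. The sample jars are constructed in memory; the coordinates and package names in them are illustrative, and `com/example/app/` as the "own package" prefix is an assumption.

```python
"""Inventory the dependency coordinates a fat jar actually exposes.

Added example (not from the thread or the dependency-check project).
Assumption: a shaded jar carries META-INF/maven/<groupId>/<artifactId>/pom.properties
for each bundled dependency, as maven-shade-plugin does by default. A fat jar built
by a tool that drops this metadata yields nothing to identify.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List

META_PREFIX = "META-INF/maven/"


@dataclass(frozen=True)
class Coordinate:
    group_id: str
    artifact_id: str
    version: str

    def __str__(self) -> str:
        return f"{self.group_id}:{self.artifact_id}:{self.version}"


def _parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value or key:value, '#' comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        sep = "=" if "=" in line else ":" if ":" in line else None
        if sep is None:
            continue
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def embedded_coordinates(jar_bytes: bytes) -> List[Coordinate]:
    """Return every Maven coordinate recorded in META-INF/maven/*/*/pom.properties."""
    coords = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith(META_PREFIX) and name.endswith("/pom.properties")):
                continue
            props = _parse_properties(zf.read(name).decode("utf-8", "replace"))
            try:
                coords.add(Coordinate(props["groupId"], props["artifactId"], props["version"]))
            except KeyError:
                continue  # incomplete metadata: skip rather than guess a coordinate
    return sorted(coords, key=str)


def foreign_class_count(jar_bytes: bytes, own_package_prefix: str) -> int:
    """Count .class entries that are not under the application's own package."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sum(
            1 for name in zf.namelist()
            if name.endswith(".class") and not name.startswith(own_package_prefix)
        )


def audit_fat_jar(jar_bytes: bytes, own_package_prefix: str) -> Dict[str, object]:
    """Summarize what an analyzer could identify; 'opaque' means bundled classes with no metadata."""
    coords = embedded_coordinates(jar_bytes)
    foreign = foreign_class_count(jar_bytes, own_package_prefix)
    return {
        "coordinates": [str(c) for c in coords],
        "foreign_classes": foreign,
        "opaque": foreign > 0 and not coords,
    }


def build_sample_jar(with_shade_metadata: bool) -> bytes:
    """Constructed sample fat jar (illustrative contents, not a real build artifact)."""
    stub_class = b"\xca\xfe\xba\xbe"  # class-file magic only; enough for the inventory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/app/Main.class", stub_class)
        zf.writestr("org/apache/commons/io/IOUtils.class", stub_class)
        zf.writestr("com/fasterxml/jackson/databind/ObjectMapper.class", stub_class)
        if with_shade_metadata:
            zf.writestr("META-INF/maven/commons-io/commons-io/pom.properties",
                        "#Generated by Maven\nversion=2.4\ngroupId=commons-io\nartifactId=commons-io\n")
            zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                        "version=2.6.3\ngroupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, keep in (("shaded jar", True), ("fat jar without metadata", False)):
        print(label, audit_fat_jar(build_sample_jar(keep), "com/example/app/"))
```

Run it against a real artifact by reading the jar from disk and passing its bytes to `audit_fat_jar` with your application's package prefix. An `opaque` result is the signal to take the advice in the reply: point the maven or gradle plugin at the build itself, where the dependency list still exists, instead of at the assembled jar.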
