Maven Kotlin Project


Jay Rod

Jan 4, 2021, 7:04:43 PM
to Dependency Check

Hello,

I have been looking for a confirmation that the dependency checker is 100% compatible with Kotlin Maven projects.
From reading the documentation, my understanding is that the analysis is based mostly on the artifact, pom.xml, and .jar files and those should have pretty much the same structure for Kotlin and Java projects?

Would anyone be able to confirm or deny this assumption?

Thank you,
Jay

John Patrick

Jan 5, 2021, 8:16:23 AM
to Jay Rod, Dependency Check
The plugin doesn't look at the jar files or the source code, it only looks at the pom files and specifically the dependencies. It checks the GAV (GroupId, ArtifactId and Version) to see if you have any matches against the known vulnerabilities databases.

So as long as security researchers are checking Kotlin Projects and putting those GAVs into the vulnerability database, you'll be covered.

You might get false negative results if someone changes a Java Project into a Kotlin 'version', either by wrapping it or re-writing it, and then breaking the GAV dependency change or giving it a new GAV.

Hope that helps...

John
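As an added example, not code from the thread or from dependency-check itself, here is a small Python script that does what John describes: it reads the GAV coordinates out of a constructed Kotlin project's pom.xml, resolves `${...}` properties, and matches the triples against a constructed advisory list with placeholder ids. The third dependency stands in for a library re-wrapped under a new GAV and shows the false negative John warns about.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml for a Kotlin Maven project (not a real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>kotlin-app</artifactId><version>1.0.0</version>
  <properties>
    <kotlin.version>1.4.21</kotlin.version>
    <legacy.version>1.0.0</legacy.version>
  </properties>
  <dependencies>
    <dependency><groupId>org.jetbrains.kotlin</groupId>
      <artifactId>kotlin-stdlib</artifactId><version>${kotlin.version}</version></dependency>
    <dependency><groupId>com.example</groupId>
      <artifactId>legacy-lib</artifactId><version>${legacy.version}</version></dependency>
    <dependency><groupId>com.example</groupId>
      <artifactId>legacy-lib-kt</artifactId><version>${legacy.version}</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory list keyed by GAV; the id is a placeholder, not a real CVE.
KNOWN_VULNERABLE = {("com.example", "legacy-lib", "1.0.0"): "ADVISORY-PLACEHOLDER-1"}


def resolve(value, props):
    """Expand ${name} references using the pom's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value.strip())


def extract_gavs(pom_xml):
    """Return (groupId, artifactId, version) triples for every <dependency>."""
    root = ET.fromstring(pom_xml)
    props = {}
    properties = root.find("m:properties", NS)
    if properties is not None:
        for child in properties:  # tags carry the POM namespace; strip it
            props[child.tag.split("}")[-1]] = (child.text or "").strip()
    gavs = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        fields = [dep.findtext(f"m:{t}", default="", namespaces=NS)
                  for t in ("groupId", "artifactId", "version")]
        gavs.append(tuple(resolve(f, props) for f in fields))
    return gavs


def find_matches(gavs, db):
    """Flag only exact GAV matches: a re-wrapped artifact with a new GAV is missed."""
    return {gav: db[gav] for gav in gavs if gav in db}
```

Running `find_matches(extract_gavs(SAMPLE_POM), KNOWN_VULNERABLE)` flags `legacy-lib` but not `legacy-lib-kt`, even though the constructed scenario treats them as the same code.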

Jay Rod

Jan 5, 2021, 12:23:21 PM
to Dependency Check
Thank you for your reply, John!
It definitely helps!

I read here that the checker also scans the package names within the JAR files and I was wondering if those files could have any difference depending on whether it is a Java or Kotlin project. I suspect the answer is "no", but it would be great if you or someone else could confirm that as well?

Thanks again,

Jay
