ant database not getting populated

Cam Morris

Apr 28, 2014, 2:40:20 PM
to dependen...@googlegroups.com
When running the ant task (version 1.2 and 1.1.4) I get this error:

dependency-check:
[dependencycheck] Apr 28, 2014 11:35:59 AM org.owasp.dependencycheck.Engine analyzeDependencies
[dependencycheck] SEVERE: No documents exist
[dependencycheck] 
[dependencycheck] Unable to continue dependency-check analysis.


Looking through the code I'm thinking the database must be empty.  So I ran the command-line version against the same test project (it just has a few jars that I know have some findings against them).

It works great, as expected.  So I copy over the database from the CLI into the ant project into "dependency-check-data" and it gets farther but still doesn't show anything in the report.

So stepping through the code, I see lots of analysis phases but no analyzers, on line 337 of Engine.java.   


Here is my build.xml:
<project name="MyProject" default="dependency-check" basedir=".">
  <description>
    simple example build file
  </description>

  <!--<taskdef file="taskdefs.properties" classpath="/home/cmorris/.gradle/caches/modules-2/files-2.1/org.owasp/dependency-check-ant/1.2.0/838ed22d9bbbf236ad2a252e60258c3a14a3836a/dependency-check-ant-1.2.0.jar" />-->
  <taskdef file="taskdefs.properties" classpath="dependency-check-ant-1.2.0.jar" />
  <target name="dependency-check" description="Dependency-Check Analysis">
    <dependencycheck applicationname="test"
                      reportoutputdirectory="${basedir}/reports/"
                      autoupdate="true"
                      reportformat="ALL">
      <fileset dir="test">
        <include name="**/*.jar"/>
      </fileset>
    </dependencycheck>
  </target>

</project>

Steve Springett

Apr 28, 2014, 2:55:30 PM
to dependen...@googlegroups.com
The Java ServiceLoader can be fragile at times. Have you tried:

<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask">
    <classpath>
        <pathelement location="path/to/dependency-check-ant-1.2.0.jar"/>
    </classpath>
</taskdef>



Cam Morris

Apr 28, 2014, 2:59:57 PM
to dependen...@googlegroups.com
For kicks I tried manually setting the analyzers:
<dependencycheck applicationname="test"
                      reportoutputdirectory="${basedir}/reports/"
                      autoupdate="true"
                      archiveAnalyzerEnabled="true"
                      nuspecAnalyzerEnabled="false"
                      jaranalyzerenabled="true"
                      assemblyAnalyzerEnabled="false"
                      reportformat="ALL">

But I'm getting the same results.  

Steve Springett

Apr 28, 2014, 3:25:47 PM
to dependen...@googlegroups.com
Depending on the environment, you may have to specify the classpath to the jar in a shell script that calls Ant.  I think I ran into this one time.


Cam Morris

Apr 28, 2014, 5:06:32 PM
to dependen...@googlegroups.com
Setting the classpath from the shell that calls ant made it work.  Not ideal, but it is a workaround.  I was hoping to get gradle to call this so that I would pull down the library as needed.  I'll play around to see if I can set a classpath dynamically.

Cam Morris

Apr 29, 2014, 4:47:21 PM
to dependen...@googlegroups.com
I fiddled with the classpath parameter to the engine constructor.  Instead of the default classpath derived from the current thread, I passed in a classpath derived from the task.  With that change I'm able to invoke the ant task without setting the classpath outside of ant.  I haven't checked it yet.  I haven't been able to get the ant invocation running in gradle yet.
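
[Added example, not part of the post above and not dependency-check code.] The behaviour discussed in this thread in isolation: the one-argument ServiceLoader.load resolves providers through the current thread's context class loader, so providers registered only on another loader are not found unless that loader is passed explicitly. The Analyzer interface, the JarAnalyzer class and the temporary directory (standing in for a jar visible only to the Ant task's class loader) are hypothetical.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ServiceLoader;

public class ServiceLoaderClasspathDemo {
    // Hypothetical service interface standing in for a scanner's analyzer plug-in type.
    public interface Analyzer { String name(); }

    // Hypothetical provider; it is registered only in the constructed directory below.
    public static class JarAnalyzer implements Analyzer {
        public JarAnalyzer() { }
        public String name() { return "jar-analyzer"; }
    }

    // Counts the providers a given ServiceLoader can actually instantiate.
    static int count(ServiceLoader<Analyzer> loader) {
        int n = 0;
        for (Analyzer a : loader) { n++; }
        return n;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a directory holding only the provider registration file,
        // playing the role of a jar that only the task's class loader can see.
        Path root = Files.createTempDirectory("task-classpath");
        Path services = Files.createDirectories(root.resolve("META-INF/services"));
        Files.write(services.resolve(Analyzer.class.getName()),
                    JarAnalyzer.class.getName().getBytes(StandardCharsets.UTF_8));

        ClassLoader threadLoader = Thread.currentThread().getContextClassLoader();
        try (URLClassLoader taskLoader =
                 new URLClassLoader(new URL[] { root.toUri().toURL() }, threadLoader)) {
            // One-argument form: looks up providers via the thread context class loader.
            int viaThread = count(ServiceLoader.load(Analyzer.class));
            // Two-argument form: looks up providers via the loader holding the registration.
            int viaTask = count(ServiceLoader.load(Analyzer.class, taskLoader));

            System.out.println("thread context loader: " + viaThread + " analyzer(s)");
            System.out.println("task loader:           " + viaTask + " analyzer(s)");
            // A scan with zero analyzers produces an empty report, so fail instead.
            if (viaTask == 0) throw new IllegalStateException("no analyzers loaded");
        }
    }
}
```

The final check matters for any plug-in based scanner: a run that loads no analyzers should fail the build rather than emit a report with no findings.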

Jeremy Long

Apr 29, 2014, 7:27:30 PM
to Cam Morris, dependen...@googlegroups.com

I will follow up on this soon, but I think I've come up with a solution to the problem. But I need time to code the patch and I'll need help testing it, as I haven't been able to replicate the issue.  I should have an updated snapshot by this weekend.

Jeremy
