Maven plugin issue when POM path contains symlink


Piyush Mittal

May 2, 2017, 10:44:08 AM
to Dependency Check
I am using the ODC Maven plugin 1.4.5 from a Jenkins job. Note that I am not using the ODC Jenkins plugin; I am using the Maven plugin via the Execute shell feature of Jenkins.

mvn -B -f <path to pom> -gs <path to maven global settings file> org.owasp:dependency-check-maven:1.4.5:aggregate -Dformat=ALL -DcveValidForHours=24 -DassemblyAnalyzerEnabled=false -DarchiveAnalyzerEnabled=false

The above command fails if I use a POM path with a symlink and works if I use the path without the symlink.

I tried removing the local .m2 cache and using another host, without any success.

I ran the tool in debug mode, and the following diff was observed for the actual path vs. the symlink path (right side).


After the above error, in the case of the symlink path, not all sub-modules were detected and the JAR Analyzer was skipped, which leads to blank reports.
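A check for the situation described in this post, added here as an example that is not part of the thread and not code from dependency-check or Maven: it canonicalises the POM path with `readlink -f` before the path is passed to `mvn -f`, and can tell whether a given path still goes through a symlink. It assumes a POSIX shell on Linux with GNU coreutils `readlink -f`; the function names are illustrative, and the `mvn` command line is the one from the post.

```shell
#!/bin/sh
# Added example (not from the thread, dependency-check or Maven): canonicalise
# the POM path before handing it to `mvn -f`, so Maven sees the real path
# rather than one that goes through a symlink.
# Assumes GNU coreutils `readlink -f` (Linux); `realpath` is an alternative.

# Print the symlink-free absolute path of a POM file; fail if it is not a file.
resolve_pom_path() {
    pom="$1"
    [ -f "$pom" ] || { echo "resolve_pom_path: not a file: $pom" >&2; return 1; }
    readlink -f -- "$pom"
}

# Succeed (exit 0) when any component of the given path is a symlink.
# The logical absolute path (cd + pwd -L keeps symlinks) is compared with
# the physical one from readlink -f; they differ only if a symlink is involved.
path_has_symlink() {
    dir="$(cd "$(dirname -- "$1")" 2>/dev/null && pwd -L)" || return 2
    logical="$dir/$(basename -- "$1")"
    physical="$(readlink -f -- "$1")"
    [ "$logical" != "$physical" ]
}

# Wrapper around the command from the post: resolve the path first, warn when
# the caller-supplied path went through a symlink, then run dependency-check
# on the canonical path. (Assumed layout; the real Jenkins job may differ.)
run_dependency_check() {
    pom="$(resolve_pom_path "$1")" || return 1
    if path_has_symlink "$1"; then
        echo "note: '$1' goes through a symlink; using '$pom' instead" >&2
    fi
    mvn -B -f "$pom" \
        org.owasp:dependency-check-maven:1.4.5:aggregate \
        -Dformat=ALL -DcveValidForHours=24 \
        -DassemblyAnalyzerEnabled=false -DarchiveAnalyzerEnabled=false
}
```

`run_dependency_check /path/via/symlink/pom.xml` invokes Maven with the resolved path. Whether that alone works around the skipped JAR Analyzer is not confirmed anywhere in this thread; the wrapper only removes the symlink as a variable so that the two runs can be compared on equal footing.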
 

Jeremy Long

May 3, 2017, 6:39:18 AM
to Piyush Mittal, Dependency Check
The "Dependency collection stats" that you showed in the log is not from OWASP dependency-check; rather I believe that is from the dependency plugin (i.e. core maven).  What is the error message? Any chance you can run the symbolic link version with `-X` and provide just the part of the log from dependency-check?

--Jeremy


Piyush Mittal

May 17, 2017, 4:50:07 AM
to Dependency Check, piyus...@gmail.com
Apologies for the late reply. I have redacted sensitive data and attached the -X output. Basically, in the configuration the JAR scanner is enabled, but when it reaches the actual scanning the JAR scanner is skipped and hence no vulnerability was discovered in the scan.
jar_scanner_issue.txt