dependency check could not analyze pom.xml for java #1270
The DependencyCheck Maven plugin analyzes poms. https://jeremylong.github.io/DependencyCheck/dependency-check-maven/
Thank You Steve.

I think it's quite hard to understand the example. Do you have any full documentation to explain it? It could be great, like build process, maven through directory scanning example, any options in cli to provide only pom.xml to scan?

On Thu, May 10, 2018 at 10:31 AM, Steve Springett wrote:
> The DependencyCheck Maven plugin analyzes poms.
> https://jeremylong.github.io/DependencyCheck/dependency-check-maven/
The CLI doesn't understand poms, which is why we recommend using the maven plugin for maven builds. In its simplest form, the plugin can be executed from the command line similar to other maven plugins.
If you want to customize the execution or automate it as part of the build, the examples and the configuration link provide all necessary info.
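As an added example (not from this thread or the project's own documentation) of the "simplest form" described above: a pom.xml plugin entry that binds the plugin's check goal into the build and fails it on high-severity findings. The version property is a placeholder to be filled in from the plugin's releases; the CVSS threshold is an assumed policy value.

```xml
<!-- Added example, not part of the original issue thread. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- Placeholder: set this property to a released plugin version -->
      <version>${dependency-check.version}</version>
      <configuration>
        <!-- Assumed policy: fail the build when any dependency has a CVSS score of 7 or higher -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- check analyzes the resolved dependency tree, including transitive
                 dependencies the pom never names directly -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` runs the analysis as part of the normal build; for a one-off run without editing the pom, `mvn org.owasp:dependency-check-maven:check` invokes the same goal from the command line.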
I am also confused by this. When I run org.owasp:dependency-check-maven it works perfectly, but why can't the cli be run in pom.xml's current directory?
The CLI doesn't have dependencies on Maven core, so it doesn't know how to resolve Maven dependencies. This keeps the CLI lightweight and puts an emphasis on using best-practices. We've always recommended that if a Dependency-Check plugin exists for a given build system (Maven, Gradle, SBT, etc), then users are highly encouraged to use the plugin over the CLI. The results will be much more accurate.
For Java related projects, when the build is successfully done and jars are created in the target directory, only those are analyzed by dependency-check, not the pom.xml separately where all other dependencies are mentioned.
Need to provide a feature to analyze pom.xml.
Thank You in advance