reporting maven configuration #144

Closed
herau opened this issue Aug 7, 2014 · 16 comments
@herau

herau commented Aug 7, 2014

Is it possible to configure the dependencyCheck plugin in the reporting section of Maven?

I tried this solution but I have a blank page instead of the report.

<reporting>
    <plugins>
        <!-- selects reports for the documentation site -->
        <plugin>
            <artifactId>maven-project-info-reports-plugin</artifactId>
            <version>2.7</version>
            <reportSets>
                <reportSet>
                    <reports>
                        <report>index</report>
                        <report>modules</report>
                        <report>summary</report>
                        <report>issue-tracking</report>
                        <report>cim</report>
                        <report>dependencies</report>
                        <report>dependency-management</report>
                        <report>dependency-convergence</report>
                        <report>plugins</report>
                        <report>plugin-management</report>
                        <report>distribution-management</report>
                        <report>project-team</report>
                    </reports>
                </reportSet>
            </reportSets>
        </plugin>
        <!-- OWASP dependency-check report -->
        <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>1.2.4</version>
            <configuration>
                <logFile>${project.build.directory}/dependency-check.log</logFile>
                <skipProvidedScope>true</skipProvidedScope>
                <skipRuntimeScope>true</skipRuntimeScope>
                <externalReport>false</externalReport>
            </configuration>
        </plugin>
    </plugins>
</reporting>
@herau
Author

herau commented Aug 7, 2014

I also tried the configuration of Example 3 with the same result.

@jeremylong
Owner

What version of Maven are you using?

--Jeremy

On Thu, Aug 7, 2014 at 10:21 AM, Aurélien Leboulanger <notifications@github.com> wrote:

I also tried the configuration of Example 3
(http://jeremylong.github.io/DependencyCheck/dependency-check-maven/usage.html)
with the same result.



@jeremylong
Owner

But what version of Maven are you using? 2.x or 3.x?

Jeremy
On Aug 7, 2014 8:20 AM, "Aurélien Leboulanger" <notifications@github.com> wrote:

I just tried the 1.2.4 version but I have the same result.



@herau
Author

herau commented Aug 7, 2014

Maven 3.2.2

@jeremylong
Owner

Two things to try:

  1. Could you re-run the dependency-check-maven-plugin with the logFile
     configured (and could you send me the log file)?

        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-site-plugin</artifactId>
            <configuration>
                <reportPlugins>
                    <plugin>
                        <groupId>org.owasp</groupId>
                        <artifactId>dependency-check-maven</artifactId>
                        <version>1.2.4</version>
                        <configuration>
                            <logFile>dependency-check.log</logFile>
                        </configuration>
                    </plugin>
                </reportPlugins>
            </configuration>
        </plugin>

  2. Could you check the "~.m2\repository\org\owasp\dependency-check-data".
     Are there two files in this directory (cve.2.9.h2.db, cve.2.9.trace.db)?
     And if the h2.db file is there, is it around 200mb?

Regards,

Jeremy


@herau
Author

herau commented Aug 11, 2014

logFile of my parent Maven module: https://gist.github.com/herau/52d95848b2db2d1f512e

The .db files are in the right directory:

1420185 Aug 11 01:23 /tmp/maven-repository/org/owasp/dependency-check-data/cve.2.9.trace.db
243474432 Aug 11 01:23 /tmp/maven-repository/org/owasp/dependency-check-data/cve.2.9.h2.db

@jeremylong
Owner

The dependency-check-maven plugin does not currently perform aggregation on
the child projects. This should be solved in the next release.

--Jeremy


@herau
Author

herau commented Aug 13, 2014

OK, but it doesn't explain the blank page on the generated Maven site, right?

@jeremylong
Owner

While developing the report aggregation feature I did run into the blank page problem. This was fixed as part of the report aggregation patch.

Additionally, the documentation will be updated to show the use of the reporting section.

@herau
Author

herau commented Sep 2, 2014

👍 Thanks, I will try it.

@herau
Author

herau commented Sep 15, 2014

There is no reference to this kind of configuration in the current documentation page.

@jeremylong
Owner

The functionality is in the current snapshot build (i.e. not available in
Central, but could be downloaded from the Cloudbees CI
https://dependency-check.ci.cloudbees.com/) and the documentation is
available in the source code on github here
https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-maven/src/site/markdown/usage.md.vm.
However, I am completing the release testing and hope to release a new
version within a day or two.

Best Regards,

Jeremy Long

On Mon, Sep 15, 2014 at 7:54 AM, Aurélien Leboulanger <notifications@github.com> wrote:

There is no reference to this kind of configuration in the current documentation page
(http://jeremylong.github.io/DependencyCheck/dependency-check-maven/usage.html).



@herau
Author

herau commented Sep 30, 2014

Hello,
I updated the plugin version to 1.2.5 and I updated the plugin configuration:

<reporting>
    <plugins>
        <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <configuration>
                <logFile>${project.build.directory}/dependency-check.log</logFile>
                <skipProvidedScope>true</skipProvidedScope>
                <skipRuntimeScope>true</skipRuntimeScope>
                <!--<externalReport>false</externalReport>-->
                <aggregate>true</aggregate>
            </configuration>
            <reportSets>
                <reportSet>
                    <reports>
                        <report>check</report>
                    </reports>
                </reportSet>
            </reportSets>
        </plugin>
    </plugins>
</reporting>

But I still have an empty page after the Maven site generation (it just has the generation date :-)).

My log file:

Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings logProperties
FINE: Properties loaded:

analyzer.nexus.enabled='true'
autoupdate='true'
analyzer.assembly.enabled='true'
analyzer.nexus.proxy='true'
cve.url-1.2.base='http://nvd.nist.gov/download/nvdcve-%d.xml'
cve.url-1.2.modified='http://nvd.nist.gov/download/nvdcve-modified.xml'
data.driver_name='org.h2.Driver'
data.file_name='cve.%s.h2.db'
application.name='Dependency-Check Core'
data.directory='[JAR]/data'
max.download.threads='3'
cve.url-2.0.base='http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml'
analyzer.nuspec.enabled='true'
cve.url-2.0.modified='http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml'
cve.startyear='2002'
cve.url.modified.validfordays='7'
analyzer.jar.enabled='true'
data.version='2.9'
data.user='dcuser'
analyzer.nexus.url='https://repository.sonatype.org/service/local/'
application.version='1.2.4'
analyzer.archive.enabled='true'
data.driver_path=''
data.connection_string='jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;'
data.password='*****'

Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings logProperties
FINE: Properties updated via merge:

analyzer.nexus.enabled='true'
autoupdate='true'
analyzer.assembly.enabled='true'
analyzer.nexus.proxy='true'
cve.url-1.2.base='http://nvd.nist.gov/download/nvdcve-%d.xml'
cve.url-1.2.modified='http://nvd.nist.gov/download/nvdcve-modified.xml'
data.driver_name='org.h2.Driver'
data.file_name='cve.%s.h2.db'
application.name='Dependency-Check Core'
data.directory='[JAR]/../../dependency-check-data'
max.download.threads='3'
cve.url-2.0.base='http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml'
analyzer.nuspec.enabled='true'
cve.url-2.0.modified='http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml'
cve.startyear='2002'
cve.url.modified.validfordays='7'
analyzer.jar.enabled='true'
data.version='2.9'
data.user='dcuser'
analyzer.nexus.url='https://repository.sonatype.org/service/local/'
application.version='1.2.4'
analyzer.archive.enabled='true'
data.driver_path=''
data.connection_string='jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;'
data.password='*****'

Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings setBoolean
FINE: Setting: autoupdate='true'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings setBoolean
FINE: Setting: analyzer.jar.enabled='true'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings setBoolean
FINE: Setting: analyzer.nuspec.enabled='true'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings setBoolean
FINE: Setting: analyzer.nexus.enabled='true'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings setBoolean
FINE: Setting: analyzer.nexus.proxy='true'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings setBoolean
FINE: Setting: analyzer.archive.enabled='true'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings setBoolean
FINE: Setting: analyzer.assembly.enabled='true'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings setBoolean
FINE: Setting: skip.test.scope='true'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings setBoolean
FINE: Setting: skip.runtime.scope='true'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings setBoolean
FINE: Setting: skip.provided.scope='true'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.data.nvdcve.ConnectionFactory initialize
FINE: Loading driver: org.h2.Driver
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings getDataFile
FINE: Settings.getDataFile() - file: '[JAR]/../../dependency-check-data'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings getDataFile
FINE: Settings.getDataFile() - transforming filename
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings getDataFile
FINE: Settings.getDataFile() - jar file: '/tmp/maven-repository/org/owasp/dependency-check-utils/1.2.4'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings getDataFile
FINE: Settings.getDataFile() - returning: '/tmp/maven-repository/org/owasp/dependency-check-utils/1.2.4/../../dependency-check-data'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings getConnectionString
FINE: Connection String: 'jdbc:h2:file:/tmp/maven-repository/org/owasp/dependency-check-data/cve.2.9;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings getDataFile
FINE: Settings.getDataFile() - file: '[JAR]/../../dependency-check-data'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings getDataFile
FINE: Settings.getDataFile() - transforming filename
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings getDataFile
FINE: Settings.getDataFile() - jar file: '/tmp/maven-repository/org/owasp/dependency-check-utils/1.2.4'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.utils.Settings getDataFile
FINE: Settings.getDataFile() - returning: '/tmp/maven-repository/org/owasp/dependency-check-utils/1.2.4/../../dependency-check-data'
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.data.nvdcve.ConnectionFactory initialize
FINE: Need to create DB Structure: false
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.data.nvdcve.ConnectionFactory initialize
FINE: Loading database connection
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.data.nvdcve.ConnectionFactory initialize
FINE: Connection String: jdbc:h2:file:/tmp/maven-repository/org/owasp/dependency-check-data/cve.2.9;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
Sep 30, 2014 1:23:23 AM org.owasp.dependencycheck.data.nvdcve.ConnectionFactory initialize
FINE: Database User: dcuser
Sep 30, 2014 1:23:27 AM org.owasp.dependencycheck.data.update.task.DownloadTask call
INFO: Download Started for NVD CVE - Modified
Sep 30, 2014 1:23:34 AM org.owasp.dependencycheck.data.update.task.DownloadTask call
INFO: Download Complete for NVD CVE - Modified
Sep 30, 2014 1:23:34 AM org.owasp.dependencycheck.data.update.task.ProcessTask processFiles
INFO: Processing Started for NVD CVE - Modified
Sep 30, 2014 1:23:44 AM org.owasp.dependencycheck.data.update.task.ProcessTask processFiles
INFO: Processing Complete for NVD CVE - Modified
Sep 30, 2014 1:23:44 AM org.owasp.dependencycheck.data.update.StandardUpdate update
INFO: Begin database maintenance.
Sep 30, 2014 1:24:06 AM org.owasp.dependencycheck.data.update.StandardUpdate update
INFO: End database maintenance.
Sep 30, 2014 1:24:08 AM org.owasp.dependencycheck.data.nvdcve.CveDB finalize
FINE: Entering finalize
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: 
----------------------------------------------------
BEGIN ANALYSIS
----------------------------------------------------
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Starting
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine initializeAnalyzer
FINE: Initializing Archive Analyzer
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: Begin Analyzer 'Archive Analyzer'
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine initializeAnalyzer
FINE: Initializing File Name Analyzer
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: Begin Analyzer 'File Name Analyzer'
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine initializeAnalyzer
FINE: Initializing Jar Analyzer
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: Begin Analyzer 'Jar Analyzer'
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine initializeAnalyzer
FINE: Initializing Nexus Analyzer
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: Begin Analyzer 'Nexus Analyzer'
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine initializeAnalyzer
FINE: Initializing Nuspec Analyzer
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: Begin Analyzer 'Nuspec Analyzer'
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine initializeAnalyzer
FINE: Initializing Assembly Analyzer
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: Begin Analyzer 'Assembly Analyzer'
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine initializeAnalyzer
FINE: Initializing Hint Analyzer
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: Begin Analyzer 'Hint Analyzer'
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine initializeAnalyzer
FINE: Initializing CPE Analyzer
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.analyzer.CPEAnalyzer open
FINE: Opening the CVE Database
Sep 30, 2014 1:24:21 AM org.owasp.dependencycheck.analyzer.CPEAnalyzer open
FINE: Creating the Lucene CPE Index
Sep 30, 2014 1:24:21 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: Begin Analyzer 'CPE Analyzer'
Sep 30, 2014 1:24:21 AM org.owasp.dependencycheck.Engine initializeAnalyzer
FINE: Initializing False Positive Analyzer
Sep 30, 2014 1:24:21 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: Begin Analyzer 'False Positive Analyzer'
Sep 30, 2014 1:24:21 AM org.owasp.dependencycheck.Engine initializeAnalyzer
FINE: Initializing Cpe Suppression Analyzer
Sep 30, 2014 1:24:22 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: Begin Analyzer 'Cpe Suppression Analyzer'
Sep 30, 2014 1:24:22 AM org.owasp.dependencycheck.Engine initializeAnalyzer
FINE: Initializing Dependency Bundling Analyzer
Sep 30, 2014 1:24:22 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: Begin Analyzer 'Dependency Bundling Analyzer'
Sep 30, 2014 1:24:22 AM org.owasp.dependencycheck.Engine initializeAnalyzer
FINE: Initializing NVD CVE Analyzer
Sep 30, 2014 1:24:23 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: Begin Analyzer 'NVD CVE Analyzer'
Sep 30, 2014 1:24:23 AM org.owasp.dependencycheck.Engine initializeAnalyzer
FINE: Initializing Vulnerability Suppression Analyzer
Sep 30, 2014 1:24:23 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: Begin Analyzer 'Vulnerability Suppression Analyzer'
Sep 30, 2014 1:24:23 AM org.owasp.dependencycheck.Engine closeAnalyzer
FINE: Closing Analyzer 'Archive Analyzer'
Sep 30, 2014 1:24:23 AM org.owasp.dependencycheck.Engine closeAnalyzer
FINE: Closing Analyzer 'File Name Analyzer'
Sep 30, 2014 1:24:23 AM org.owasp.dependencycheck.Engine closeAnalyzer
FINE: Closing Analyzer 'Jar Analyzer'
Sep 30, 2014 1:24:23 AM org.owasp.dependencycheck.Engine closeAnalyzer
FINE: Closing Analyzer 'Nexus Analyzer'
Sep 30, 2014 1:24:23 AM org.owasp.dependencycheck.Engine closeAnalyzer
FINE: Closing Analyzer 'Nuspec Analyzer'
Sep 30, 2014 1:24:23 AM org.owasp.dependencycheck.Engine closeAnalyzer
FINE: Closing Analyzer 'Assembly Analyzer'
Sep 30, 2014 1:24:23 AM org.owasp.dependencycheck.Engine closeAnalyzer
FINE: Closing Analyzer 'Hint Analyzer'
Sep 30, 2014 1:24:23 AM org.owasp.dependencycheck.Engine closeAnalyzer
FINE: Closing Analyzer 'CPE Analyzer'
Sep 30, 2014 1:24:24 AM org.owasp.dependencycheck.Engine closeAnalyzer
FINE: Closing Analyzer 'False Positive Analyzer'
Sep 30, 2014 1:24:24 AM org.owasp.dependencycheck.Engine closeAnalyzer
FINE: Closing Analyzer 'Cpe Suppression Analyzer'
Sep 30, 2014 1:24:24 AM org.owasp.dependencycheck.Engine closeAnalyzer
FINE: Closing Analyzer 'Dependency Bundling Analyzer'
Sep 30, 2014 1:24:24 AM org.owasp.dependencycheck.Engine closeAnalyzer
FINE: Closing Analyzer 'NVD CVE Analyzer'
Sep 30, 2014 1:24:24 AM org.owasp.dependencycheck.Engine closeAnalyzer
FINE: Closing Analyzer 'Vulnerability Suppression Analyzer'
Sep 30, 2014 1:24:24 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: 
----------------------------------------------------
END ANALYSIS
----------------------------------------------------
Sep 30, 2014 1:24:24 AM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Complete
Sep 30, 2014 1:25:22 AM org.owasp.dependencycheck.data.nvdcve.CveDB finalize
FINE: Entering finalize
Sep 30, 2014 1:25:22 AM org.owasp.dependencycheck.data.nvdcve.CveDB finalize
FINE: Entering finalize
Sep 30, 2014 1:25:22 AM org.owasp.dependencycheck.data.nvdcve.CveDB finalize
FINE: Entering finalize

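Added example, not code from the issue or from the DependencyCheck project: a POSIX sh script for the two diagnostics this thread works through, the maintainer's data-directory check (both cve.2.9 database files present and the H2 file around 200 MB) and a pass over a logFile like the one posted above, to confirm that the scan itself started, completed and ran the NVD CVE Analyzer. Function names and the constructed sample inputs are mine; the file names, log strings and the 200 MB figure are taken from the thread. A log that passes these checks while the site page is still blank, which is what the Sep 30 log shows, means the scan is fine and the fault is in how the report is wired into the site, which is where the maintainer eventually found the mojo annotation problem.

```shell
#!/bin/sh
# Added example (not from the issue or from DependencyCheck): helpers for the
# two diagnostics in this thread. Function names are mine; file names, log
# strings and the ~200 MB figure come from the thread.

# check_dc_data_dir DIR [MIN_BYTES]
# 0: cve.2.9.h2.db and cve.2.9.trace.db exist and the H2 file is at least
#    MIN_BYTES (default 200 MB, the size the maintainer says to expect)
# 1: a database file is missing   2: the H2 file is far too small
check_dc_data_dir() {
    dir=$1
    min=${2:-209715200}
    for f in cve.2.9.h2.db cve.2.9.trace.db; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            return 1
        fi
    done
    size=$(wc -c < "$dir/cve.2.9.h2.db" | tr -d ' ')
    if [ "$size" -lt "$min" ]; then
        echo "cve.2.9.h2.db is only $size bytes (expected at least $min)" >&2
        return 2
    fi
    return 0
}

# check_dc_log FILE
# Reads a dependency-check logFile (java.util.logging format, as posted in this
# thread) and prints the number of analyzers that started.
# 1: analysis never started   2: analysis never completed
# 3: the NVD CVE Analyzer did not run, so no CVEs could have been matched
check_dc_log() {
    log=$1
    if ! grep -q 'INFO: Analysis Starting' "$log"; then
        echo "analysis did not start" >&2
        return 1
    fi
    if ! grep -q 'INFO: Analysis Complete' "$log"; then
        echo "analysis did not complete" >&2
        return 2
    fi
    if ! grep -q "Begin Analyzer 'NVD CVE Analyzer'" "$log"; then
        echo "NVD CVE Analyzer did not run" >&2
        return 3
    fi
    grep -c "FINE: Begin Analyzer '" "$log" || true
}

# make_sample_dc_data DIR BYTES: constructed stand-in for the data directory.
# A real H2 file is ~200 MB; the sample is BYTES of zeros so the demo runs anywhere.
make_sample_dc_data() {
    mkdir -p "$1"
    dd if=/dev/zero of="$1/cve.2.9.h2.db" bs="$2" count=1 2>/dev/null
    : > "$1/cve.2.9.trace.db"
}

# make_sample_log FILE: constructed excerpt modelled on the log posted above.
make_sample_log() {
    cat > "$1" <<'EOF'
Sep 30, 2014 1:23:34 AM org.owasp.dependencycheck.data.update.task.DownloadTask call
INFO: Download Complete for NVD CVE - Modified
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Starting
Sep 30, 2014 1:24:20 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: Begin Analyzer 'Jar Analyzer'
Sep 30, 2014 1:24:21 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: Begin Analyzer 'CPE Analyzer'
Sep 30, 2014 1:24:23 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE: Begin Analyzer 'NVD CVE Analyzer'
Sep 30, 2014 1:24:24 AM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Complete
EOF
}

# Stand-alone demonstration on the constructed input.
tmp=$(mktemp -d)
make_sample_dc_data "$tmp/data" 4096
make_sample_log "$tmp/dependency-check.log"
check_dc_data_dir "$tmp/data" 4096 && echo "sample data dir: OK at the 4 KB sample threshold"
if check_dc_data_dir "$tmp/data"; then
    echo "unexpected: sample passed the real 200 MB threshold"
else
    echo "sample data dir fails the real 200 MB threshold as expected (status $?)"
fi
n=$(check_dc_log "$tmp/dependency-check.log") && echo "scan ran to completion, analyzers started: $n"
rm -rf "$tmp"
```

Point check_dc_data_dir at the real directory from the thread (the dependency-check-data folder under the local Maven repository) without the second argument to use the 200 MB threshold, and check_dc_log at the file named in the plugin's logFile setting.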
@jeremylong
Owner

Hello,

Sorry that this issue/thread fell off my radar - I should have re-opened the issue when you posted the problem above. Version 1.2.8 will be released within the next few days. The maven plugin has been completely reworked and one of the problems identified was an incorrect annotation on the mojo:

    requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,

I'll re-open this issue for now. When 1.2.8 is released please let me know if you are still experiencing an issue.

@jeremylong jeremylong reopened this Dec 27, 2014
@jeremylong jeremylong added the bug label Dec 27, 2014
@jeremylong
Owner

Due to lack of response on this issue, the changes made to resolve related issues regarding the Maven aggregate reports, and the two issues currently open (#189 and #193) we are considering this issue closed.

@lock

lock bot commented Sep 28, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Sep 28, 2018