Enhancement: maven plugin aggregate goal should produce human readable report #189

Closed
rlyons opened this issue Jan 7, 2015 · 37 comments

@rlyons

rlyons commented Jan 7, 2015

Right now, only dependency-check.ser is created. I would really like to attach an aggregate report to our build request tickets.

@jeremylong
Owner

There should be an HTML report also. To help me figure out what is going on, can you post the configuration you are using for the dependency-check plugin? I may have a few more questions after seeing the configuration.

--Jeremy

@rlyons
Author

rlyons commented Jan 8, 2015

We are calling the plugin directly without configuration and seeing properties on the command line because the development team controls the pom file, but we control what commands are called to perform the build (yes I know they can just make their own life cycle). Just working with what I have control over. I tried -DreportFormat=ALL and HTML and it still only made a ser file whereas HTML is the default for "check". There are some projects with 80 submodules...

@jeremylong
Owner

Can you provide the exact command line used that caused the .ser to be generated but no HTML report was generated? Also, a very high level description of the folder structure where the projects reside? If you would rather email the information to me directly I can be reached at jeremy.long@owasp.org.

Thanks!

Jeremy

@jeremylong
Owner

This may have been resolved with the patch for issue #193. However, I would still like to verify this. Can you provide the command line that you used that only created the .ser files instead of the HTML reports?

Thanks!

Jeremy

@jeremylong
Owner

I have been unable to reproduce the reported problem. I have executed:

> mvn org.owasp:dependency-check-maven:1.2.8:check

On several projects and in all cases the HTML version of the report is written into the target directory. More information is needed on the command line used and the structure of the project.

@rlyons
Author

rlyons commented Feb 13, 2015

Haha. I was looking to reproduce it by running it against your code, but we blocked one of your dependencies because of the security issues with it... org.apache.struts:struts2-core:jar:2.1.2

@rlyons
Author

rlyons commented Feb 13, 2015

~/Downloads/dcm/DependencyCheck-master 
 $ mvn org.owasp:dependency-check-maven:1.2.8:check org.owasp:dependency-check-maven:1.2.8:aggregate -DreportFormat=ALL -q
Feb 13, 2015 1:58:08 PM org.owasp.dependencycheck.maven.CheckMojo runCheck
INFO: No dependencies were identified that could be analyzed by dependency-check
Feb 13, 2015 1:58:09 PM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Starting
Feb 13, 2015 1:58:14 PM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Complete
Feb 13, 2015 1:58:18 PM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Starting
Feb 13, 2015 1:58:35 PM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Complete
Feb 13, 2015 1:58:36 PM org.owasp.dependencycheck.maven.BaseDependencyCheckMojo showSummary
WARNING: 

One or more dependencies were identified with known vulnerabilities:

commons-httpclient-3.1.jar (commons-httpclient:commons-httpclient:3.1, cpe:/a:apache:commons-httpclient:3.1, cpe:/a:apache:httpclient:3.1) : CVE-2014-3577, CVE-2012-6153
mail-1.4.jar (cpe:/a:sun:javamail:1.4, javax.mail:mail:1.4) : CVE-2007-6059
axis2-kernel-1.4.1.jar (cpe:/a:apache:axis2:1.4.1, org.apache.axis2:axis2-kernel:1.4.1) : CVE-2012-5785, CVE-2012-5351, CVE-2012-4418, CVE-2010-2103, CVE-2010-1632, CVE-2010-0219
daytrader-ear-2.1.7.ear: dt-ejb.jar (cpe:/a:apache:geronimo:2.1.7, org.apache.geronimo.daytrader:daytrader-ejb:2.1.7) : CVE-2011-5034, CVE-2008-0732
daytrader-ear-2.1.7.ear: geronimo-jaxrpc_1.1_spec-2.0.0.jar (cpe:/a:apache:geronimo:2.0, org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:2.0.0) : CVE-2011-5034, CVE-2008-0732, CVE-2007-5797, CVE-2007-4548
daytrader-ear-2.1.7.ear: streamer.jar (cpe:/a:apache:geronimo:2.1.7, org.apache.geronimo.daytrader:daytrader-streamer:2.1.7) : CVE-2011-5034, CVE-2008-0732
daytrader-ear-2.1.7.ear: wsappclient.jar (cpe:/a:apache:geronimo:2.1.7, org.apache.geronimo.daytrader:daytrader-wsappclient:2.1.7) : CVE-2011-5034, CVE-2008-0732
geronimo-javamail_1.4_spec-1.2.jar (cpe:/a:apache:geronimo:1.2, org.apache.geronimo.specs:geronimo-javamail_1.4_spec:1.2) : CVE-2011-5034, CVE-2008-0732
geronimo-jms_1.1_spec-1.1.1.jar (cpe:/a:apache:geronimo:1.1.1, org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1) : CVE-2011-5034, CVE-2008-0732
geronimo-jpa_2.0_spec-1.1.jar (cpe:/a:apache:geronimo:1.1, org.apache.geronimo.specs:geronimo-jpa_2.0_spec:1.1) : CVE-2011-5034, CVE-2008-0732
geronimo-stax-api_1.0_spec-1.0.1.jar (cpe:/a:apache:geronimo:1.0.1, org.apache.geronimo.specs:geronimo-stax-api_1.0_spec:1.0.1) : CVE-2011-5034, CVE-2008-0732
openjpa-2.0.1.jar (cpe:/a:apache:openjpa:2.0.1, org.apache.openjpa:openjpa:2.0.1) : CVE-2013-1768
struts2-core-2.3.20.jar (cpe:/a:apache:struts:2.3.20, org.apache.struts:struts2-core:2.3.20) : CVE-2008-6504
xwork-core-2.3.20.jar (cpe:/a:apache:struts:2.3.20, org.apache.struts.xwork:xwork-core:2.3.20) : CVE-2008-6504
dojo-war-1.3.0.war (cpe:/a:dojo_toolkit:dojo_toolkit:1.3.0, cpe:/a:dojotoolkit:dojo:1.3, org.dojotoolkit:dojo-war:1.3.0) : CVE-2010-2276, CVE-2010-2275, CVE-2010-2274, CVE-2010-2273, CVE-2007-2376
war-4.0.war: commons-fileupload-1.1.1.jar (commons-fileupload:commons-fileupload:1.1.1, cpe:/a:apache:commons_fileupload:1.1.1) : CVE-2014-0050, CVE-2013-0248
jetty-6.1.0.jar (cpe:/a:jetty:jetty:6.1.0, cpe:/a:mortbay:jetty:6.1.0, cpe:/a:mortbay_jetty:jetty:6.1, org.mortbay.jetty:jetty:6.1.0) : CVE-2011-4461, CVE-2009-4612, CVE-2009-4611, CVE-2009-4610, CVE-2009-4609, CVE-2009-1524, CVE-2009-1523, CVE-2007-5615, CVE-2007-5614, CVE-2007-5613
spring-security-core-3.0.0.RELEASE.jar (cpe:/a:vmware:springsource_spring_security:3.0.0, org.springframework.security:spring-security-core:3.0.0.RELEASE) : CVE-2012-5055, CVE-2011-2894, CVE-2011-2732, CVE-2011-2731, CVE-2010-3700
spring-core-2.5.5.jar (cpe:/a:springsource:spring_framework:2.5.5, cpe:/a:vmware:springsource_spring_framework:2.5.5, org.springframework:spring-core:2.5.5) : CVE-2014-1904, CVE-2014-0054, CVE-2013-7315, CVE-2013-6429, CVE-2013-4152, CVE-2011-2730, CVE-2010-1622
spring-tx-3.0.0.RELEASE.jar (cpe:/a:springsource:spring_framework:3.0.0, cpe:/a:vmware:springsource_spring_framework:3.0.0, org.springframework:spring-tx:3.0.0.RELEASE) : CVE-2014-1904, CVE-2014-0054, CVE-2013-7315, CVE-2013-6429, CVE-2013-4152, CVE-2011-2894, CVE-2011-2730, CVE-2010-1622


See the dependency-check report for more details.


Feb 13, 2015 1:58:37 PM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Starting
Feb 13, 2015 1:58:39 PM org.owasp.dependencycheck.analyzer.AssemblyAnalyzer initializeFileTypeAnalyzer
WARNING: An error occurred with the .NET AssemblyAnalyzer; this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.
Feb 13, 2015 1:58:39 PM org.owasp.dependencycheck.Engine initializeAnalyzer
SEVERE: Exception occurred initializing Assembly Analyzer.
Feb 13, 2015 1:58:41 PM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Complete
Feb 13, 2015 1:58:43 PM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Starting
Feb 13, 2015 1:58:44 PM org.owasp.dependencycheck.analyzer.AssemblyAnalyzer initializeFileTypeAnalyzer
WARNING: An error occurred with the .NET AssemblyAnalyzer; this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.
Feb 13, 2015 1:58:44 PM org.owasp.dependencycheck.Engine initializeAnalyzer
SEVERE: Exception occurred initializing Assembly Analyzer.
Feb 13, 2015 1:58:46 PM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Complete
Feb 13, 2015 1:58:49 PM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Starting
Feb 13, 2015 1:58:58 PM org.owasp.dependencycheck.analyzer.AssemblyAnalyzer initializeFileTypeAnalyzer
WARNING: An error occurred with the .NET AssemblyAnalyzer; this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.
Feb 13, 2015 1:58:58 PM org.owasp.dependencycheck.Engine initializeAnalyzer
SEVERE: Exception occurred initializing Assembly Analyzer.
Feb 13, 2015 1:59:01 PM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Complete
Feb 13, 2015 1:59:02 PM org.owasp.dependencycheck.maven.BaseDependencyCheckMojo showSummary
WARNING: 

One or more dependencies were identified with known vulnerabilities:

httpclient-4.0.2.jar (cpe:/a:apache:httpclient:4.0.2, org.apache.httpcomponents:httpclient:4.0.2) : CVE-2014-3577
struts-core-1.3.8.jar (cpe:/a:apache:struts:1.3.8, org.apache.struts:struts-core:1.3.8) : CVE-2014-0114, CVE-2008-6504
struts-tiles-1.3.8.jar (cpe:/a:apache:struts:1.3.8, cpe:/a:apache:tiles:1.3.8, org.apache.struts:struts-tiles:1.3.8) : CVE-2014-0114, CVE-2008-6504
aether-spi-1.0.0.v20140518.jar (cpe:/a:eclipse:eclipse_ide:1.0.0.v20140518, org.eclipse.aether:aether-spi:1.0.0.v20140518) : CVE-2010-4647, CVE-2008-7271
jetty-6.1.25.jar (cpe:/a:jetty:jetty:6.1.25, cpe:/a:mortbay:jetty:6.1.25, cpe:/a:mortbay_jetty:jetty:6.1.25, org.mortbay.jetty:jetty:6.1.25) : CVE-2011-4461, CVE-2009-1523
servlet-api-2.5-20081211.jar (cpe:/a:mortbay:jetty:2.5.20081211, cpe:/a:mortbay_jetty:jetty:2.5.20081211, org.mortbay.jetty:servlet-api:2.5-20081211) : CVE-2011-4461, CVE-2009-1524, CVE-2009-1523, CVE-2007-5615, CVE-2005-3747
sslext-1.2-0.jar (cpe:/a:apache:struts:1.2.0, sslext:sslext:1.2-0) : CVE-2008-6504, CVE-2006-1548, CVE-2006-1547, CVE-2006-1546


See the dependency-check report for more details.


Feb 13, 2015 1:59:03 PM org.owasp.dependencycheck.maven.CheckMojo runCheck
INFO: No dependencies were identified that could be analyzed by dependency-check
Feb 13, 2015 1:59:04 PM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Starting
Feb 13, 2015 1:59:05 PM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Complete
Feb 13, 2015 1:59:05 PM org.owasp.dependencycheck.maven.BaseDependencyCheckMojo writeDataFile
WARNING: Unable to create data file used for report aggregation; if report aggregation is being used the results may be incomplete.
~/Downloads/dcm/DependencyCheck-master 
 $ find . -wholename '*/target/*' -name '*.html'
./dependency-check-ant/target/dependency-check-report.html
./dependency-check-cli/target/dependency-check-report.html
./dependency-check-core/target/dependency-check-report.html
./dependency-check-maven/target/dependency-check-report.html
./dependency-check-utils/target/dependency-check-report.html

There isn't an aggregate HTML file made.
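
The console summaries above are the only human-readable output the reporter got when no aggregate HTML report was written. As an added example, not code from this thread or from the dependency-check project, the Python script below parses that showSummary line format (file name, identifiers in parentheses, CVE list after the colon, nested archives written as "outer.ear: inner.jar") and merges several modules' summaries into one plain-text aggregate. The two sample summaries are constructed, trimmed copies of lines from the output above.

```python
import re

# One line of the plugin's showSummary block, e.g.
#   mail-1.4.jar (cpe:/a:sun:javamail:1.4, javax.mail:mail:1.4) : CVE-2007-6059
# name : file name; "outer.ear: inner.jar" for a jar found inside another archive
# ids  : comma-separated identifiers (CPE and Maven coordinates)
# cves : comma-separated CVE ids
SUMMARY_LINE = re.compile(r"^(?P<name>.+?) \((?P<ids>[^)]*)\) : (?P<cves>CVE-.*)$")

# Constructed sample: trimmed copies of two modules' console summaries
# (the lines between "One or more dependencies ..." and "See the ... report").
SAMPLE_CORE = """\
One or more dependencies were identified with known vulnerabilities:

commons-httpclient-3.1.jar (commons-httpclient:commons-httpclient:3.1, cpe:/a:apache:commons-httpclient:3.1, cpe:/a:apache:httpclient:3.1) : CVE-2014-3577, CVE-2012-6153
daytrader-ear-2.1.7.ear: dt-ejb.jar (cpe:/a:apache:geronimo:2.1.7, org.apache.geronimo.daytrader:daytrader-ejb:2.1.7) : CVE-2011-5034, CVE-2008-0732
spring-core-2.5.5.jar (cpe:/a:springsource:spring_framework:2.5.5, org.springframework:spring-core:2.5.5) : CVE-2014-1904, CVE-2014-0054

See the dependency-check report for more details.
"""
SAMPLE_MAVEN = """\
httpclient-4.0.2.jar (cpe:/a:apache:httpclient:4.0.2, org.apache.httpcomponents:httpclient:4.0.2) : CVE-2014-3577
spring-core-2.5.5.jar (cpe:/a:springsource:spring_framework:2.5.5, org.springframework:spring-core:2.5.5) : CVE-2014-1904, CVE-2014-0054, CVE-2013-7315
"""


def parse_summary(text):
    """Return one dict per dependency line; lines that are not findings are skipped."""
    findings = []
    for raw in text.splitlines():
        m = SUMMARY_LINE.match(raw.strip())
        if not m:
            continue
        name = m.group("name")
        container, sep, inner = name.rpartition(": ")
        findings.append({
            "container": container if sep else None,  # enclosing .ear/.war, if any
            "file": inner if sep else name,
            "identifiers": [i.strip() for i in m.group("ids").split(",") if i.strip()],
            "cves": [c.strip() for c in m.group("cves").split(",") if c.strip()],
        })
    return findings


def aggregate(module_summaries):
    """Merge {module_name: summary_text} into one view keyed by (container, file).

    An artifact reported by several modules is listed once, with the union of
    its CVEs and the set of modules that pull it in.
    """
    merged = {}
    for module, text in module_summaries.items():
        for f in parse_summary(text):
            key = (f["container"], f["file"])
            entry = merged.setdefault(key, {"identifiers": set(), "cves": set(), "modules": set()})
            entry["identifiers"].update(f["identifiers"])
            entry["cves"].update(f["cves"])
            entry["modules"].add(module)
    return merged


def render(merged):
    """Plain-text aggregate report, artifacts with the most CVEs first."""
    lines = []
    order = sorted(merged.items(), key=lambda kv: (-len(kv[1]["cves"]), kv[0][1]))
    for (container, file), e in order:
        label = f"{container}: {file}" if container else file
        lines.append(f"{label}  [{len(e['cves'])} CVE(s)]  modules: {', '.join(sorted(e['modules']))}")
        lines.append("    " + ", ".join(sorted(e["cves"])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(aggregate({"dependency-check-core": SAMPLE_CORE,
                            "dependency-check-maven": SAMPLE_MAVEN})))
```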

@rlyons
Author

rlyons commented Feb 13, 2015

Also, if I run mvn clean and then run the aggregate by itself....

~/Downloads/dcm/DependencyCheck-master 
 $ mvn  org.owasp:dependency-check-maven:1.2.8:aggregate -DreportFormat=ALL -q
Feb 13, 2015 2:05:45 PM org.owasp.dependencycheck.Engine doUpdates
INFO: Checking for updates
Feb 13, 2015 2:06:32 PM org.owasp.dependencycheck.Engine doUpdates
INFO: Check for updates complete
Feb 13, 2015 2:06:32 PM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Starting
Feb 13, 2015 2:06:36 PM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Complete
Feb 13, 2015 2:06:36 PM org.owasp.dependencycheck.maven.BaseDependencyCheckMojo writeDataFile
WARNING: Unable to create data file used for report aggregation; if report aggregation is being used the results may be incomplete.
~/Downloads/dcm/DependencyCheck-master 
 $ find . -wholename '*/target/*' -name '*.html'

nada.

I tried running with -X as well to see what the heck it was talking about with "Unable to create data file used for report aggregation", but there is no more data. And as long as it is trying to write inside target, it shouldn't be an issue.

@jeremylong
Owner

As I said, this might be resolved in 1.2.9-SNAPSHOT; if you could test with this version the binaries can be downloaded from Cloudbees using the following links:

If you are unable to test 1.2.9-SNAPSHOT could you run 1.2.8 and create a dependency-check log file:

$ mvn org.owasp:dependency-check-maven:1.2.8:check org.owasp:dependency-check-maven:1.2.8:aggregate -DreportFormat=ALL -DlogFile=./dependency-check.log -q

The log file will help me figure out where the problem is. Also, what version of Maven and JDK are you using (possibly post a mvn -version)?

Thanks!

--Jeremy

@rlyons
Author

rlyons commented Mar 2, 2015

Thank you! I will try it out

@rlyons
Author

rlyons commented Mar 2, 2015

I just cloned latest HEAD on master.

{code}
mvn org.owasp:dependency-check-maven:1.2.9-SNAPSHOT:check org.owasp:dependency-check-maven:1.2.9-SNAPSHOT:aggregate -DreportFormat=ALL

$ find . -name '*.html'
./dependency-check-ant/target/dependency-check-report.html
./dependency-check-cli/target/dependency-check-report.html
./dependency-check-core/target/dependency-check-report.html
./dependency-check-maven/target/dependency-check-report.html
./dependency-check-utils/target/dependency-check-report.html
./src/site/resources/SampleReport.html

$ find target/
target/
target/failsafe-reports
target/failsafe-reports/failsafe-summary.xml
target/dependency-check.ser

{code}

also tried
{code}
mvn org.owasp:dependency-check-maven:1.2.9-SNAPSHOT:aggregate -Dformat=HTML
{code}

and still got
{code}
$ find target
target
target/failsafe-reports
target/failsafe-reports/failsafe-summary.xml
target/dependency-check.ser
{code}

Is there something I am missing? Built hash is 26b48d4.

@jeremylong
Owner

Can you confirm whether this issue has been resolved?

Thanks!

Jeremy

@dmettem

dmettem commented Apr 1, 2015

I see a similar issue with version 1.2.9, where I see the reports being generated for all child modules as well as the parent module; however, the parent module's report is not an aggregated one, but just of its own dependencies.

This is the command I ran:

mvn org.owasp:dependency-check-maven:1.2.9:check org.owasp:dependency-check-maven:1.2.9:aggregate -DlogFile=./dependency-check.log -q

I see the following errors while running dependency-check-maven:aggregate on the parent pom.

[INFO] --- dependency-check-maven:1.2.9:aggregate (default-cli) @ cc ---
Apr 01, 2015 9:45:21 AM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Starting
Apr 01, 2015 9:45:24 AM org.owasp.dependencycheck.Engine analyzeDependencies
WARNING: An unexpected error occurred during analysis of '/Users/dm/.m2/repository/org/glassfish/gmbal/gmbal-api-only/3.0.0-b023/gmbal-api-only-3.0.0-b023.jar'
Apr 01, 2015 9:45:24 AM org.owasp.dependencycheck.Engine analyzeDependencies
WARNING: An unexpected error occurred during analysis of '/var/folders/qg/c1kblmbx0db1tfspqjn37_34002lqd/T/check6820673060777098903tmp/289/pom.xml'
Apr 01, 2015 9:45:24 AM org.owasp.dependencycheck.Engine analyzeDependencies
WARNING: An unexpected error occurred during analysis of '/Users/dm/.m2/repository/javax/jws/jsr181-api/1.0-MR1/jsr181-api-1.0-MR1.jar'

Looking at the log file, here's what I see:

WARNING: An unexpected error occurred during analysis of '/Users/dm/.m2/repository/org/glassfish/gmbal/gmbal-api-only/3.0.0-b023/gmbal-api-only-3.0.0-b023.jar'
Apr 01, 2015 9:50:35 AM org.owasp.dependencycheck.Engine analyzeDependencies
FINE:
java.lang.NullPointerException
at org.owasp.dependencycheck.data.cpe.CpeMemoryIndex.search(CpeMemoryIndex.java:290)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.searchCPE(CPEAnalyzer.java:265)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.determineCPE(CPEAnalyzer.java:186)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.analyze(CPEAnalyzer.java:474)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:398)
at org.owasp.dependencycheck.maven.Engine.analyzeDependencies(Engine.java:88)
at org.owasp.dependencycheck.maven.AggregateMojo.generateDataFile(AggregateMojo.java:230)
at org.owasp.dependencycheck.maven.AggregateMojo.generateDataFile(AggregateMojo.java:213)
at org.owasp.dependencycheck.maven.AggregateMojo.runCheck(AggregateMojo.java:71)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute(BaseDependencyCheckMojo.java:361)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:101)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:209)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:84)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:59)
at org.apache.maven.lifecycle.internal.LifecycleStarter.singleThreadedBuild(LifecycleStarter.java:183)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:161)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:320)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:156)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:537)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:196)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:141)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:290)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:230)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:409)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:352)

$ find . -name dependency-check-report.html
./core/target/dependency-check-report.html
./dependency-check-report.html
./dist/target/dependency-check-report.html
./docs/target/dependency-check-report.html
./dependencies/target/dependency-check-report.html
./plugin-app/target/dependency-check-report.html
./plugin-ac/target/dependency-check-report.html
./plugin-co/target/dependency-check-report.html
./sources/target/dependency-check-report.html
./target/dependency-check-report.html

$ mvn -version
Apache Maven 3.0.4 (r1232337; 2012-01-17 00:44:56-0800)
Maven home: /usr/local/Cellar/maven/3.0.4/libexec
Java version: 1.7.0_71, vendor: Oracle Corporation
Java home: /Library/Java/JavaVirtualMachines/jdk1.7.0_71.jdk/Contents/Home/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "10.10.2", arch: "x86_64", family: "mac"

Is there something I'm doing wrong?

@jeremylong
Owner

I have opened issue #213 regarding the NPE as it is unrelated to the bug discussed in this ticket. Until #213 has been resolved you should just be able to execute:

$ mvn org.owasp:dependency-check-maven:1.2.9:aggregate -DlogFile=./dependency-check.log -q

--Jeremy

@dmettem

dmettem commented Apr 3, 2015

I even tried that and found only dependency-check.ser file in target folder, but no HTML report.
I didn't see any errors in dependency-check.log either.

$ mvn org.owasp:dependency-check-maven:1.2.9:aggregate -DlogFile=./dependency-check-with-html-format.log -q
Apr 03, 2015 10:42:04 AM org.owasp.dependencycheck.Engine doUpdates
INFO: Checking for updates
Apr 03, 2015 10:42:09 AM org.owasp.dependencycheck.Engine doUpdates
INFO: Check for updates complete
Apr 03, 2015 10:42:10 AM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Starting
Apr 03, 2015 10:42:14 AM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Complete

$ find target/
target/
target//dependency-check.ser

This is what I see at the end of the log file.

INFO: Analysis Complete
Apr 03, 2015 10:29:03 AM org.owasp.dependencycheck.maven.BaseDependencyCheckMojo writeDataFile
FINE: Serialized data file written to '/Users/dm/cac/target/dependency-check.ser' for cac, referenced by key dependency-check-path-dependency-check.ser

@jeremylong
Owner

I am still unable to reproduce this bug. If anyone experiencing this can show me the configuration (i.e. POM files) and the command line used to execute the failing aggregate report I will hopefully be able to resolve the issue.

@ronbreizh

Hello, I'm new to dependency-check and I have the same problem on aggregate.
In target I have got dependency-check.ser but not the html report.
I think it's because the default lifecycle phase is site.
Can we change it or not? Because I don't use mvn site.

@jeremylong
Owner

My issue is that I have been unable to reproduce this issue. If you can provide me an example project (feel free to email me at jeremy.long@owasp.org) and the exact command you executed I can try to solve this... But so far every test case others have sent works-on-my-system(TM) - which is unfortunate.

@jeremylong
Owner

Also, I did change the default lifecycle to compile. This was committed to 1.2.12-SNAPSHOT and will be included in the next release. Hopefully, this resolves the issue. But I would still appreciate it if you could provide me with an example project as noted above.

Best Regards,

Jeremy

@rlyons
Author

rlyons commented Jun 24, 2015

I wish that I could! The legal team would have me booted out the door in a nanosecond.

Frustratingly, it works fine on sonatype's example multimodule project, and it works on yours. I need to scour github to find another that behaves like ours.


@ronbreizh

Hello, I just put this in my parent's pom.xml: org.owasp dependency-check-maven 1.2.11, and execute:
- mvn clean install and then mvn dependency-check:check : it's ok, report in each project
- mvn clean install and then mvn dependency-check:aggregate : it's nok (just dependency-check.ser in target directory)
The result: aggregate.jpg
Regards, Ronan

@jeremylong
Owner

Good news - I was just able to reproduce this with 1.2.11. Additionally, this appears to be fixed in 1.2.12-SNAPSHOT (where we have changed the default lifecycle of the aggregate goal from site to compile thanks to ronbreizh)!

If anyone experiencing this problem could compile/install 1.2.12-SNAPSHOT and confirm that the issue has been resolved I would really appreciate it.

--Jeremy

@ronbreizh

Could you put it on the central repository or not?
How can I point to the 1.2.12-SNAPSHOT version?
Regards

@jeremylong
Owner

Would you be able to pull the jar files from the target directories in the Cloudbees workspace (https://dependency-check.ci.cloudbees.com/job/dependency-check/ws/)?

--Jeremy


@ronbreizh

Hello,
I've got this when changing 1.2.11 to 1.2.12-SNAPSHOT.
Any idea?

[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO]
[INFO] reportingmandat-parent
[INFO] ObjectView
[INFO] reportingMandatCommon
[INFO] ReportingMandatEJBClient
[INFO] ReportingMandatEJB
[INFO] reportingMandat
[INFO] reportingMandatEAR
[INFO] Reporting Mandat - Deploy IT
[WARNING] Failed to retrieve plugin descriptor for org.owasp:dependency-check-maven:1.2.12-SNAPSHOT: Plugin org.owasp:dependency-check-maven:1.2.12-SNAPSHOT or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.owasp:dependency-check-maven:jar:1.2.12-SNAPSHOT
[WARNING] The POM for org.eclipse.m2e:lifecycle-mapping:jar:1.0.0 is missing, no dependency information available
[WARNING] Failed to retrieve plugin descriptor for org.eclipse.m2e:lifecycle-mapping:1.0.0: Plugin org.eclipse.m2e:lifecycle-mapping:1.0.0 or one of its dependencies could not be resolved: Failure to find org.eclipse.m2e:lifecycle-mapping:jar:1.0.0 in http://vmdevappdev001/nexus/content/groups/public/ was cached in the local repository, resolution will not be reattempted until the update interval of nexus has elapsed or updates are forced
Downloading: http://vmdevappdev001/nexus/content/groups/public/org/apache/maven/plugins/maven-metadata.xml
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/mojo/maven-metadata.xml
Downloading: http://vmdevappdev001/nexus/content/groups/public/org/codehaus/mojo/maven-metadata.xml
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-metadata.xml
4/13 KB 6/13 KB 10/13 KB 13/13 KB 13/13 KB 2/20 KB 13/13 KB 6/20 KB 13/13 KB 6/20 KB 13/13 KB 9/20 KB 13/13 KB 9/20 KB 13/13 KB 12/20 KB 13/13 KB 16/20 KB 13/13 KB 16/20 KB 13/13 KB 20/20 KB 13/13 KB 20/20 KB Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-metadata.xml (13 KB at 57.9 KB/sec)
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/mojo/maven-metadata.xml (20 KB at 79.2 KB/sec)
[WARNING] Could not transfer metadata org.apache.maven.plugins/maven-metadata.xml from/to nexus (http://vmdevappdev001/nexus/content/groups/public/): Failed to transfer file: http://vmdevappdev001/nexus/content/groups/public/org/apache/maven/plugins/maven-metadata.xml. Return code is: 503 , ReasonPhrase:Service Unavailable.
[WARNING] Could not transfer metadata org.codehaus.mojo/maven-metadata.xml from/to nexus (http://vmdevappdev001/nexus/content/groups/public/): Failed to transfer file: http://vmdevappdev001/nexus/content/groups/public/org/codehaus/mojo/maven-metadata.xml. Return code is: 503 , ReasonPhrase:Service Unavailable.
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] reportingmandat-parent ............................. SKIPPED
[INFO] ObjectView ......................................... SKIPPED
[INFO] reportingMandatCommon .............................. SKIPPED
[INFO] ReportingMandatEJBClient ........................... SKIPPED
[INFO] ReportingMandatEJB ................................. SKIPPED
[INFO] reportingMandat .................................... SKIPPED
[INFO] reportingMandatEAR ................................. SKIPPED
[INFO] Reporting Mandat - Deploy IT ....................... SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.371 s
[INFO] Finished at: 2015-06-25T11:31:29+02:00
[INFO] Final Memory: 18M/289M
[INFO] ------------------------------------------------------------------------
[ERROR] No plugin found for prefix 'dependency-check' in the current project and in the plugin groups [org.apache.maven.plugins, org.codehaus.mojo] available from the repositories [local (C:\dev\apache-maven-3.2.2.m2\repository), nexus (http://vmdevappdev001/nexus/content/groups/public/), central (http://repo.maven.apache.org/maven2)] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/NoPluginFoundForPrefixException

@jeremylong
Owner

dependency-check-maven 1.2.12-SNAPSHOT has not been pushed to central. In order to validate that the issue has been fixed we either wait until the full release - or someone that is experiencing this issue can download the JAR files (core, utils, maven) from the cloudbees workspace (https://dependency-check.ci.cloudbees.com/job/dependency-check/ws/). If you can download the jar files from cloudbees you can then install the snapshot version into your local repo by executing:

    mvn install:install-file -Dfile=<path-to-file>

On each of the three jar files.

@ronbreizh

3 jars?
I see one but not three.
Can you tell me the names of the 3 jars please?

Thank you

Moreover, the dependency-check-maven-1.2.12-SNAPSHOT.jar seems to be installed in my local repository.

[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO]
[INFO] reportingmandat-parent
[INFO] ObjectView
[INFO] reportingMandatCommon
[INFO] ReportingMandatEJBClient
[INFO] ReportingMandatEJB
[INFO] reportingMandat
[INFO] reportingMandatEAR
[INFO] Reporting Mandat - Deploy IT
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building reportingmandat-parent 15.2.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-install-plugin:2.5.1:install-file (default-cli) @ reportingmandat-parent ---
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] reportingmandat-parent ............................. FAILURE [ 0.203 s]
[INFO] ObjectView ......................................... SKIPPED
[INFO] reportingMandatCommon .............................. SKIPPED
[INFO] ReportingMandatEJBClient ........................... SKIPPED
[INFO] ReportingMandatEJB ................................. SKIPPED
[INFO] reportingMandat .................................... SKIPPED
[INFO] reportingMandatEAR ................................. SKIPPED
[INFO] Reporting Mandat - Deploy IT ....................... SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.670 s
[INFO] Finished at: 2015-06-29T09:37:07+02:00
[INFO] Final Memory: 10M/162M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-install-plugin:2.5.1:install-file (default-cli) on project reportingmandat-parent: Cannot install artifact. Artifact is already in the local repository.
[ERROR]
[ERROR] File in question is: C:\dev\apache-maven-3.2.2.m2\repository\org\owasp\dependency-check-maven\1.2.12-SNAPSHOT\dependency-check-maven-1.2.12-SNAPSHOT.jar
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

@pallavi-t

Hi, I am also facing the same issue.
Versions: Maven 3
dependency-check-maven: 1.2.11

1. Command used (Maven 3):
   mvn dependency-check:aggregate
   Console output:
   WARNING: Unable to create data file used for report aggregation; if report aggregation is being used the results may be incomplete.
   Jul 31, 2015 11:52:31 AM org.owasp.dependencycheck.maven.BaseDependencyCheckMojo writeDataFile
   FINE: C:\demo\printer\trunk\target\dependency-check.ser (The system cannot find the path specified)
   java.io.FileNotFoundException: C:\demo\printer\trunk\target\dependency-check.ser (The system cannot find the path specified)
   Also an error.
2. As a trial, if both goals are used like
   mvn dependency-check:check dependency-check:aggregate -DlogFile=./dependency-check.log
   then no warning is seen related to aggregate. But the stuff below is seen:

console output:
INFO: Analysis Starting
Jul 31, 2015 5:05:24 PM org.owasp.dependencycheck.Engine analyzeDependencies
WARNING: An unexpected error occurred during analysis of 'C:\XXX\XXXX\XXX.m2\repository\commons-io\commons-
io\1.3\commons-io-1.3.jar'
Jul 31, 2015 5:05:25 PM org.owasp.dependencycheck.Engine analyzeDependencies
INFO: Analysis Complete

And dependency-check.log contains
WARNING: An unexpected error occurred during analysis of 'C:\XXX\XXXX\XXX.m2\repository\commons-io\commons-io\1.3\commons-io-1.3.jar'
Jul 31, 2015 5:05:24 PM org.owasp.dependencycheck.Engine analyzeDependencies
FINE:
java.lang.NullPointerException
at org.owasp.dependencycheck.data.cpe.CpeMemoryIndex.search(CpeMemoryIndex.java:290)

@jeremylong
Owner

We are about to release a new version that we believe will fix this issue. However, I am unable to replicate the problem on my end. If possible, could you try the 1.2.12-SNAPSHOT (links to the JARs and instructions are in the reply above).

--Jeremy

@davidkarlsen

Try not to have the target dir there (e.g. run mvn clean first). That was the problem for me.
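The two symptoms reported in this thread (only dependency-check.ser appearing under target, and the FileNotFoundException when target is missing) are easy to gate on in CI. The following is an added example, not code from the thread or from the dependency-check project: a POSIX shell check that runs after the aggregate goal and fails the build unless a non-empty HTML report exists. It assumes the plugin's default output directory `target` and default report file name `dependency-check-report.html`; adjust both if your build configures them differently. `run_aggregate` follows davidkarlsen's advice above and runs `mvn clean` before the aggregate goal.

```shell
#!/bin/sh
# Added example (not part of the issue thread or the dependency-check project).
# Assumed defaults: output dir "target", report file "dependency-check-report.html".

# check_aggregate_report <project-root>
# Exit status:
#   0  a non-empty HTML report exists (aggregate goal succeeded)
#   1  only the aggregation data file (.ser) was produced, the symptom from this thread
#   2  the HTML report exists but is empty (a blank report)
#   3  nothing from dependency-check exists under target/
check_aggregate_report() {
    root="$1"
    ser="$root/target/dependency-check.ser"
    html="$root/target/dependency-check-report.html"

    if [ -f "$html" ] && [ -s "$html" ]; then
        return 0
    elif [ -f "$html" ]; then
        echo "dependency-check: blank report at $html" >&2
        return 2
    elif [ -f "$ser" ]; then
        echo "dependency-check: only aggregation data file produced ($ser), no HTML report" >&2
        return 1
    else
        echo "dependency-check: no output under $root/target" >&2
        return 3
    fi
}

# run_aggregate <project-root>
# Clean first (a stale or missing target dir was the reported cause), run the
# aggregate goal from the reactor root, then gate the build on the report.
run_aggregate() {
    ( cd "$1" && mvn clean dependency-check:aggregate ) || return $?
    check_aggregate_report "$1"
}
```

Invoke it from the reactor root as `run_aggregate .`; the non-zero exit codes distinguish "report missing" from "report blank", which is useful when triaging site-staging problems like the one referenced in #325.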

@jeremylong
Owner

Can anyone that was having this issue please test using 1.3.0? I believe this has been fixed.

@pallavi-t

Tested with 1.3.0; it does not generate the aggregate file.
Now at least the warning "WARNING: Unable to create data file used for report aggregation; if report aggregation is being used the results may be..." is not shown, and target is created with dependency-check.ser.

@jeremylong
Owner

Thanks for verifying this. This bug is very frustrating as I cannot replicate the problem on my side. I've had several people send me example projects and it works on my system...

--Jeremy

@jeremylong
Owner

With the last two commits I believe this issue is resolved. However, issue #325 is still present: while mvn site site:stage will produce the correct report in the site directory, the staging directory will contain a blank report.

@jeremylong
Owner

This issue is being closed as it is believed to have been resolved. If anyone in the future runs into this issue, please open a new issue.
