Enhancement: maven plugin aggregate goal should produce human readable report #189
Comments
There should be an HTML report also. To help me figure out what is going on can you post the configuration you are using for the dependency-check plugin? I may have a few more questions after seeing the configuration. --Jeremy |
We are calling the plug in directly without configuration and seeing
|
Can you provide the exact command line used that caused the .ser to be generated but no HTML report was generated? Also, a very high level description of the folder structure where the projects reside? If you would rather email the information to me directly I can be reached at jeremy.long@owasp.org. Thanks! Jeremy |
This may have been resolved with the patch for issue #193. However, I would still like to verify this. Can you provide the command line that you used that only created the .ser files instead of the HTML reports? Thanks! Jeremy |
I have been unable to reproduce the reported problem. I have executed: > mvn org.owasp:dependency-check-maven:1.2.8:check On several projects and in all cases the HTML version of the report is written into the target directory. More information is needed on the command line used and the structure of the project. |
Haha. I was looking to reproduce it by running it against your code, but we blocked one of your dependencies because of the security issues with it... org.apache.struts:struts2-core:jar:2.1.2 |
There isn't an aggregate html file made. |
also if I run mvn clean, and then run the aggregate by itself....
nada. tried running with -X as well to see what the heck it was talking about with "Unable to create data file used for report aggregation" - but there is no more data. and as long as it is trying to write inside target, it shouldn't be an issue. |
As I said, this might be resolved in 1.2.9-SNAPSHOT; if you could test with this version the binaries can be downloaded from Cloudbees using the following links:
If you are unable to test 1.2.9-SNAPSHOT could you run 1.2.8 and create a dependency-check log file: $ mvn org.owasp:dependency-check-maven:1.2.8:check org.owasp:dependency-check-maven:1.2.8:aggregate -DreportFormat=ALL -DlogFile=./dependency-check.log -q The log file will help me figure out where the problem is. Also, what version of Maven and JDK are you using (possibly post a Thanks! --Jeremy |
Thank you! I will try it out |
I just cloned latest HEAD on master. {code} $ find . -name '*.html' $ find target/ {code} also tried and still got Is there something I am missing? built hash is 26b48d4 |
Can you confirm whether this issue has been resolved? Thanks! Jeremy |
I see a similar issue with version 1.2.9, where I see the reports being generated for all child modules as well as the parent module; however, the parent module's report is not an aggregated one, but just of its own dependencies. This is the command I ran: mvn org.owasp:dependency-check-maven:1.2.9:check org.owasp:dependency-check-maven:1.2.9:aggregate -DlogFile=./dependency-check.log -q I see the following errors while running the dependency-check-maven:aggregate on parent pom. [INFO] --- dependency-check-maven:1.2.9:aggregate (default-cli) @ cc --- Looking at the log file, here's what I see: WARNING: An unexpected error occurred during analysis of '/Users/dm/.m2/repository/org/glassfish/gmbal/gmbal-api-only/3.0.0-b023/gmbal-api-only-3.0.0-b023.jar' $ find . -name dependency-check-report.html $ mvn -version Is there something I'm doing wrong? |
I even tried that and found only dependency-check.ser file in target folder, but no HTML report. $ mvn org.owasp:dependency-check-maven:1.2.9:aggregate -DlogFile=./dependency-check-with-html-format.log -q $ find target/ This is what I see at the end of log file. INFO: Analysis Complete |
I am still unable to reproduce this bug. If anyone experiencing this can show me the configuration (i.e. POM files) and the command line used to execute the failing aggregate report I will hopefully be able to resolve the issue. |
Hello, I'm new to dependency-check and I have the same problem with aggregate |
My issue is that I have been unable to reproduce this issue. If you can provide me an example project (feel free to email me at jeremy.long@owasp.org) and the exact command you executed I can try to solve this... But so far every test case others have sent works-on-my-system(TM) - which is unfortunate. |
Also, I did change the default lifecycle to compile. This was committed to 1.2.12-SNAPSHOT and will be included in the next release. Hopefully, this resolves the issue. But I would still appreciate it if you could provide me with an example project as noted above. Best Regards, Jeremy |
I wish that I could! The legal team would have me booted out the door in a Frustratingly, it works fine on sonatype's example multimodule project, On Mon, Jun 22, 2015, 5:04 AM Jeremy Long notifications@github.com wrote:
|
Hello, just put this in my parent's pom.xml org.owasp dependency-check-maven 1.2.11 and execute - mvn clean install and then mvn dependency-check:check : it's ok, report in each project - mvn clean install and then mvn dependency-check:aggregate : it's nok (just dependency-check.ser in target directory) the result : aggregate.jpg regards Ronan |
Good news - I was just able to reproduce this with 1.2.11. Additionally, this appears to be fixed in 1.2.12-SNAPSHOT (where we have changed the default lifecycle of the aggregate goal from site to compile thanks to ronbreizh)! If anyone experiencing this problem could compile/install 1.2.12-SNAPSHOT and confirm that the issue has been resolved I would really appreciate it. --Jeremy |
Could you put it on central repository or not? |
Would you be able to pull the jar files from the target directories in the --Jeremy On Wed, Jun 24, 2015 at 8:58 AM, ronbreizh notifications@github.com wrote:
|
Hello, [INFO] Scanning for projects... |
dependency-check-maven 1.2.12-SNAPSHOT has not been pushed to central. In order to validate that the issue has been fixed we either wait until the full release - or someone that is experiencing this issue can download the JAR files (core, utils, maven) from the cloudbees workspace (https://dependency-check.ci.cloudbees.com/job/dependency-check/ws/). If you can download the jar files from cloudbees you can then install the snapshot version into your local repo by executing: mvn install:install-file -Dfile=<path-to-file> On each of the three jar files. |
3 jars? Thank you. Moreover, the dependency-check-maven-1.2.12-SNAPSHOT.jar seems to be installed in my local repository. [INFO] Scanning for projects... |
|
Hi, I am also facing the same issue
console output: And dependency-check.log contains |
We are about to release a new version that we believe will fix this issue. However, I am unable to replicate the problem on my end. If possible, could you try the 1.2.12-SNAPSHOT (links to JARs and instructions are in the reply above). --Jeremy |
Try to not have the target dir there (e.g. Run mvn clean 1st). That was the
|
Can anyone that was having this issue please test using 1.3.0? I believe this has been fixed. |
Tested with 1.3.0, does not generate aggregate file. |
Thanks for verifying this. This bug is very frustrating as I cannot replicate the problem on my side. I've had several people send me example projects and it works on my system... --Jeremy |
With the last two commits I believe this issue is resolved. However, issue #325 is still present. While |
This issue is being closed as it is believed to have been resolved. If anyone in the future runs into this issue - please open a new issue. |
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Right now, only dependency-check.ser is created. I would really like to attach an aggregate report to our build request tickets.