New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dependency-check failing for aggregate project due to in-reactor war-dependency with a vulnerable library in a previous snapshot hosted in the repository #2806
Comments
The way I managed to reproduce the issue we encountered indicates that it may be hard to create an IT to prevent it in the future. The scenario that I run to reproduce the issue that we encountered in our project:
So only in the case 'SNAPSHOT in localrepo that originates from a maven repository' it appears that the SNAPSHOTS for reactor use virtual dependency are no longer kicking in. @jeremylong is there some way to use an isolated maven snapshot repository and introduce the relevant parts of the reproduction scenario into an integration test:
|
Note: a quick verification shows that behavior above on 5.3.2 (the version for which we observed the issue) is still present in 6.0.2. I'll investigate for it's root cause and work on fixing it while awaiting a response regarding the regression-testability of its root-cause to prevent re-introduction of the issue in the future. |
Root cause appears to be the second PR (#1773) for #1751 which doesn't take into account the possibility that dependencies that are reactor projects have already been resolved and should (as a snapshot-reactor-dependency be transformed into a virtual reactor dependency for aggregate builds.
|
Turns out to be not that change, as both a 'working' (fresh build) and a 'not working' (localrepo contains repository-resolved build) scenario contain the Skipping artifact war, already resolved in debug-log |
The issue appears to be caused by the checking for reactor projects as seen from the lines following the 'already resolved': |
Most likely this scenario never worked and just took a while to surface. As it took our developers a while to get around to maintenance on the project after the build failed the local snapshot got evicted from the local repository of our build-server. Dependency-check is configured to be build-breaking, so new periodically scheduled builds did not (re)create the snapshot locally (nor in the repository manager) and to avoid depending on stale snapshots the local repository get periodically purged from snapshots by file-date so that builds fail when a project still depends on an already released snapshot) |
@aikebah thanks for the PR! |
Describe the bug
Looks like #1600 has resurfaced. Will look into it further myself and propose a patch if needed
Version of dependency-check used
The problem occurs using version 5.3.2 of the maven plugin
Log file
Properietary project, so cannot share the log. Will look into getting a minimal project to sample it and then attach logs.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Dependency-check only depending on the reactor-internal virtual dependencies (as this is an aggregate scan for a SNAPSHOT project) and ignoring the (still vulnerable) war-file currently stored in the artifact repository for the same snapshot-version.
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: