sarif contains duplicate artifacts #3243
I can see various items of

```json
{
  "description": {
    "text": "BGT GML light module voor de BRMO loader"
  },
  "location": {
    "uri": "file:////home/mark/dev/projects/brmo/bgt-gml-loader/pom.xml"
  },
  "properties": {
    "license": "GNU GENERAL PUBLIC LICENSE 3.0 https://raw.githubusercontent.com/B3Partners/brmo/master/LICENSE",
    "id1": "pkg:maven/nl.b3p/bgt-gml-loader@2.0.4-SNAPSHOT"
  }
}
```

as well as

and some of the other project's modules are also repeated in the sarif file
Hopefully d2b5cf9 resolves the issue.
Thanks! I can see a successful upload when using 6.1.6-SNAPSHOT in https://github.com/B3Partners/brmo/actions/runs/708607190
@jeremylong @mprins I am still getting

My action file: https://github.com/xmlking/micro-apps/blob/develop/.github/workflows/owasp-dep-check.yml
see #3993 - we have a few more things to resolve before releasing 7.0.0, but it shouldn't be too much longer.
Describe the bug
The sarif file produced on an aggregate maven project holds duplicate entries in the artifacts, which - at least GitHub says so - is invalid (the projects in the multimodule build have shared dependencies).
This prevents uploading into the GitHub "security" tab.
I'm not sure what is used for identifying artifacts in the sarif file; I would guess either `uri` or `id1` - so not sure what qualifies as a "duplicate". I'm still looking at the log for the actual duplicate...
Version of dependency-check used
The problem occurs using version 6.1.4 of the maven plugin
Log file
I have a GitHub Actions workflow that shows this at: https://github.com/B3Partners/brmo/pull/1039/checks?check_run_id=2229073601#step:6:14. The relevant part is shown below; full log at: https://gist.github.com/mprins/b9d39bbd9156d9da3954da9de557c213
To Reproduce
Steps to reproduce the behavior: run the workflow in https://github.com/B3Partners/brmo/blob/2198870b00ea3a88b5a2997ee1376bcd4eb1e243/.github/workflows/owasp-dependency-check.yml
Expected behavior
Duplicate entries should be filtered out so upload into github "security" tab succeeds
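The workaround the issue asks for (filter duplicate artifacts so the upload succeeds) can be done as a post-processing step in the workflow, before the upload. The script below is an added example and is not part of dependency-check or of the reporter's workflow. It assumes that artifacts are identified by `location.uri` (the reporter's own guess; `properties.id1` is not used here) and that results reference artifacts through `artifactLocation.index`, which is the SARIF 2.1.0 convention. The embedded sample SARIF document is constructed for illustration: it lists one `pom.xml` twice, exactly the shape the issue describes.

```python
"""Detect and remove duplicate artifacts from a SARIF 2.1.0 log.

Added example for post-processing a scanner's SARIF output in CI; not code
from dependency-check. Artifact identity is taken to be location.uri
(an assumption), and any artifactLocation.index that pointed at a removed
duplicate is remapped to the surviving entry so results stay consistent.
"""
import copy
import json
import sys

# Constructed sample: the same pom.xml appears twice under run.artifacts, as
# happens when modules of an aggregate Maven build share a dependency.
# All names, URIs and purls below are made up.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "artifacts": [
            {"location": {"uri": "file:///home/user/project/module-a/pom.xml"},
             "properties": {"id1": "pkg:maven/example/module-a@1.0"}},
            {"location": {"uri": "file:///home/user/project/module-b/pom.xml"},
             "properties": {"id1": "pkg:maven/example/module-b@1.0"}},
            {"location": {"uri": "file:///home/user/project/module-a/pom.xml"},
             "properties": {"id1": "pkg:maven/example/module-a@1.0"}},
        ],
        "results": [{
            "ruleId": "EXAMPLE-0001",
            "message": {"text": "constructed finding"},
            # index 2 points at the duplicate entry; it must become 0 after dedup
            "locations": [{"physicalLocation": {"artifactLocation": {
                "uri": "file:///home/user/project/module-a/pom.xml", "index": 2}}}],
        }],
    }],
}


def artifact_key(artifact):
    """Identity used for duplicate detection: the artifact's location URI."""
    return artifact.get("location", {}).get("uri", "")


def find_duplicate_artifacts(run):
    """Map each URI that occurs more than once to the list of its artifact indices."""
    seen = {}
    for i, art in enumerate(run.get("artifacts", [])):
        seen.setdefault(artifact_key(art), []).append(i)
    return {uri: idxs for uri, idxs in seen.items() if len(idxs) > 1}


def _remap_indices(node, index_map):
    """Walk the tree and rewrite every artifactLocation.index through index_map."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "artifactLocation" and isinstance(value, dict) \
                    and isinstance(value.get("index"), int):
                value["index"] = index_map.get(value["index"], value["index"])
            _remap_indices(value, index_map)
    elif isinstance(node, list):
        for item in node:
            _remap_indices(item, index_map)


def dedupe_run_artifacts(run):
    """Return a copy of the run with duplicate artifacts dropped and indices remapped."""
    run = copy.deepcopy(run)
    unique, first_index, index_map = [], {}, {}
    for old_index, art in enumerate(run.get("artifacts", [])):
        key = artifact_key(art)
        if key not in first_index:
            first_index[key] = len(unique)
            unique.append(art)
        index_map[old_index] = first_index[key]  # old position -> surviving position
    run["artifacts"] = unique
    _remap_indices(run.get("results", []), index_map)
    return run


def dedupe_sarif(sarif):
    """Apply dedupe_run_artifacts to every run in the log; the input is not modified."""
    return {**sarif, "runs": [dedupe_run_artifacts(r) for r in sarif.get("runs", [])]}


if __name__ == "__main__":
    # Usage: python dedupe_sarif.py [report.sarif] > cleaned.sarif
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    for n, run in enumerate(doc.get("runs", [])):
        for uri, idxs in find_duplicate_artifacts(run).items():
            print(f"run {n}: {uri} appears at artifact indices {idxs}", file=sys.stderr)
    json.dump(dedupe_sarif(doc), sys.stdout, indent=2)
```

In a workflow this would run between the scan step and the upload step, writing the cleaned file that the SARIF upload action is then pointed at. Dropping artifacts without remapping `index` values would silently attach findings to the wrong file, which is why the walker rewrites every reference rather than only the artifact list.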