Describe the bug
When running an aggregate scan on a multimodule project where multiple submodules depend on the same in-reactor module, multiple virtual dependencies are registered in the report.
Strangely enough, the number of virtual dependencies is one less than the number of dependencies for which a virtual dependency gets created.
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o org.owasp.test.aggregate.issue-3944:lib:jar:1.0.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o org.owasp.test.aggregate.issue-3944:lib:jar:1.0.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o org.owasp.test.aggregate.issue-3944:lib:jar:1.0.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o org.owasp.test.aggregate.issue-3944:lib:jar:1.0.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
[INFO]
[INFO] --- dependency-check-maven:6.5.2:aggregate (default) @ parent ---
[INFO] Unable to resolve org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT as it has not been built yet - creating a virtual dependency instead.
[INFO] Unable to resolve org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT as it has not been built yet - creating a virtual dependency instead.
[INFO] Unable to resolve org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT as it has not been built yet - creating a virtual dependency instead.
[INFO] Unable to resolve org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT as it has not been built yet - creating a virtual dependency instead.
Resulted in a report with 3 (non-vulnerable) dependencies
Version of dependency-check used
The problem occurs using versions 6.5.1 and 6.5.2 of the maven plugin (and likely older as well).
To Reproduce
Will be provided in a new it-test
Expected behavior
A single (or no; not quite sure what the expected behavior for the in-reactor dependencies is) virtual dependency listed in the aggregate report.
The 'one less than the number of dependencies' is due to the fact that the BundlingAnalyzer in the end bundles the first two virtual dependencies into one. The remaining duplicates get merged too, but stay in place, as the BundlingAnalyzer uses a HashSet to track the merged/bundled dependencies to remove, and all virtual dependencies have the same hashcode, so only a single duplicate is scheduled for removal, leaving n-1 duplicate virtual dependencies in place when n virtual dependencies have been created, for cases of n>1.
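The HashSet effect described in the comment above, as an added illustration that is not dependency-check's own BundlingAnalyzer code: a simplified Dependency model in which virtual dependencies for the same coordinates are equal, a bundling step that collects duplicates to remove in a HashSet (so n equal objects collapse to one entry and n-1 survive), and an identity-set variant that removes every duplicate object. The identity-set variant is an illustrative mitigation only; the project's actual fix, per the linked commits, avoids adding identical dependencies to the related dependencies and records the originating project on each virtual dependency.

```java
import java.util.*;

/* Simplified model of the bundling step; illustrative code, not
 * dependency-check's BundlingAnalyzer. */
public class VirtualDependencyBundling {

    /* Hypothetical stand-in for a scanned dependency. A virtual dependency
     * has no file on disk, so equality rests on its coordinates alone. */
    static final class Dependency {
        final String coordinates;
        final boolean virtual;
        Dependency(String coordinates, boolean virtual) {
            this.coordinates = coordinates;
            this.virtual = virtual;
        }
        @Override public boolean equals(Object o) {
            if (!(o instanceof Dependency)) return false;
            Dependency d = (Dependency) o;
            return d.virtual == virtual && d.coordinates.equals(coordinates);
        }
        @Override public int hashCode() { return Objects.hash(coordinates, virtual); }
    }

    /* Buggy variant: equal virtual dependencies share hashCode/equals, so the
     * HashSet keeps a single entry and List.remove drops only one match. */
    static List<Dependency> bundleWithHashSet(List<Dependency> deps) {
        Set<Dependency> toRemove = new HashSet<>();
        for (int i = 0; i < deps.size(); i++)
            for (int j = i + 1; j < deps.size(); j++)
                if (deps.get(i).equals(deps.get(j))) toRemove.add(deps.get(j));
        List<Dependency> out = new ArrayList<>(deps);
        for (Dependency d : toRemove) out.remove(d); // removes the first equal element only
        return out;
    }

    /* Mitigated variant: identity-based set, so each duplicate object is tracked
     * and filtered individually, leaving exactly one representative. */
    static List<Dependency> bundleWithIdentitySet(List<Dependency> deps) {
        Set<Dependency> toRemove = Collections.newSetFromMap(new IdentityHashMap<>());
        for (int i = 0; i < deps.size(); i++)
            for (int j = i + 1; j < deps.size(); j++)
                if (deps.get(i).equals(deps.get(j))) toRemove.add(deps.get(j));
        List<Dependency> out = new ArrayList<>();
        for (Dependency d : deps) if (!toRemove.contains(d)) out.add(d);
        return out;
    }

    public static void main(String[] args) {
        // Constructed input: four submodules each yielding a virtual dependency on the same lib.
        List<Dependency> deps = new ArrayList<>();
        for (int i = 0; i < 4; i++)
            deps.add(new Dependency("org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT", true));
        System.out.println("HashSet bundling leaves:  " + bundleWithHashSet(deps).size());
        System.out.println("Identity bundling leaves: " + bundleWithIdentitySet(deps).size());
    }
}
```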
Fixes #3944
While merging dependencies, do not add a dependency identical to this one to the related dependencies
Make the virtual dependencies stemming from the maven plugin register the project in whose context they were found