Dependency-check not scanning all the jars in the given directory #6985
Hello, we have a requirement to scan the jar files which are kept under one directory (dependency-check version 10.0.4).
Command used - ./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxxx --scan /root/dependency-check/jars_3.1.3
This command shows the report/vulnerabilities for only 4 jars, while I have around 26 jars in the directory jars_3.1.3.
If I run the command separately for each jar, it does report the vulnerabilities for all 26 jars:
./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxxx --scan /root/dependency-check/jars_3.1.3/abs.jar
./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxxx --scan /root/dependency-check/jars_3.1.3/def.jar
Please let me know if there is anything missing.

Comments

Tried the below option as well (all the jars are present under the ./jars_3.1.3/ directory):
./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxx --scan ./jars_3.1.3/*.jar

By default ODC will combine related JAR files. See if there are related dependencies listed.

All 26 jars are independent. (This is not Jenkins integrated; we are running on the command line.)

Did you see the related JARs section(s) in the report?

@jeremylong I don't see any column with the name "related" in the report.
"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Source","CVSSv2_Severity","CVSSv2_Score","CVSSv2","CVSSv3_BaseSeverity","CVSSv3_BaseScore","CVSSv3","CPE Confidence","Evidence Count","VendorProject","Product","Name","DateAdded","ShortDescription","RequiredAction","DueDate","Notes"
I searched for the missing jar names in the report; they are not found.

The CSV report is garbage for actual analysis of the CVEs and how things are reported. Look at the HTML report.

The HTML report shows the related jars. The CSV format is not recommended, is it?
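The comparison the reporter did by hand (searching the CSV for each jar name), as an added example that is neither from this thread nor from dependency-check itself: it lists the JARs in a scan directory that have no row in the CSV report. The column names come from the CSV header quoted in the thread; the sample rows, jar names and CVE ids are constructed placeholders. A JAR on the resulting list is not necessarily unscanned: per the maintainer's reply it may have been folded into another dependency as a related JAR, which only the HTML report shows.

```python
"""Cross-check an OWASP dependency-check CSV report against the JARs in a
directory and list the JARs that have no row in the CSV.

Added example, not part of the issue thread or of dependency-check.
Assumes the CSV header quoted in the thread ("DependencyName", "DependencyPath", ...).
"""
import csv
import io
import os
from typing import Iterable


def jars_in_report(csv_text: str) -> set[str]:
    """Return the JAR file names (basename of DependencyPath) that appear in the CSV.

    ODC writes one row per (dependency, finding), so a jar may appear many times.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    names: set[str] = set()
    for row in reader:
        path = row.get("DependencyPath") or row.get("DependencyName") or ""
        if path:
            names.add(os.path.basename(path))
    return names


def unreported_jars(jar_files: Iterable[str], csv_text: str) -> list[str]:
    """JARs from the scan directory with no row in the CSV report, sorted.

    Such jars were either skipped or folded into another dependency as
    "related" JARs (visible in the HTML report, not in the CSV).
    """
    reported = jars_in_report(csv_text)
    return sorted(j for j in jar_files if j.endswith(".jar") and j not in reported)


def unreported_jars_in_dir(directory: str, csv_path: str) -> list[str]:
    """Same check driven by a real directory and a real CSV report file."""
    with open(csv_path, encoding="utf-8") as fh:
        return unreported_jars(os.listdir(directory), fh.read())


# Constructed sample: a column subset of the ODC header, two findings for abs.jar,
# one for def.jar, nothing for the other jars (CVE ids are placeholders).
SAMPLE_CSV = """\
"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE"
"scan","2024-09-24","abs.jar","/root/dependency-check/jars_3.1.3/abs.jar","","","","","","","CVE-PLACEHOLDER-1"
"scan","2024-09-24","abs.jar","/root/dependency-check/jars_3.1.3/abs.jar","","","","","","","CVE-PLACEHOLDER-2"
"scan","2024-09-24","def.jar","/root/dependency-check/jars_3.1.3/def.jar","","","","","","","CVE-PLACEHOLDER-3"
"""
SAMPLE_JARS = ["abs.jar", "def.jar", "ghi.jar", "jkl.jar", "README.txt"]  # constructed listing

if __name__ == "__main__":
    print("not in CSV report:", unreported_jars(SAMPLE_JARS, SAMPLE_CSV))
```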