
Dependency-check not scanning all the jars in the given directory #6985

Open
champaanand opened this issue Sep 24, 2024 · 7 comments
Comments

@champaanand

champaanand commented Sep 24, 2024

Hello, we have a requirement to scan the jar files that are kept under one directory (dependency-check version 10.0.4).
Command used: ./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxxx --scan /root/dependency-check/jars_3.1.3

This command shows the report/vulnerabilities for only 4 jars, while I have around 26 jars in the directory jars_3.1.3.

If I run the command separately for each jar, it does report the vulnerabilities for all 26 jars:
(./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxxx --scan /root/dependency-check/jars_3.1.3/abs.jar
./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxxx --scan /root/dependency-check/jars_3.1.3/def.jar)
Please let me know if there is anything missing.

@champaanand
Author

Tried the below option as well (all the jars are present under the ./jars_3.1.3/ directory):
./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxx --scan ./jars_3.1.3/*.jar

@jeremylong
Owner

jeremylong commented Sep 24, 2024 via email

@champaanand
Author

champaanand commented Sep 25, 2024

All 26 jars are independent. (This is not Jenkins integrated; we are running on the command line.)
Do we need to set any parameter?

@jeremylong
Owner

Did you see the related JARs section(s) in the report?

@champaanand
Author

champaanand commented Sep 25, 2024

@jeremylong I don't see any column with the name related in the report.

"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Source","CVSSv2_Severity","CVSSv2_Score","CVSSv2","CVSSv3_BaseSeverity","CVSSv3_BaseScore","CVSSv3","CPE Confidence","Evidence Count","VendorProject","Product","Name","DateAdded","ShortDescription","RequiredAction","DueDate","Notes"

I searched for the missing jar names in the report; they are not found.

@jeremylong
Owner

The CSV report is garbage for actual analysis of the CVEs and how things are reported. Look at the HTML report.

@champaanand
Author

The HTML report shows the related jars. The CSV format is not recommended, is it?
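A practical way to confirm that every jar in the scan directory was actually covered, given that the CSV has no related-dependencies column while the HTML (and JSON) reports do, is to check the JSON report for each jar path as either a primary or a related dependency. This is an added example, not code from the thread or from dependency-check itself; it assumes the JSON report exposes `dependencies[].filePath` and `dependencies[].relatedDependencies[].filePath`, and the sample report and jar list below are constructed.

```python
import json
import os
from typing import Dict, List

# Constructed sample JSON report. Field names are an assumption about
# dependency-check's JSON output (dependencies[].filePath and
# relatedDependencies[].filePath); adjust if your report differs.
SAMPLE_REPORT = json.loads("""
{
  "dependencies": [
    {
      "fileName": "abs.jar",
      "filePath": "/root/dependency-check/jars_3.1.3/abs.jar",
      "relatedDependencies": [
        {"filePath": "/root/dependency-check/jars_3.1.3/abs-copy.jar"}
      ]
    },
    {
      "fileName": "def.jar",
      "filePath": "/root/dependency-check/jars_3.1.3/def.jar",
      "relatedDependencies": []
    }
  ]
}
""")

# Constructed directory listing: ghi.jar is deliberately absent from the report.
SAMPLE_JARS = [
    "/root/dependency-check/jars_3.1.3/abs.jar",
    "/root/dependency-check/jars_3.1.3/abs-copy.jar",
    "/root/dependency-check/jars_3.1.3/def.jar",
    "/root/dependency-check/jars_3.1.3/ghi.jar",
]


def coverage_map(report: dict) -> Dict[str, str]:
    """Map every reported file path (primary or related) to the primary
    dependency path it is listed under, so a 'missing' CSV row can be
    traced back to the entry that actually carries its findings."""
    covered: Dict[str, str] = {}
    for dep in report.get("dependencies", []):
        primary = dep["filePath"]
        covered[primary] = primary
        for rel in dep.get("relatedDependencies", []):
            covered[rel["filePath"]] = primary
    return covered


def uncovered_jars(jar_paths: List[str], report: dict) -> List[str]:
    """Jars that appear nowhere in the report, neither as a primary nor
    as a related dependency. A non-empty result means a real scan gap."""
    covered = coverage_map(report)
    return sorted(p for p in jar_paths if p not in covered)


def list_jars(directory: str) -> List[str]:
    """Collect *.jar paths from the scanned directory (non-recursive)."""
    return sorted(os.path.join(directory, f)
                  for f in os.listdir(directory) if f.endswith(".jar"))
```

Run it against a real scan by loading the JSON report produced with `--format JSON` and passing `list_jars("/root/dependency-check/jars_3.1.3")`; an empty result means every jar was scanned, even if the CSV shows fewer rows.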
