
Comments (7)

stevespringett avatar stevespringett commented on May 23, 2024

Can you clarify?

Are you referring to the use of Dependency-Check as part of the Dependency-Track build (via the dependency-check Maven profile)? Or are you referring to the embedded use of Dependency-Check core by Dependency-Track?

Maybe explain a bit what you envision and the benefit.

from dependency-track.

Pamir avatar Pamir commented on May 23, 2024

Hi Steve,

I debugged dependency-track dev03 and stable branches. While executing the background thread for Java dependencies, the NexusAnalyzer of dependency-check is not working as expected. Dependency-Track does not know the SHA1s and appends a NULL string to the dependency name and artifactIds. It passes these parameters to dependency-check. NexusAnalyzer does not find the searched artifact in the Nexus repo, so dependency-check does not gather the CVEs. This way, dependency-track does not show CVEs on the dashboard.

Kind Regards
Pamir


rajeshramesh avatar rajeshramesh commented on May 23, 2024

Hello Steve,
I am trying the stable build on my system and whenever I add a new component, the CPE analyzer fails to recognize it and says an unexpected error occurred during analysis of 'NUL'.

Here is the stack trace:
28-Aug-2017 15:45:39.528 INFO [SimpleAsyncTaskExecutor-6] org.owasp.dependencycheck.analyzer.CentralAnalyzer.checkEnabled Central analyzer disabled
28-Aug-2017 15:45:39.531 INFO [SimpleAsyncTaskExecutor-6] org.owasp.dependencycheck.Engine.doUpdates Checking for updates
28-Aug-2017 15:45:41.469 INFO [SimpleAsyncTaskExecutor-6] org.owasp.dependencycheck.Engine.doUpdates Check for updates complete
28-Aug-2017 15:45:41.983 INFO [SimpleAsyncTaskExecutor-6] org.owasp.dependencycheck.Engine.analyzeDependencies Analysis Starting
28-Aug-2017 15:45:43.113 SEVERE [SimpleAsyncTaskExecutor-6] org.owasp.dependencycheck.Engine.initializeAnalyzer Exception occurred initializing CPE Analyzer.
28-Aug-2017 15:45:43.131 WARNING [SimpleAsyncTaskExecutor-6] org.owasp.dependencycheck.Engine.analyzeDependencies An unexpected error occurred during analysis of 'NUL'
28-Aug-2017 15:45:43.670 INFO [SimpleAsyncTaskExecutor-6] org.owasp.dependencycheck.Engine.analyzeDependencies Analysis Complete


stevespringett avatar stevespringett commented on May 23, 2024

This part of the code is likely still incomplete, as I've been focusing on architecture, REST APIs, and bulk importing. I plan on working on the scanning engine integration in the next week or two, so these issues should be resolved shortly.


stevespringett avatar stevespringett commented on May 23, 2024

FYI, I'm currently working off an unpublished version of Dependency-Check 3.0.0 so I cannot push changes just yet, but the integration is nearly complete.

@Pamir There's no need to set a Maven path since the hashes are already being captured and stored in the database, and (with DT 3.0) the Nexus analyzer can be configured by optionally loading the dependency-check.properties file. By default, the Maven Central analyzer will be enabled and Nexus disabled, but Nexus can be enabled and configured to point to a local Nexus Pro instance.

This commit jeremylong/DependencyCheck@c472608 made this possible.


stevespringett avatar stevespringett commented on May 23, 2024

@Pamir An optional dependency-check.properties file can be included in the ~/.dependency-track/dependency-check directory. If this file exists, the properties included in it will be merged into the properties Dependency-Track uses when executing Dependency-Check. For this specific ticket, I'd recommend the file containing only the following:

analyzer.nexus.enabled=true
analyzer.nexus.url=https://nexus.example.com/service/local/
analyzer.nexus.proxy=false

Do not copy the entire dependencycheck.properties file from dependency-check. Doing so will result in ODT/ODC not working correctly.

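The merge behaviour described in the comment above, as an added example that is neither Dependency-Track nor Dependency-Check code: a small Java-style .properties reader, an override merge into constructed base settings (Central enabled, Nexus disabled, as stated earlier in the thread), and a check that flags an override file carrying keys outside analyzer.nexus.*, which is the symptom of copying the whole dependencycheck.properties file. The property names come from the thread; the base values and sample files are constructed here.

```python
# Added example, not project code. Models the override merge described above.

def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' as
    separator, trailing-backslash line continuation. Unicode escapes are
    not handled (not needed for the three keys recommended above)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # continuation onto the next line
            pending = line[:-1]
            continue
        # first '=' or ':' ends the key; a URL value's ':' comes after the '='
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        key, value = (line[:sep], line[sep + 1:]) if sep >= 0 else (line, "")
        props[key.strip()] = value.strip()
    return props


# Constructed stand-in for the defaults Dependency-Track applies (assumption).
BASE_PROPERTIES = {
    "analyzer.central.enabled": "true",
    "analyzer.nexus.enabled": "false",
}


def merge_overrides(base: dict, override_text: str) -> dict:
    """Override file wins per key; keys absent from it keep the base value."""
    merged = dict(base)
    merged.update(parse_properties(override_text))
    return merged


def keys_outside_nexus(override_text: str, prefix: str = "analyzer.nexus.") -> list:
    """Keys a minimal Nexus override should not contain. A long list here means
    the file is a copy of dependencycheck.properties rather than an override."""
    return sorted(k for k in parse_properties(override_text) if not k.startswith(prefix))


# Constructed sample matching the file recommended in the comment above.
MINIMAL_OVERRIDE = """# Nexus-only override
analyzer.nexus.enabled=true
analyzer.nexus.url=https://nexus.example.com/service/local/
analyzer.nexus.proxy=false
"""
```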

lock avatar lock commented on May 23, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

