Comments (7)
Can you clarify?
Are you referring to the use of Dependency-Check as part of the Dependency-Track build (via the dependency-check Maven profile)? Or are you referring to the embedded use of Dependency-Check core by Dependency-Track?
Maybe explain a bit what you envision and the benefit.
from dependency-track.
Hi Steve,
I debugged the Dependency-Track dev03 and stable branches. While executing the background thread for Java dependencies, the NexusAnalyzer of dependency-check is not working as expected. Dependency-Track does not know the SHA1s and appends the string "NULL" to the dependency name and artifactIds. It passes these parameters to dependency-check. The NexusAnalyzer does not find the searched artifact in the Nexus repo, so dependency-check does not gather the CVEs. As a result, Dependency-Track does not show CVEs on the dashboard.
Kind Regards
Pamir
Hello Steve,
I am trying the stable build on my system, and whenever I add a new component, the CPE analyzer fails to recognize it and says "an unexpected error occurred during analysis of 'NUL'".
Here is the stack trace:
28-Aug-2017 15:45:39.528 INFO [SimpleAsyncTaskExecutor-6] org.owasp.dependencycheck.analyzer.CentralAnalyzer.checkEnabled Central analyzer disabled
28-Aug-2017 15:45:39.531 INFO [SimpleAsyncTaskExecutor-6] org.owasp.dependencycheck.Engine.doUpdates Checking for updates
28-Aug-2017 15:45:41.469 INFO [SimpleAsyncTaskExecutor-6] org.owasp.dependencycheck.Engine.doUpdates Check for updates complete
28-Aug-2017 15:45:41.983 INFO [SimpleAsyncTaskExecutor-6] org.owasp.dependencycheck.Engine.analyzeDependencies Analysis Starting
28-Aug-2017 15:45:43.113 SEVERE [SimpleAsyncTaskExecutor-6] org.owasp.dependencycheck.Engine.initializeAnalyzer Exception occurred initializing CPE Analyzer.
28-Aug-2017 15:45:43.131 WARNING [SimpleAsyncTaskExecutor-6] org.owasp.dependencycheck.Engine.analyzeDependencies An unexpected error occurred during analysis of 'NUL'
28-Aug-2017 15:45:43.670 INFO [SimpleAsyncTaskExecutor-6] org.owasp.dependencycheck.Engine.analyzeDependencies Analysis Complete
This part of the code is likely still incomplete, as I've been focusing on architecture, REST APIs, and bulk importing. I plan on working on the scanning engine integration in the next week or two, so these issues should be resolved shortly.
FYI, I'm currently working off an unpublished version of Dependency-Check 3.0.0 so I cannot push changes just yet, but the integration is nearly complete.
@Pamir There's no need to set a Maven path since the hashes are already being captured and stored in the database, and (with DT 3.0) the Nexus analyzer can be configured by optionally loading the dependency-check.properties file. By default, the Maven Central analyzer will be enabled and Nexus disabled, but Nexus can be enabled and configured to point to a local Nexus Pro instance.
This commit jeremylong/DependencyCheck@c472608 made this possible.
@Pamir An optional dependency-check.properties file can be included in the ~/.dependency-track/dependency-check directory. If this file exists, the properties included in it will be merged into the properties Dependency-Track uses when executing Dependency-Check. For this specific ticket, I'd recommend the file containing only the following:
analyzer.nexus.enabled=true
analyzer.nexus.url=https://nexus.example.com/service/local/
analyzer.nexus.proxy=false
Do not copy the entire dependencycheck.properties file from dependency-check. Doing so will result in ODT/ODC not working correctly.
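An added example (not Dependency-Track's or Dependency-Check's own code) of the override mechanism described in the comment above: it parses a Java-style properties file, merges it into a constructed set of defaults, and refuses an override that merely restates defaults, which is the signature of the full-file copy the comment warns against. The default keys and values are assumptions for illustration, not the project's real defaults.

```python
import re

# Constructed baseline standing in for the properties Dependency-Track applies
# by default (assumed keys; the thread says Central is on and Nexus off).
DEFAULT_PROPERTIES = {
    "analyzer.central.enabled": "true",
    "analyzer.nexus.enabled": "false",
    "analyzer.nexus.proxy": "true",
}

# Constructed override file: exactly the three lines recommended in the thread.
OVERRIDE_TEXT = """\
# ~/.dependency-track/dependency-check/dependency-check.properties
analyzer.nexus.enabled=true
analyzer.nexus.url=https://nexus.example.com/service/local/
analyzer.nexus.proxy=false
"""


def parse_properties(text):
    """Parse Java-style .properties: '#'/'!' comments, '=' or ':' separators,
    trailing-backslash line continuations. Later keys overwrite earlier ones."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]          # value continues on the next line
            continue
        entry, pending = pending + line, ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", entry)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def classify_override(defaults, override):
    """Split override keys into changed, added and redundant (same value as the
    default). Redundant keys are the tell-tale of a wholesale copied file."""
    changed = {k: v for k, v in override.items() if k in defaults and defaults[k] != v}
    added = {k: v for k, v in override.items() if k not in defaults}
    redundant = {k for k, v in override.items() if defaults.get(k) == v}
    return changed, added, redundant


def merge_properties(defaults, override):
    """Return defaults with override applied; reject an override that restates
    defaults (heuristic assumed here, not the project's actual check)."""
    changed, added, redundant = classify_override(defaults, override)
    if redundant:
        raise ValueError("override restates defaults, looks like a full copy: %s" % sorted(redundant))
    merged = dict(defaults)
    merged.update(changed)
    merged.update(added)
    return merged
```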
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.