Several breaking changes were made from 2.x to the 3.0.0 release. The primary change is that the settings is no longer a singleton and a few constructor and methods were changed. The PR to upgrade the gradle plugin from 2.x to 3.0.0 may provide a good roadmap.

The good news is that dependency-check-core is now threadsafe and you can have multiple instances running in parallel.

I'm looking to overwrite the default dependency-check configuration in dependencycheck.properties in the underlying owasp dependency check jar so that it only executes the analyzers I want. There are certain dependencies in my project which are scanned by other CVE scanners and I don't want them scanned again. However placing a dependencycheck.properties file on the classpath doesn't disable the analyzers. Instead, should I modify src/lein_dependency_check/core.clj scan-files function to disable the dependency checks by reading from a file?

Any advice would be appreciated.

If not, could it be an option? I would like to fail my build if vulnerabilities are found.

Hi again,

I'm interested in using this as a library, as opposed to a Lein plugin.

Luckily, the code appears ready to use. But it fails in the following way:

You can see my attempt in the upper half, and its evaluation in the lower one.

Does it sound familiar?

Thanks - Victor

I'm using [com.livingsocial/lein-dependency-check "1.1.3"] which uses [org.owasp/dependency-check-core "5.2.1"].

When :throw is set to true when vulnerabilities are found, the plugin fails with:

Caused by: java.lang.IllegalArgumentException: No matching field found: getCvssScore for class org.owasp.dependencycheck.dependency.Vulnerability
	at clojure.lang.Reflector.getInstanceField(Reflector.java:271)
	at clojure.lang.Reflector.invokeNoArgInstanceMember(Reflector.java:315)
	at lein_dependency_check.core$handle_vulnerabilities$fn__53.invoke(core.clj:73)

as 5.2.1 version of owasp dependency check now has two distinct CVSS scores: v2 and v3 instead of a single CVSS property.

I have a pretty basic setup, just switched to 1.4 so that I can get past the xml->json migration, but now I'm getting an error about .net and I can't figure out how to suppress it:

2020-07-15 12:03:21,023 [main] ERROR org.owasp.dependencycheck.analyzer.AssemblyAnalyzer - ----------------------------------------------------
2020-07-15 12:03:21,025 [main] ERROR org.owasp.dependencycheck.analyzer.AssemblyAnalyzer - .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly Analyzer or configure the path dotnet core.
2020-07-15 12:03:21,025 [main] ERROR org.owasp.dependencycheck.analyzer.AssemblyAnalyzer - ----------------------------------------------------

Whoops, my apologies - bug in my last PR!

https://travis-ci.org/brabster/crucible/builds/280344591

"Generating report..."
"Done."
Exception in thread "main" clojure.lang.ExceptionInfo: Vulnerable Dependencies! {:vulnerable ()}, compiling:(/tmp/form-init4712519819586855050.clj:1:73)

Fix on the way...

I'd like to be able to see any vulnerabilities found directly in the build log.

Hello,
I'm using Gitlab CI and i want to add a dependecy-check stage in my pipeline but i got this error all the time, can any one help me with this error ?

This the error:

[INFO] Analysis Started [INFO] Finished Archive Analyzer (3 seconds) [INFO] Finished File Name Analyzer (0 seconds) [INFO] Finished Jar Analyzer (0 seconds) [INFO] Finished Central Analyzer (1 seconds) [INFO] Finished Dependency Merging Analyzer (0 seconds) [INFO] Finished Version Filter Analyzer (0 seconds) [INFO] Finished Hint Analyzer (0 seconds) [INFO] Created CPE Index (7 seconds) [WARN] Unable to parse suppression xml file 'dependency_check_suppressions.xml' [WARN] org.owasp.dependencycheck.xml.suppression.SuppressionParseException: org.xml.sax.SAXException: Line=6, Column=99: cvc-elt.1.a: Cannot find the declaration of element 'xs:schema'. [ERROR] Exception occurred initializing CPE Analyzer. [INFO] Finished CPE Analyzer (8 seconds) [INFO] Finished False Positive Analyzer (0 seconds) [INFO] Finished NVD CVE Analyzer (0 seconds) [INFO] Finished RetireJS Analyzer (2 seconds) [INFO] Finished Sonatype OSS Index Analyzer (0 seconds) [WARN] Unable to parse suppression xml file 'dependency_check_suppressions.xml' [WARN] org.owasp.dependencycheck.xml.suppression.SuppressionParseException: org.xml.sax.SAXException: Line=6, Column=99: cvc-elt.1.a: Cannot find the declaration of element 'xs:schema'. [ERROR] Exception occurred initializing Vulnerability Suppression Analyzer. [INFO] Finished Vulnerability Suppression Analyzer (0 seconds) [INFO] Finished Dependency Bundling Analyzer (0 seconds) [INFO] Analysis Complete (15 seconds) [ERROR] Warn initializing the suppression analyzer: Failed to load dependency_check_suppressions.xml, caused by org.owasp.dependencycheck.xml.suppression.SuppressionParseException: org.xml.sax.SAXException: Line=6, Column=99: cvc-elt.1.a: Cannot find the declaration of element 'xs:schema'.. [ERROR] Warn initializing the suppression analyzer: Failed to load dependency_check_suppressions.xml, caused by org.owasp.dependencycheck.xml.suppression.SuppressionParseException: org.xml.sax.SAXException: Line=6, Column=99: cvc-elt.1.a: Cannot find the declaration of element 'xs:schema'.. Uploading artifacts... dependency-check-out/dependency-check-report.*: found 4 matching files Uploading artifacts to coordinator... ok id=2009442 responseStatus=201 Created token=TunH7rgy ERROR: Job failed: exit code 242

And this is my script:

`dependency-check:
stage: pre-analysis
allow_failure: true
image:
name: owasp/dependency-check
entrypoint: [""]
before_script:
- mkdir /usr/share/dependency-check/datas || true
- mkdir -p dependency-check/datas
- mkdir -p dependency-check-out
- PROXY_HOST=$(echo ${http_proxy} | sed -e "s/[^/]//([^@]@)?([^:/])./\2/")
- PROXY_PORT=$(echo ${http_proxy} | sed -e 's,^.:,:,g' -e 's,.:([0-9]).,\1,g' -e 's,[^0-9],,g')
script:
- /usr/share/dependency-check/bin/dependency-check.sh
--scan .
--format 'ALL'
--project "$CI_PROJECT_NAME"
--failOnCVSS 7
--disableNodeJS
--disableNodeAudit
--suppression=dependency_check_suppressions.xml
--data=dependency-check/datas
--out=dependency-check-out
--proxyserver=${PROXY_HOST}
--proxyport=${PROXY_PORT}
artifacts:
name: "${CI_JOB_ID}_${CI_JOB_NAME}"
when: always
expire_in: 1 week
paths:
- dependency-check-out/dependency-check-report.*
cache:
key: dependency-check-data
paths:
- dependency-check/datas

only:
refs:
- master
except:
variables:
- $DISABLE_DEP_CHECK`

i'm using the dependency_check_suppressions.xml
Link: https://github.com/jeremylong/DependencyCheck/blob/master/core/src/main/resources/schema/dependency-suppression.1.1.xsd

Many thanks !

Hi,

Thanks for maintaining this plugin.

Our organization has a policy to address any high or critical issues according to the CVSS scale. This means that sometimes we choose not to immediately address low / medium issues. I'd like our build to fail if there are any issues above a particular CVSS score but otherwise just log and create the report.

Basically, I want the "failBuildOnCVSS" option documented here:
https://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html#bodyColumn

Would you be interested in adding this feature? I may be able to create a PR.

README suggests 1.0.4, while there's a later release.

Is there a way to change the name of the dependency check report file to anything I like?

We just released 5.0.0 of the core library. There were several breaking changes in this release. See the release notes for 5.0.0-M1, M2, M3, and the final 5.0.0 release: https://github.com/jeremylong/DependencyCheck/blob/master/RELEASE_NOTES.md

You can see what the scala plugin did to move from 4.x to 5.0.0 here: albuch/sbt-dependency-check#72

There may be cases where DependencyCheck includes false positives. Support for suppression lists (e.g.,
https://jeremylong.github.io/DependencyCheck/general/suppression.html) would help these filter out.

Version of OWASP dep-check plugin quite out of date. New version has (at least) much improved logging that would have helped debug a TLS issue that I had running on Travis.

(btw, if you use Travis for CI then they have a cron build feature that you could use to run https://github.com/xsc/lein-ancient to detect when new versions of deps become available)