Closed chadlwilson closed 2 years ago
It actually also seems to fail on a single-project setup too with the same error. Not sure how to get this version of the plugin to function at all right now.
Caused by: org.gradle.internal.metaobject.AbstractDynamicObject$CustomMessageMissingMethodException: Could not find method sha256Checksum() for arguments [my-project:my-project:0.1.0] on task ':dependencyCheckAnalyze' of type org.owasp.dependencycheck.gradle.tasks.Analyze.
at org.gradle.internal.metaobject.AbstractDynamicObject$CustomMissingMethodExecutionFailed.<init>(AbstractDynamicObject.java:190)
at org.gradle.internal.metaobject.AbstractDynamicObject.methodMissingException(AbstractDynamicObject.java:184)
at org.gradle.internal.metaobject.AbstractDynamicObject.invokeMethod(AbstractDynamicObject.java:167)
at org.owasp.dependencycheck.gradle.tasks.Analyze_Decorated.invokeMethod(Unknown Source)
at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.addDependency(AbstractAnalyze.groovy:517)
at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.addDependency(AbstractAnalyze.groovy)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze$_processConfigV4_closure14$_closure18.doCall(AbstractAnalyze.groovy:457)
at jdk.internal.reflect.GeneratedMethodAccessor336.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze$_processConfigV4_closure14.doCall(AbstractAnalyze.groovy:437)
at jdk.internal.reflect.GeneratedMethodAccessor343.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.processConfigV4(AbstractAnalyze.groovy:436)
at jdk.internal.reflect.GeneratedMethodAccessor354.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze$_processConfigurations_closure10.doCall(AbstractAnalyze.groovy:374)
at jdk.internal.reflect.GeneratedMethodAccessor353.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.processConfigurations(AbstractAnalyze.groovy:367)
https://github.com/gocd/gocd/pull/10232 worked locally running ./gradlew dependencyCheckAnalyze.
In your environment it seems like it is not pulling in dependency-check-utils. If this is still an issue after the above PR - can you run ./gradlew buildEnvironment and post the results?
> gocd/gocd#10232 worked locally running ./gradlew dependencyCheckAnalyze.
It's a multi-project build, so I think you'll have to run dependencyCheckAggregate to replicate. I'm actually not sure what dependencyCheckAnalyze does when run on that type of build, since we always use aggregate.
I also have a completely separate single project build that fails with the same error though - it looks like any time there is a "virtual" dependency it will fail to me.
Surely the below code cannot be intentional in the differences between the 3 checksum retrieval methods? It looks like a typo on line 517 to me (and a missing test somewhere I guess...) as there is no method sha256Checksum(string) in Checksum.
https://github.com/dependency-check/dependency-check-gradle/blob/820351873676644b78039ab57e5325c3b5ed8d2c/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy#L515-L520
It's definitely pulling in the utils or otherwise line 516 would fail, rather than 517? But nevertheless:
classpath
+--- org.owasp:dependency-check-gradle:7.0.0
| +--- org.owasp:dependency-check-core:7.0.0
| | +--- org.anarres.jdiagnostics:jdiagnostics:1.0.7
| | +--- org.whitesource:pecoff4j:0.0.2.1
| | +--- org.apache.commons:commons-jcs-core:2.2.1
| | | \--- commons-logging:commons-logging:1.2
| | +--- com.github.package-url:packageurl-java:1.4.1
| | +--- us.springett:cpe-parser:2.0.2
| | | \--- org.slf4j:slf4j-api:1.7.30 -> 1.7.36
| | +--- com.vdurmont:semver4j:3.1.0
| | +--- org.slf4j:slf4j-api:1.7.36
| | +--- org.owasp:dependency-check-utils:7.0.0
| | | +--- commons-io:commons-io:2.11.0
| | | +--- org.apache.commons:commons-lang3:3.12.0
| | | +--- com.fasterxml.jackson.core:jackson-databind:2.13.1
| | | | +--- com.fasterxml.jackson.core:jackson-annotations:2.13.1
| | | | | \--- com.fasterxml.jackson:jackson-bom:2.13.1
| | | | | +--- com.fasterxml.jackson.core:jackson-annotations:2.13.1 (c)
| | | | | +--- com.fasterxml.jackson.core:jackson-core:2.13.1 (c)
| | | | | +--- com.fasterxml.jackson.core:jackson-databind:2.13.1 (c)
| | | | | +--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.1 (c)
| | | | | +--- com.fasterxml.jackson.datatype:jackson-datatype-guava:2.13.1 (c)
| | | | | +--- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.13.1 (c)
| | | | | +--- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.13.1 (c)
| | | | | \--- com.fasterxml.jackson.module:jackson-module-afterburner:2.13.1 (c)
| | | | +--- com.fasterxml.jackson.core:jackson-core:2.13.1
| | | | | \--- com.fasterxml.jackson:jackson-bom:2.13.1 (*)
| | | | \--- com.fasterxml.jackson:jackson-bom:2.13.1 (*)
| | | +--- commons-codec:commons-codec:1.15
| | | \--- org.slf4j:slf4j-api:1.7.36
| | +--- org.apache.commons:commons-collections4:4.4
| | +--- org.apache.commons:commons-compress:1.21
| | +--- commons-io:commons-io:2.11.0
| | +--- org.apache.commons:commons-lang3:3.12.0
| | +--- org.apache.commons:commons-text:1.9
| | | \--- org.apache.commons:commons-lang3:3.11 -> 3.12.0
| | +--- org.apache.commons:commons-dbcp2:2.9.0
| | | +--- org.apache.commons:commons-pool2:2.10.0
| | | \--- commons-logging:commons-logging:1.2
| | +--- org.apache.lucene:lucene-core:8.11.1
| | +--- org.apache.lucene:lucene-analyzers-common:8.11.1
| | | \--- org.apache.lucene:lucene-core:8.11.1
| | +--- org.apache.lucene:lucene-queryparser:8.11.1
| | | +--- org.apache.lucene:lucene-core:8.11.1
| | | +--- org.apache.lucene:lucene-queries:8.11.1
| | | \--- org.apache.lucene:lucene-sandbox:8.11.1
| | +--- org.apache.velocity:velocity-engine-core:2.3
| | | +--- org.apache.commons:commons-lang3:3.11 -> 3.12.0
| | | \--- org.slf4j:slf4j-api:1.7.30 -> 1.7.36
| | +--- com.h2database:h2:2.1.210
| | +--- org.glassfish:javax.json:1.1.4
| | +--- org.jsoup:jsoup:1.14.3
| | +--- com.fasterxml.jackson.core:jackson-databind:2.13.1 (*)
| | +--- com.fasterxml.jackson.module:jackson-module-afterburner:2.13.1
| | | +--- com.fasterxml.jackson.core:jackson-core:2.13.1 (*)
| | | \--- com.fasterxml.jackson.core:jackson-databind:2.13.1 (*)
| | +--- com.h3xstream.retirejs:retirejs-core:3.0.3
| | | +--- com.vaadin.external.google:android-json:0.0.20131108.vaadin1
| | | +--- com.esotericsoftware:minlog:1.3.1
| | | \--- com.github.spullara.mustache.java:compiler:0.9.6
| | +--- org.sonatype.ossindex:ossindex-service-client:1.8.1
| | | +--- org.sonatype.ossindex:ossindex-service-api:1.8.1
| | | | +--- org.slf4j:slf4j-api:1.7.28 -> 1.7.36
| | | | +--- com.fasterxml.jackson.core:jackson-annotations:2.9.10 -> 2.13.1 (*)
| | | | +--- javax.ws.rs:javax.ws.rs-api:2.0.1
| | | | \--- org.sonatype.goodies:package-url-java:1.1.1
| | | +--- javax.inject:javax.inject:1
| | | +--- org.slf4j:slf4j-api:1.7.28 -> 1.7.36
| | | +--- org.slf4j:jcl-over-slf4j:1.7.28
| | | | \--- org.slf4j:slf4j-api:1.7.28 -> 1.7.36
| | | +--- joda-time:joda-time:2.10.4
| | | \--- com.google.code.gson:gson:2.8.5
| | +--- com.google.guava:guava:31.0.1-jre
| | | +--- com.google.guava:failureaccess:1.0.1
| | | +--- com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
| | | +--- com.google.code.findbugs:jsr305:3.0.2
| | | +--- org.checkerframework:checker-qual:3.12.0
| | | +--- com.google.errorprone:error_prone_annotations:2.7.1
| | | \--- com.google.j2objc:j2objc-annotations:1.3
| | +--- com.moandjiezana.toml:toml4j:0.7.2
| | | \--- com.google.code.gson:gson:2.8.1 -> 2.8.5
| | +--- com.hankcs:aho-corasick-double-array-trie:1.2.3
| | +--- commons-validator:commons-validator:1.7
| | | +--- commons-beanutils:commons-beanutils:1.9.4
| | | | +--- commons-logging:commons-logging:1.2
| | | | \--- commons-collections:commons-collections:3.2.2
| | | +--- commons-digester:commons-digester:2.1
| | | +--- commons-logging:commons-logging:1.2
| | | \--- commons-collections:commons-collections:3.2.2
| | +--- commons-beanutils:commons-beanutils:1.9.4 (*)
| | \--- org.eclipse.packager:packager-rpm:0.17.0
| | +--- org.eclipse.packager:packager-core:0.17.0
| | +--- org.slf4j:slf4j-api:1.7.26 -> 1.7.36
| | +--- org.apache.commons:commons-compress:1.20 -> 1.21
| | +--- com.google.guava:guava:27.1-jre -> 31.0.1-jre (*)
| | \--- org.tukaani:xz:1.8
| +--- org.owasp:dependency-check-utils:7.0.0 (*)
| \--- net.gpedro.integrations.slack:slack-webhook:1.4.0
| \--- com.google.code.gson:gson:2.3.1 -> 2.8.5
+--- com.github.ben-manes:gradle-versions-plugin:0.42.0
| \--- com.thoughtworks.xstream:xstream:1.4.17
| \--- io.github.x-stream:mxparser:1.2.1
| \--- xmlpull:xmlpull:1.1.3.1
+--- gradle.plugin.com.hierynomus.gradle.plugins:license-gradle-plugin:0.16.1
| +--- org.codehaus.plexus:plexus-utils:2.0.5 -> 2.0.6
| +--- com.mycila.xmltool:xmltool:3.3
| \--- com.mycila:license-maven-plugin:3.0
| +--- org.apache.maven:maven-settings:3.0.4
| | \--- org.codehaus.plexus:plexus-utils:2.0.6
| +--- org.apache.maven:maven-settings-builder:3.0.4
| | +--- org.codehaus.plexus:plexus-utils:2.0.6
| | +--- org.codehaus.plexus:plexus-interpolation:1.14
| | +--- org.codehaus.plexus:plexus-component-annotations:1.5.5
| | +--- org.apache.maven:maven-settings:3.0.4 (*)
| | \--- org.sonatype.plexus:plexus-sec-dispatcher:1.3
| | +--- org.codehaus.plexus:plexus-utils:1.5.5 -> 2.0.6
| | \--- org.sonatype.plexus:plexus-cipher:1.4
| +--- org.springframework:spring-core:3.1.3.RELEASE
| | +--- org.springframework:spring-asm:3.1.3.RELEASE
| | \--- commons-logging:commons-logging:1.1.1 -> 1.2
| \--- com.mycila:mycila-xmltool:4.4.ga
| \--- org.apache.commons:commons-pool2:2.2 -> 2.10.0
+--- com.github.jk1:gradle-license-report:2.1
\--- com.github.jruby-gradle:jruby-gradle-core-plugin:2.0.2
+--- org.ysb33r.gradle:grolifant:0.12
| \--- org.tukaani:xz:1.6 -> 1.8
+--- io.github.http-builder-ng:http-builder-ng-okhttp:1.0.3
| +--- io.github.http-builder-ng:http-builder-ng-core:1.0.3
| | +--- xml-resolver:xml-resolver:1.2
| | \--- org.slf4j:slf4j-api:1.7.21 -> 1.7.36
| +--- com.squareup.okhttp3:okhttp:3.4.2 -> 3.5.0
| | \--- com.squareup.okio:okio:1.11.0
| \--- com.burgstaller:okhttp-digest:1.10
| \--- com.squareup.okhttp3:okhttp:3.5.0 (*)
\--- io.ratpack:ratpack-core:1.6.1
+--- io.ratpack:ratpack-exec:1.6.1
| +--- io.ratpack:ratpack-base:1.6.1
| | +--- com.google.guava:guava:21.0 -> 31.0.1-jre (*)
| | \--- org.slf4j:slf4j-api:1.7.25 -> 1.7.36
| +--- org.slf4j:slf4j-api:1.7.25 -> 1.7.36
| +--- io.netty:netty-buffer:4.1.32.Final
| | \--- io.netty:netty-common:4.1.32.Final
| +--- io.netty:netty-transport-native-epoll:4.1.32.Final
| | +--- io.netty:netty-common:4.1.32.Final
| | +--- io.netty:netty-buffer:4.1.32.Final (*)
| | +--- io.netty:netty-transport-native-unix-common:4.1.32.Final
| | | +--- io.netty:netty-common:4.1.32.Final
| | | \--- io.netty:netty-transport:4.1.32.Final
| | | +--- io.netty:netty-buffer:4.1.32.Final (*)
| | | \--- io.netty:netty-resolver:4.1.32.Final
| | | \--- io.netty:netty-common:4.1.32.Final
| | \--- io.netty:netty-transport:4.1.32.Final (*)
| \--- org.reactivestreams:reactive-streams:1.0.2
+--- io.netty:netty-codec-http:4.1.32.Final
| \--- io.netty:netty-codec:4.1.32.Final
| \--- io.netty:netty-transport:4.1.32.Final (*)
+--- io.netty:netty-handler:4.1.32.Final
| +--- io.netty:netty-buffer:4.1.32.Final (*)
| +--- io.netty:netty-transport:4.1.32.Final (*)
| \--- io.netty:netty-codec:4.1.32.Final (*)
+--- com.sun.activation:javax.activation:1.2.0
+--- com.github.ben-manes.caffeine:caffeine:2.6.2
+--- org.javassist:javassist:3.22.0-GA
+--- com.fasterxml.jackson.core:jackson-databind:2.9.8 -> 2.13.1 (*)
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.9.8 -> 2.13.1
| +--- com.fasterxml.jackson.core:jackson-databind:2.13.1 (*)
| +--- com.fasterxml.jackson.core:jackson-core:2.13.1 (*)
| \--- com.fasterxml.jackson:jackson-bom:2.13.1 (*)
+--- com.fasterxml.jackson.datatype:jackson-datatype-guava:2.9.8 -> 2.13.1
| +--- com.fasterxml.jackson.core:jackson-core:2.13.1 (*)
| +--- com.fasterxml.jackson.core:jackson-databind:2.13.1 (*)
| \--- com.fasterxml.jackson:jackson-bom:2.13.1 (*)
+--- org.yaml:snakeyaml:1.23
+--- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.9.8 -> 2.13.1
| +--- com.fasterxml.jackson.core:jackson-core:2.13.1 (*)
| +--- com.fasterxml.jackson.core:jackson-databind:2.13.1 (*)
| \--- com.fasterxml.jackson:jackson-bom:2.13.1 (*)
\--- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.9.8 -> 2.13.1
+--- com.fasterxml.jackson.core:jackson-annotations:2.13.1 (*)
+--- com.fasterxml.jackson.core:jackson-core:2.13.1 (*)
+--- com.fasterxml.jackson.core:jackson-databind:2.13.1 (*)
\--- com.fasterxml.jackson:jackson-bom:2.13.1 (*)
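The failure mode discussed above, as an added Groovy example that is not the plugin's code: a call to a method name that exists nowhere still compiles under dynamic dispatch and only fails when that code path runs, while `@CompileStatic` would reject the same mistake at build time. The `Checksum` class here is a minimal stand-in for the utils class, and `DynamicTask` and `StaticTask` are hypothetical names.

```groovy
import groovy.transform.CompileStatic
import java.security.MessageDigest

// Stand-in for the utils Checksum class (assumption): only get*Checksum names exist.
class Checksum {
    static String getMD5Checksum(String text)    { digest('MD5', text) }
    static String getSHA1Checksum(String text)   { digest('SHA-1', text) }
    static String getSHA256Checksum(String text) { digest('SHA-256', text) }
    private static String digest(String alg, String text) {
        MessageDigest.getInstance(alg).digest(text.getBytes('UTF-8')).encodeHex().toString()
    }
}

// Dynamic Groovy: the unresolved sha256Checksum() call compiles and is only
// looked up when this method runs, i.e. when a "virtual" dependency is hit.
class DynamicTask {
    Map virtualChecksums(String id) {
        [md5   : Checksum.getMD5Checksum(id),
         sha1  : Checksum.getSHA1Checksum(id),
         sha256: sha256Checksum(id)]          // no such method anywhere
    }
}

// With @CompileStatic the same misspelled call would be a compile error
// ("Cannot find matching method"), so the mistake never reaches a release.
@CompileStatic
class StaticTask {
    Map<String, String> virtualChecksums(String id) {
        [md5   : Checksum.getMD5Checksum(id),
         sha1  : Checksum.getSHA1Checksum(id),
         sha256: Checksum.getSHA256Checksum(id)]
    }
}

def id = 'my-project:my-project:0.1.0'        // constructed sample coordinate
def failure = null
try {
    new DynamicTask().virtualChecksums(id)
} catch (MissingMethodException e) {
    failure = e                                // surfaces only at runtime
}
println "dynamic call failed at runtime: ${failure != null}"
println "static variant sha256: ${new StaticTask().virtualChecksums(id).sha256}"
```

A build that never resolves a project-type dependency never executes the broken line, which is why a test covering that path matters as much as the spelling fix.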
I'm running into this same issue.
Thanks @jeremylong !
Does it work for you now? @chadlwilson
Probably there is the same issue for ./gradlew dependencyCheckAnalyze.
@Skapio No, I don't think a new release has been cut of the plugin yet. But a PR merge and closed issue is good nonetheless.
It's a bit confusing though, as 7.0.0 didn't seem to be committed and tagged, even though it was released to Maven Central. I guess we are waiting for 7.0.1 or similar to appear.
Sorry - I forgot to push the tag when I released 7.0.0. The tag is there now. We will likely be releasing 7.0.1 within a week.
So, we should wait until 7.0.1 is released? I still face the same issue with 7.0.0.
Hello, Is 7.0.1 supposed to be released? I don't think it is. Is there a different estimated release date? Thanks for the help!
sorry for the delay - 7.0.1 has been released.
Thanks for the release of 7.0.1. I upgraded to this release yesterday. It appears a new bug has been introduced (or unveiled). The corresponding issue was reported in https://github.com/jeremylong/DependencyCheck/issues/4253 11 hours ago...
When running org.owasp:dependency-check-gradle:7.0.0 on a multi-project Gradle build with inter-project dependencies dependencyCheckAggregate fails as soon as it hits the first project(':blah') dependency.
Looks related to https://github.com/dependency-check/dependency-check-gradle/blob/820351873676644b78039ab57e5325c3b5ed8d2c/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy#L517
Shouldn't it be getSHA256Checksum not sha256Checksum per https://github.com/jeremylong/DependencyCheck/blob/2d4163918f2392628f29ce309739f90efd78fc99/utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java#L208-L210 ?
In the below example the project and dependency it is failing on is:
agent/build.gradle
Log: