search

dependency-check / dependency-check-gradle

The dependency-check gradle plugin is a Software Composition Analysis (SCA) tool that allows projects to monitor dependent libraries for known, published vulnerabilities.
http://jeremylong.github.io/DependencyCheck/
Apache License 2.0
361 stars 93 forks source link

PGP Verification Failed #274

Open NickPadilla opened 2 years ago

NickPadilla commented 2 years ago

Hello,

I am using Gradle 7.4 and dependencycheck 7.1.1

The verification failed for the POM 

      <component group="org.owasp" name="dependency-check-gradle" version="7.1.1">
         <artifact name="dependency-check-gradle-7.1.1.pom">
            <ignored-keys>
               <ignored-key id="259a55407dd6c00299e6607effde55be73a2d1ed" reason="PGP verification failed"/>
            </ignored-keys>
            <sha256 value="8874490cd13af261f2e4c409a7dc7bd949a630c4082f7d33069fa1e6f579970e" origin="Generated by Gradle because PGP signature verification failed!"/>
         </artifact>
      </component>

the key in use appears to be the right key, but when we compute the sha256 we get a different value than is provided for the dependency-check-gradle-7.1.1.pom 

$ shasum -a 256 dependency-check-gradle-7.1.1.pom 
8874490cd13af261f2e4c409a7dc7bd949a630c4082f7d33069fa1e6f579970e  dependency-check-gradle-7.1.1.pom

This is from maven...

curl -X GET "https://repo1.maven.org/maven2/org/owasp/dependency-check-gradle/7.1.1/dependency-check-gradle-7.1.1.pom.sha256"                                                             
09b6282b5af38b54e0fa661628b151592b981a6846b2aa598655c0f8b893086a

I am unsure as to why only this one file has a different sha256, the rest of the files appear to be valid. Any ideas on cause and a solution?

NickPadilla commented 2 years ago

Going to check and see if it is possibly the maven mirror that I causing issues.

jeremylong commented 2 years ago

I love gradle sometimes...

Anyone know what to fix in the build.gradle so that these files match going forward?