dependency-check / dependency-check-gradle

The dependency-check gradle plugin is a Software Composition Analysis (SCA) tool that allows projects to monitor dependent libraries for known, published vulnerabilities.
http://jeremylong.github.io/DependencyCheck/
Apache License 2.0

Using multiple suppression files with suppressionFiles of DependencyCheckExtension is not working anymore in 8.0.1 #318

Closed jandry closed 1 year ago

jandry commented 1 year ago

In 7.3.0 I was using the following syntax to configure multiple suppression files via the DependencyCheckExtension in Kotlin Gradle syntax:

suppressionFiles = listOf("owasp-dependencycheck-global-suppression.xml", "$rootDir/owasp-dependencycheck-suppression.xml")

In 8.0.1 I get an error at compilation time of my plugin using this syntax: "Val cannot be reassigned"

I tried setSuppressionFiles(arrayOf("owasp-dependencycheck-global-suppression.xml", "$rootDir/owasp-dependencycheck-suppression.xml")). It compiles, but I get an issue at usage:

InitializationException: Warn initializing the suppression analyzer: Failed to load [owasp-dependencycheck-global-suppression.xml, /Users/.../owasp-dependencycheck-suppression.xml], caused by Unable to read suppression file. caused by SuppressionParseException: Failed to load [owasp-dependencycheck-global-suppression.xml, /Users/.../owasp-dependencycheck-suppression.xml], caused by Unable to read suppression file.

Individually, using suppressionFile, they both work (as they did in 7.3.0).

What am I doing wrong? I can't find any example on Google or in the documentation for this syntax.

jandry commented 1 year ago

I think it's due to the following commit: https://github.com/dependency-check/dependency-check-gradle/commit/92561eb480e603e32bc4e02d9321e69ccb764d08#diff-33401f36feba67fe4a00b8d43f7fadd7932c0a858a088fb971f6df2a32f3c5fb

-    List<String> suppressionFiles = []
+   Collection<String> suppressionFiles;
+
+   public void setSuppressionFiles(java.lang.Object[] files) {
+       if (files != null) {
+           suppressionFiles = Arrays.stream(files).map({ o -> o.toString() }).collect(Collectors.toSet())
+       }
+   }
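Review bot: the new setter neither validates nor flattens what it receives, so a single nested collection or array passed as `files` is stringified into one bogus path of the form `[a.xml, /path/b.xml]`, which is exactly the shape of the "Failed to load [owasp-dependencycheck-global-suppression.xml, /Users/.../owasp-dependencycheck-suppression.xml]" error reported above; consider unwrapping nested arrays/collections before the `map({ o -> o.toString() })` step and failing fast with a clear message when an entry does not resolve to a readable file. Also, `Collection<String> suppressionFiles;` loses the `[]` default that the removed `List<String> suppressionFiles = []` line had, so the field is null until the setter runs and every consumer now needs a null check, and `Collectors.toSet()` silently drops duplicates and any caller-specified ordering.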

jeremylong commented 1 year ago

As suppressionFiles is a List<String>, have you considered trying to use listOf instead of arrayOf?

jandry commented 1 year ago

Thanks for your answer and your great tool.

I forgot to write it, but I tried listOf and mutableListOf for setSuppressionFiles. I got the same exception.

I just double-checked again, and it's still true.

jeremylong commented 1 year ago

Should be fixed with 8.0.2 - which is currently being released...

jandry commented 1 year ago

I tested with 8.0.2 and all goes well. Thanks a lot.