jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

dependencyCheckAggregate reports vulnerabilities in sibling submodules #1628

Open skjolber opened 5 years ago

skjolber commented 5 years ago

Submodule sibling projects' vulnerabilities seem to 'travel in reverse' for the 'dependencyCheckAggregate' command. So when A depends on B, B gets vulnerabilities found in A.

Reporting Bugs/Errors

See example setup and output at https://github.com/skjolber/gradle-foss-library-template/pull/2

Example

A security issue in :examples:my-jwt-framework-support-example (subproject.build.gradle) seems to be reported in my-jwt.

jeremylong commented 5 years ago

Thanks for reporting this. The original implementation was designed to be used to scan the entire project and get a single report. It should not be hard to clean this up so we don't always traverse to the root pom.

skjolber commented 5 years ago

@jeremylong any progress on this? We have a few multi-module Gradle projects, and are now forced to use the alternative dependencyCheckAnalyze task; however, this results in reports in the subproject instead of under the root project, thus our continuous integration (CircleCI) must be configured per project.
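A way to see which module an aggregate report is attributing each vulnerable dependency to, and to flag attributions that do not match what you expect, so the cross-module mix-up described in this thread can be caught in CI instead of by eye. This is an added example and not code from the dependency-check project. It assumes the JSON report layout (a top-level `dependencies` list whose entries carry `fileName`, `projectReferences` and `vulnerabilities`) and that each project reference has the form `module:configuration`; the report below is constructed and the CVE names are placeholders.

```python
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample in the assumed shape of a dependency-check JSON report.
# Not real scan output; the CVE identifiers are placeholders.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "projectInfo": {"name": "gradle-foss-library-template"},
    "dependencies": [
        {
            "fileName": "my-jwt-1.0.0.jar",
            "projectReferences": ["my-jwt:compileClasspath"],
            "vulnerabilities": [],
        },
        {
            "fileName": "example-framework-2.3.0.jar",
            "projectReferences": [
                "examples:my-jwt-framework-support-example:runtimeClasspath"
            ],
            "vulnerabilities": [{"name": "CVE-PLACEHOLDER-0001", "severity": "HIGH"}],
        },
        {
            "fileName": "shared-logging-1.2.0.jar",
            "projectReferences": [
                "my-jwt:runtimeClasspath",
                "examples:my-jwt-framework-support-example:runtimeClasspath",
            ],
            "vulnerabilities": [{"name": "CVE-PLACEHOLDER-0002", "severity": "MEDIUM"}],
        },
    ],
})


def module_of(reference: str) -> str:
    """Drop the trailing Gradle configuration name from a 'module:configuration' reference."""
    module, sep, _config = reference.rpartition(":")
    return module if sep else reference


def vulnerable_by_module(report_json: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each module to the (dependency file, vulnerability id) pairs attributed to it."""
    report = json.loads(report_json)
    result: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        if not vulns:
            continue
        # A vulnerable dependency with no project reference is still worth surfacing.
        refs = dep.get("projectReferences") or ["<unreferenced>"]
        for ref in refs:
            for vuln in vulns:
                result[module_of(ref)].append((dep["fileName"], vuln["name"]))
    return dict(result)


def unexpected_attributions(
    report_json: str, expected: Dict[str, Set[str]]
) -> List[Tuple[str, str]]:
    """Return (dependency file, module) pairs where a vulnerable dependency is
    attributed to a module other than the ones listed in `expected` for it."""
    findings: List[Tuple[str, str]] = []
    for module, entries in vulnerable_by_module(report_json).items():
        for file_name, _vuln in entries:
            if file_name in expected and module not in expected[file_name]:
                pair = (file_name, module)
                if pair not in findings:
                    findings.append(pair)
    return findings


if __name__ == "__main__":
    for module, entries in sorted(vulnerable_by_module(SAMPLE_REPORT).items()):
        print(module)
        for file_name, vuln in entries:
            print(f"  {file_name}: {vuln}")
    # Expectation for the constructed report: the example framework jar is only
    # pulled in by the example module, so any other attribution is suspicious.
    print(unexpected_attributions(
        SAMPLE_REPORT,
        {"example-framework-2.3.0.jar": {"examples:my-jwt-framework-support-example"}},
    ))
```

The `expected` mapping is the part a team maintains by hand (or derives from `gradle dependencies` output): it records which modules legitimately pull in each dependency, so a CI step can fail when the aggregate report attributes a finding to a sibling module that does not actually use it.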