jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

How to exclude file extension while running dependency-check #3782

Closed mrrobinhood996 closed 1 year ago

mrrobinhood996 commented 2 years ago

Hi, is it possible to exclude a file extension while running dependency-check, since it can't process some file types? For example, I'm running into an error while scanning a zip file that is in the scanned directory. Output:

    [INFO] Analysis Started
    [WARN] Exception extracting archive 'testZip_absolutePath.zip'.
    [WARN] Exception extracting archive 'testZip_relative.zip'.
    [WARN] An unexpected error occurred during analysis of 'C:\Users*\Desktop\Code Reposition*\t\src\test\resources\test-data\testZip_zeroByte.zip' (Archive Analyzer): Illegal char < > at index 4: dang erous.pl
    [WARN] Exception extracting archive 'testZip_overlappingNames.zip'.
    [ERROR] java.nio.file.InvalidPathException: Illegal char < > at index 4: dang erous.pl
        at sun.nio.fs.WindowsPathParser.normalize(Unknown Source)
        at sun.nio.fs.WindowsPathParser.parse(Unknown Source)
        at sun.nio.fs.WindowsPathParser.parse(Unknown Source)
        at sun.nio.fs.WindowsPath.parse(Unknown Source)
        at sun.nio.fs.WindowsFileSystem.getPath(Unknown Source)
        at sun.nio.fs.AbstractPath.resolve(Unknown Source)
        at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractArchive(ArchiveAnalyzer.java:580)
        at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractFiles(ArchiveAnalyzer.java:446)
        at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractAndAnalyze(ArchiveAnalyzer.java:286)
        at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.analyzeDependency(ArchiveAnalyzer.java:268)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.util.concurrent.FutureTask.run(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
    [INFO] Finished Archive Analyzer (0 seconds)
    [INFO] Finished File Name Analyzer (0 seconds)
    [INFO] Finished Dependency Merging Analyzer (0 seconds)
    [INFO] Finished Version Filter Analyzer (0 seconds)
    [INFO] Finished Hint Analyzer (0 seconds)
    [INFO] Created CPE Index (1 seconds)
    [INFO] Finished CPE Analyzer (1 seconds)
    [INFO] Finished False Positive Analyzer (0 seconds)
    [INFO] Finished NVD CVE Analyzer (0 seconds)
    [WARN] Unable to determine Package-URL identifiers for 1 dependencies
    [INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
    [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
    [INFO] Finished Dependency Bundling Analyzer (0 seconds)
    [INFO] Analysis Complete (1 seconds)
    [INFO] Writing report to: C:\Users*\Desktop\Code Reposition*\.\dependency-check-report.html
    [ERROR] Illegal char < > at index 4: dang erous.pl

jeremylong commented 2 years ago

Sorry for the delay - if using the CLI you can try `--exclude **/*.zip`

dicer commented 2 years ago

How about in Maven? I have a maven-ant-tasks-2.1.3.jar file in some project (not a Maven dependency, but the actual jar file) and I want to exclude it from scanning. I tried

<configuration>
    <excludes>
        <exclude>**/maven-ant-tasks-2.1.3**</exclude>
    </excludes>
</configuration>

but it still gets picked up:

maven-ant-tasks-2.1.3.jar/META-INF/maven/org.codehaus.plexus/plexus-utils/pom.xml (pkg:maven/org.codehaus.plexus/plexus-utils@1.5.15) : CVE-2017-1000487, Directory traversal in org.codehaus.plexus.util.Expand, Possible XML Injection
maven-ant-tasks-2.1.3.jar (pkg:maven/org.apache.maven/maven-ant-tasks@2.1.3, cpe:2.3:a:apache:ant:2.1.3:*:*:*:*:*:*:*, cpe:2.3:a:tasks:tasks:2.1.3:*:*:*:*:*:*:*) : CVE-2020-22475

`**/maven-ant-tasks**` and `**/maven-ant-tasks-2.1.3.jar` also don't work

jeremylong commented 2 years ago

See the scanSet configuration: https://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html

The excludes configuration is for Maven artifacts - if it is not a Maven artifact then using exclude won't work. However, adjusting the scanSet so that it is not included should.
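To make the distinction concrete, here is a pom.xml fragment that does what the two answers above describe. It is an added example, not configuration taken from the project or from either participant: the `<excludes>` block is the artifact-level filter that dicer tried (it matches `groupId:artifactId` coordinates, which is why a file glob there has no effect), and the `<scanSet>` block is the file-level filter Jeremy points to. The plugin version, the `${project.basedir}/src/main/resources` directory and the `src/test/resources/test-data` path for the zip fixtures are assumptions chosen for the illustration; adjust them to where the files actually live in your tree.

```xml
<!-- Added example; plugin version and directory layout are assumptions. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>8.4.0</version>
  <configuration>
    <!-- Artifact-level excludes: these match Maven coordinates
         (groupId:artifactId), NOT file paths. A glob such as
         **/maven-ant-tasks-2.1.3.jar here is silently ignored. -->
    <excludes>
      <exclude>org.example:internal-test-helper</exclude>
    </excludes>

    <!-- File-level control: scanSet decides which loose files on disk the
         analyzers walk. Listing the resources directory but excluding the
         checked-in jar keeps it out of the Archive/CPE analyzers entirely. -->
    <scanSet>
      <fileSet>
        <directory>${project.basedir}/src/main/resources</directory>
        <includes>
          <include>**/*.jar</include>
          <include>**/*.zip</include>
        </includes>
        <excludes>
          <!-- the vendored jar from the thread -->
          <exclude>**/maven-ant-tasks-2.1.3.jar</exclude>
        </excludes>
      </fileSet>
      <!-- Scope the zip exclusion to the test-fixture directory rather than
           excluding **/*.zip everywhere: the failing archives in the original
           report are deliberately malformed test data (zero-byte, overlapping
           names, a path with a space), but a blanket *.zip exclude would also
           hide real bundled archives that may carry vulnerable dependencies. -->
      <fileSet>
        <directory>${project.basedir}/src/test/resources</directory>
        <excludes>
          <exclude>test-data/**/*.zip</exclude>
        </excludes>
      </fileSet>
    </scanSet>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

Two checks before relying on this: run the build once with `-X` (Maven debug logging) and confirm the excluded jar no longer appears among the dependencies the Archive Analyzer reports, and compare the directories you list against the defaults described on the configuration page linked above, since the fileSets you declare are the ones the plugin walks for non-artifact files. The same file-scoped approach applies to the CLI case from the first question: prefer `--exclude` patterns anchored to the fixture directory (for example `**/test-data/*.zip`) over the broader `**/*.zip`.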