jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

"Found 0 vulnerabilities in project" message does not tell how many artifacts have been scanned #5669

Open veita opened 1 year ago

veita commented 1 year ago

Describe the bug
After updating from Gradle plugin version 6.4.1.1 to 8.2.1, for some reason all previously reported vulnerabilities disappeared. In the build log the message

[16:51:59] :     [Step 5/6] > Task :modules:test-external-dependencies:dependencyCheckAnalyze
[16:51:59] :     [Step 5/6] Generating report for project test-external-dependencies
[16:52:00] :     [Step 5/6] Found 0 vulnerabilities in project test-external-dependencies

appeared.

Unfortunately, from this message one cannot know if there are no vulnerabilities (which I doubt) or if no vulnerabilities have been found because nothing has been scanned (e.g. due to a misconfiguration of the plugin).

Version of dependency-check used
The problem occurs using version 8.2.1 of the Gradle plugin.

Expected behavior
The plugin should not only report how many vulnerabilities have been found, but also how many artifacts have been scanned.

aikebah commented 1 year ago

It will tell you in the reports how many dependencies in total were scanned

veita commented 1 year ago

In TeamCity's tests view there is no indication that anything might have gone wrong. But you are correct, in the native dependency check "Dependencies Scanned" is shown.

aikebah commented 1 year ago

Gut feel: TeamCity in your setup uses the JUnit report, which only contains the found vulnerabilities. If TeamCity displayed the results from the XML, JSON or SARIF report in some way, the full dependency information would be available.

Edit: even the JUnit report contains all dependencies. No clue why your TeamCity setup would not show the 'passing' test suites (which are the dependencies with no found vulnerabilities).
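A CI-side guard for the gap veita describes, added here as an example and not code from the dependency-check project or TeamCity: it reads the JUnit report aikebah mentions and fails the step when zero dependencies were scanned, so "Found 0 vulnerabilities" cannot pass silently after a plugin misconfiguration. It assumes the layout aikebah describes (one testsuite per scanned dependency, a testcase with a failure child per reported vulnerability); the sample report below is constructed, not real tool output.

```python
"""Fail a CI step when a dependency-check JUnit report shows nothing was scanned.

Added example; not part of dependency-check. Assumed report layout (per the
thread): one <testsuite> per dependency, a <testcase> with a <failure> child
for each vulnerability found in that dependency.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample report, not real dependency-check output.
# The CVE id below is a placeholder, not a real identifier.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="commons-text-1.9.jar" tests="1" failures="1">
    <testcase classname="commons-text-1.9.jar" name="CVE-PLACEHOLDER-0001">
      <failure message="CVE-PLACEHOLDER-0001 (CVSS 9.8)">details</failure>
    </testcase>
  </testsuite>
  <testsuite name="slf4j-api-2.0.7.jar" tests="1" failures="0">
    <testcase classname="slf4j-api-2.0.7.jar" name="no known vulnerabilities"/>
  </testsuite>
</testsuites>
"""


def summarize(report_xml: str) -> dict:
    """Count scanned dependencies, vulnerable dependencies and vulnerabilities."""
    root = ET.fromstring(report_xml)
    # Accept either a <testsuites> wrapper or a bare <testsuite> root.
    suites = [root] if root.tag == "testsuite" else list(root.iter("testsuite"))
    vulnerabilities = sum(len(s.findall("./testcase/failure")) for s in suites)
    vulnerable = sum(1 for s in suites if s.find("./testcase/failure") is not None)
    return {"scanned": len(suites), "vulnerable": vulnerable,
            "vulnerabilities": vulnerabilities}


def check_report(report_xml: str, minimum_scanned: int = 1) -> tuple:
    """Return (ok, message); ok is False when too few dependencies were analyzed."""
    s = summarize(report_xml)
    if s["scanned"] < minimum_scanned:
        return False, (f"only {s['scanned']} dependencies scanned (expected at least "
                       f"{minimum_scanned}); check the plugin configuration")
    return True, (f"Found {s['vulnerabilities']} vulnerabilities in {s['vulnerable']} "
                  f"of {s['scanned']} scanned dependencies")


if __name__ == "__main__":
    # Usage: python check_report.py build/reports/dependency-check-junit.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    ok, message = check_report(text)
    print(message)
    sys.exit(0 if ok else 1)
```

Raising minimum_scanned to roughly the expected dependency count for a module also catches partial scans, not just empty ones.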