Closed: ryanhamilton closed this issue 6 months ago
Did you look at the Java version in your call to gradle -version? From your output: JVM: 1.8.0_211
Gradle is using Java 8 update 211.
My bad. Thanks Jeremy.
FYI, I've tried working with Synopsys Black Duck and JFrog Xray to perform CVE scans; both have been terrible experiences. Yours was the only tool that worked well.
Black Duck literally know they show a lot of false positives for large Java frameworks (https://community.synopsys.com/s/article/General-guidance-about-multiple-false-positives-from-Black-Duck-scan): "there are components that come from large frameworks (such as Java, OpenSSL, etc) which are commonly impacted by false positives" and "For these cases, we generally recommend ignoring the component".
JFrog marked my jar as fine and never detected any packages.
Perhaps consider starting a commercial offering :)
Describe the bug
"Non-supported Java Runtime: dependency-check requires at least Java 8 update 251 or higher." when I am running Java 9. The attempt to parse the Java version seems a worse idea than just letting the code fail or using reflection to check if it exists.
Version of dependency-check used
classpath 'org.owasp:dependency-check-gradle:9.0.9'
Log file
Code: https://github.com/jeremylong/DependencyCheck/blob/5df22e2a86ecef5822239122958403363f347641/core/src/main/java/org/owasp/dependencycheck/Engine.java#L1296
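The following is an added example, not code from DependencyCheck or from anyone in this thread. It sketches a "Java 8 update 251 or higher" check that handles both the legacy 1.8.0_NNN version strings and the Java 9+ scheme, and shows why the 1.8.0_211 JVM reported by Gradle is rejected while a real Java 9 runtime would pass. The class and method names are hypothetical.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JavaVersionCheck {
    // Legacy scheme (Java 8 and earlier): 1.<major>.<minor>_<update>, e.g. 1.8.0_211
    private static final Pattern LEGACY =
            Pattern.compile("^1\\.(\\d+)\\.\\d+(?:_(\\d+))?.*$");
    // Java 9+ scheme: <major>[.<minor>[.<security>]][-suffix], e.g. 9, 11.0.2, 17-ea
    private static final Pattern MODERN =
            Pattern.compile("^(\\d+)(?:\\.\\d+)*(?:[-+].*)?$");

    /** Returns true if the version string denotes Java 8 update 251 or higher. */
    static boolean meetsMinimum(String version) {
        Matcher m = LEGACY.matcher(version);
        if (m.matches()) {
            int major = Integer.parseInt(m.group(1));
            // A legacy string without an update suffix counts as update 0.
            int update = m.group(2) == null ? 0 : Integer.parseInt(m.group(2));
            return major > 8 || (major == 8 && update >= 251);
        }
        m = MODERN.matcher(version);
        if (m.matches()) {
            // Any release using the new scheme is Java 9 or later.
            return Integer.parseInt(m.group(1)) >= 9;
        }
        // Unrecognised format: report it instead of guessing a result.
        throw new IllegalArgumentException("Unrecognised java.version: " + version);
    }

    public static void main(String[] args) {
        // Constructed sample values, followed by the JVM actually running this code.
        String[] samples = {
            "1.8.0_211", "1.8.0_251", "1.8.0_392-b08", "9", "11.0.2", "17-ea",
            System.getProperty("java.version")
        };
        for (String v : samples) {
            System.out.println(v + " -> " + (meetsMinimum(v) ? "supported" : "too old"));
        }
    }
}
```

The last sample is the value to watch: it reflects the JVM that executes the build, which can differ from the `java` found on the shell's PATH.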