jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

dependency-check-maven's yarnAuditAnalyzerEnabled doesn't work #6619

Closed dutoitns closed 2 weeks ago

dutoitns commented 3 weeks ago

Describe the bug
When I run the dependency-check-maven plugin, one of my Maven modules suddenly seems to trigger something to do with Yarn, making the execution of the dependency-check-maven plugin fail. It fails with the following error: IOException: Cannot run program "yarn": CreateProcess error=2, The system cannot find the file specified. I modified my Maven pom.xml file to configure "yarnAuditAnalyzerEnabled" to false, but it still seems to be looking for Yarn and failing. I'm not sure why this specific module is triggering this yarn-stuff... I looked for some hidden build artifacts in the module but couldn't find anything. I know one can also configure "pathToYarn" but I don't want to do that - I just want to disable something successfully so that I can continue...

Version of dependency-check used 9.1.0

Log file
gist: my maven build file for that module
gist: error on executing the maven build

To Reproduce Steps to reproduce the behavior:

  1. Execute mvn org.owasp:dependency-check-maven:check in that module or in the root of the project.

Expected behavior
I expect the dependency-check-maven plugin to execute successfully and to not try and execute anything using Yarn when I've configured "yarnAuditAnalyzerEnabled" to false.

Additional context N/A

nhumblot commented 3 weeks ago

Hi!

Thank you for raising this issue you are facing. Based on the pom.xml provided, displaying the parent pom, and without the sub-modules POMs, I suspect you do not have any specific configuration declared in your sub-module POMs.

If you look at your POM, you specified a 9.1.0 OWASP DependencyCheck version:

  <reporting>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>9.1.0</version>
        <configuration>
          <yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled>
        </configuration>
        <reportSets>
          <reportSet>
            <reports>
              <report>aggregate</report>
            </reports>
          </reportSet>
        </reportSets>
      </plugin>
    </plugins>
  </reporting>

But if you look at your logs, this is the 8.2.1 version which is fetched.

mvn org.owasp:dependency-check-maven:check
[INFO] Scanning for projects...
[INFO]
[INFO] ----------------< za.co.ndutoit:test-simple-cdk-stack >-----------------
[INFO] Building test-simple-cdk-stack 1.0.0
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- dependency-check:8.2.1:check (default-cli) @ test-simple-cdk-stack ---

This is because when executing your Maven command: mvn org.owasp:dependency-check-maven:check, you are not picking the plugin, and its configuration, declared in the reporting section but the one declared in the build section.

I would suggest you use the following declaration in your parent POM:

  <build>
    <pluginManagement>
      <plugins>
        <!-- -->
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>9.1.0</version>
          <configuration>
            <yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled>
          </configuration>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>

  <reporting>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <reportSets>
          <reportSet>
            <reports>
              <report>aggregate</report>
            </reports>
          </reportSet>
        </reportSets>
      </plugin>
    </plugins>
  </reporting>

This way, when executing the mvn org.owasp:dependency-check-maven:check command, all your POMs will pick up the configuration declared in the <pluginManagement> section and should get the configuration to not execute the Yarn Analyzer.

More information: Using the <reporting> Tag VS <build> Tag

mvn aplugin:areportgoal - It ignores the parameters defined in the <configuration> element of each reporting Plugin specified in the <reporting> element; only parameters defined in the <configuration> element of each plugin specified in <build> are used.

Could you tell me if you see any improvement by doing this?
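A check for the misconfiguration described above, added here as an example and not part of this issue or of the DependencyCheck project: it parses a POM with Python's standard library, compares the dependency-check-maven settings declared under <reporting> with those under <build> (including <pluginManagement>), and lists the settings a CLI goal run such as mvn org.owasp:dependency-check-maven:check would ignore. The sample POM is constructed to mirror the original report.

```python
import xml.etree.ElementTree as ET

PLUGIN = ("org.owasp", "dependency-check-maven")

def _strip_ns(root):
    # Maven POMs normally declare the POM xmlns; drop it so the XPaths stay simple
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root

def _dc_plugins(root, path):
    """dependency-check-maven <plugin> elements found under a path relative to <project>."""
    hits = []
    for p in root.findall(path):
        gid = (p.findtext("groupId") or "org.apache.maven.plugins").strip()
        aid = (p.findtext("artifactId") or "").strip()
        if (gid, aid) == PLUGIN:
            hits.append(p)
    return hits

def _settings(plugins):
    """Flatten the <configuration> children of the given plugin elements into a dict."""
    return {c.tag: (c.text or "").strip()
            for p in plugins for c in p.findall("configuration/*")}

def audit_pom(pom_xml):
    """Compare what a CLI goal run will use (the <build> declaration) with what is
    written under <reporting>; settings present only under <reporting> are ignored."""
    root = _strip_ns(ET.fromstring(pom_xml))
    reporting = _dc_plugins(root, "reporting/plugins/plugin")
    build = (_dc_plugins(root, "build/plugins/plugin")
             + _dc_plugins(root, "build/pluginManagement/plugins/plugin"))
    build_cfg, report_cfg = _settings(build), _settings(reporting)
    # a reporting setting that is absent, or has a different value, under <build>
    ignored = sorted(k for k in report_cfg if build_cfg.get(k) != report_cfg[k])
    versions = [v.text.strip() for p in build for v in p.findall("version") if v.text]
    return {
        "cli_version": versions[0] if versions else None,  # None: not pinned for CLI runs
        "reporting_version": next((p.findtext("version") for p in reporting), None),
        "ignored_settings": ignored,
    }

# constructed POM mirroring the issue: version and configuration live under <reporting> only
REPORTING_ONLY_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <reporting><plugins><plugin>
    <groupId>org.owasp</groupId><artifactId>dependency-check-maven</artifactId>
    <version>9.1.0</version>
    <configuration><yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled></configuration>
  </plugin></plugins></reporting>
</project>"""
```

Running audit_pom(REPORTING_ONLY_POM) reports yarnAuditAnalyzerEnabled as ignored and no CLI version, which is exactly why the log showed 8.2.1 being fetched.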

dutoitns commented 2 weeks ago

Thank you - that was the issue. After making the changes you recommended everything worked 😀

I was looking at the second example in the documentation here and didn't realize that I still needed to define the build plugin (it just shows the reporting plugin section)

Thank you for your help - much appreciated 🙏