jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Missing of package org.owasp.dependencycheck.data.knownexploited #6903

Closed CH3SCN closed 2 months ago

CH3SCN commented 2 months ago

I am studying the code and structure of the DependencyCheck program. However, I found the package org.owasp.dependencycheck.data.knownexploited missing, so the code can't be compiled. Could you please tell me how to get this package, or a way to dynamically link it? This package is imported in multiple classes, such as:

```java
public void updateKnownExploitedVulnerabilities(
        List<org.owasp.dependencycheck.data.knownexploited.json.Vulnerability> vulnerabilities)
        throws DatabaseException, SQLException {
    try (Connection conn = databaseManager.getConnection();
            PreparedStatement mergeKnownVulnerability = getPreparedStatement(conn, MERGE_KNOWN_EXPLOITED)) {
        int ctr = 0;
        for (org.owasp.dependencycheck.data.knownexploited.json.Vulnerability v : vulnerabilities) {
            mergeKnownVulnerability.setString(1, v.getCveID());
            addNullableStringParameter(mergeKnownVulnerability, 2, v.getVendorProject());
            addNullableStringParameter(mergeKnownVulnerability, 3, v.getProduct());
            addNullableStringParameter(mergeKnownVulnerability, 4, v.getVulnerabilityName());
            addNullableStringParameter(mergeKnownVulnerability, 5, v.getDateAdded());
            addNullableStringParameter(mergeKnownVulnerability, 6, v.getShortDescription());
            addNullableStringParameter(mergeKnownVulnerability, 7, v.getRequiredAction());
            addNullableStringParameter(mergeKnownVulnerability, 8, v.getDueDate());
            addNullableStringParameter(mergeKnownVulnerability, 9, v.getNotes());
            if (isBatchInsertEnabled()) {
                mergeKnownVulnerability.addBatch();
                ctr++;
                if (ctr >= getBatchSize()) {
                    mergeKnownVulnerability.executeBatch();
                    ctr = 0;
                }
            }
            // (snippet truncated in the original comment)
        }
    }
}
```

I will greatly appreciate it if you could give me a hand.

jeremylong commented 2 months ago

How did you try to compile the code? Did you look at: https://github.com/jeremylong/DependencyCheck?tab=readme-ov-file#development-usage

Just running the following should work and would generate the missing classes:

```
mvn package
```

Lastly, if you really want to know where the code generation occurs, look at https://github.com/jeremylong/DependencyCheck/blob/dbe0d7999064ffe84954befef0b18d146a098f00/core/pom.xml#L129-L133
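The generated `org.owasp.dependencycheck.data.knownexploited.json.Vulnerability` class simply models the entries of the known-exploited-vulnerabilities JSON feed, one getter per field. As an added illustration (not DependencyCheck code, and written in Python rather than Java so it runs without the build), the snippet below parses a constructed feed into the nine columns the `updateKnownExploitedVulnerabilities` snippet in the question merges, treating every column except `cveID` as nullable and chunking rows the way the batch-insert branch does; the feed content, `to_rows` and `batches` are assumptions made here.

```python
import json
from typing import Iterator, List, Optional, Tuple

# Field names of a known-exploited-vulnerabilities entry; the generated
# Vulnerability class exposes the same fields via getCveID(), getVendorProject(), ...
COLUMNS = ("cveID", "vendorProject", "product", "vulnerabilityName",
           "dateAdded", "shortDescription", "requiredAction", "dueDate", "notes")

# Constructed sample feed (not real catalog data): one complete entry, one
# missing optional fields, one with only a cveID, one without a cveID at all.
SAMPLE_FEED = json.dumps({
    "title": "constructed sample", "catalogVersion": "0000.00.00", "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "vulnerabilityName": "Example RCE", "dateAdded": "2024-01-01",
         "shortDescription": "constructed", "requiredAction": "Apply updates",
         "dueDate": "2024-01-15", "notes": ""},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Other",
         "vulnerabilityName": "Example auth bypass", "dateAdded": "2024-02-01",
         "shortDescription": "constructed", "requiredAction": "Apply updates",
         "dueDate": "2024-02-15"},
        {"cveID": "CVE-0000-0003"},
        {"vendorProject": "NoId", "product": "Broken"},
    ],
})

Row = Tuple[Optional[str], ...]


def to_rows(feed_json: str) -> List[Row]:
    """One 9-tuple per entry that has a cveID; absent fields become None (SQL NULL)."""
    rows: List[Row] = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        if not entry.get("cveID"):
            continue  # column 1 is set with setString(), not a nullable parameter
        rows.append(tuple(entry.get(column) for column in COLUMNS))
    return rows


def batches(rows: List[Row], batch_size: int) -> Iterator[List[Row]]:
    """Mirror the ctr/getBatchSize() loop: flush every batch_size rows.
    Flushing the remainder after the loop is assumed; it lies outside the truncated snippet."""
    pending: List[Row] = []
    for row in rows:
        pending.append(row)
        if len(pending) >= batch_size:
            yield pending
            pending = []
    if pending:
        yield pending
```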

jeremylong commented 2 months ago

I actually just ran into this: a Java package was moved with Java 11. I'll push a fix soon.