Open champaanand opened 2 weeks ago
Tried the below option as well (all the jars are present under the ./jars_3.1.3/ directory): ./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxx --scan ./jars_3.1.3/*.jar
By default ODC will combine related JAR files. See if there are related dependencies listed.
On Tue, Sep 24, 2024, 10:22 AM champaanand wrote:
> Tried the below option as well (all the jars are present under the ./jars_3.1.3/ directory): ./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxx --scan ./jars_3.1.3/*.jar
All 26 jars are independent. (This is not Jenkins-integrated; we are running on the command line.) Is there any parameter we need to set?
Did you see the related JARs section(s) in the report?
@jeremylong I don't see any column named "related" in the report.
"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Source","CVSSv2_Severity","CVSSv2_Score","CVSSv2","CVSSv3_BaseSeverity","CVSSv3_BaseScore","CVSSv3","CPE Confidence","Evidence Count","VendorProject","Product","Name","DateAdded","ShortDescription","RequiredAction","DueDate","Notes"
Searched for the missing jar names in the report; they are not found.
The CSV report is garbage for actual analysis of the CVEs and how things are reported. Look at the HTML report.
The HTML report shows the related jars. The CSV format is not recommended, is it?
I only created the CSV report because of the many requests for it - in my opinion, it isn't useful because it is hard to determine if something is a false positive by just looking at the CSV report. Additionally, the HTML report gives you the ability to generate suppression rules in case you run into FP.
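An added check for the situation in this thread (example code, not part of the DependencyCheck project): parse the CSV report and list which JARs from the scan directory have a row of their own and which do not, so the unmatched ones can be looked up under the related dependencies in the HTML report. The sample rows, JAR names and CVE IDs are constructed placeholders.

```python
import csv
import io
from pathlib import Path

# Constructed sample report. The real CSV carries the full header quoted in the
# thread; only the columns this check reads are kept here, and the CVE IDs are
# placeholders, not real identifiers.
SAMPLE_CSV = """\
"DependencyName","DependencyPath","CVE","CVSSv3_BaseSeverity"
"abs.jar","/root/dependency-check/jars_3.1.3/abs.jar","CVE-0000-0001","HIGH"
"abs.jar","/root/dependency-check/jars_3.1.3/abs.jar","CVE-0000-0002","MEDIUM"
"def.jar","/root/dependency-check/jars_3.1.3/def.jar","CVE-0000-0003","LOW"
"""

# Constructed directory listing standing in for the 26 JARs in jars_3.1.3.
SAMPLE_JARS = ["abs.jar", "def.jar", "ghi.jar", "jkl.jar"]


def reported_jars(csv_text: str) -> dict[str, set[str]]:
    """Map each JAR file name found in DependencyPath to the CVEs listed for it."""
    found: dict[str, set[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # DependencyPath may be POSIX or Windows style; keep only the file name.
        name = row["DependencyPath"].replace("\\", "/").rsplit("/", 1)[-1]
        found.setdefault(name, set())
        if row.get("CVE"):
            found[name].add(row["CVE"])
    return found


def reconcile(jar_names, csv_text: str):
    """Split the scanned JARs into those with a CSV row and those without.

    A JAR missing here was not necessarily skipped by the scanner: the CSV has
    no column for related dependencies, so it must be checked in the HTML report.
    """
    found = reported_jars(csv_text)
    reported = {j: sorted(found[j]) for j in jar_names if j in found}
    unreported = sorted(j for j in jar_names if j not in found)
    return reported, unreported


def jars_in_dir(directory: str) -> list[str]:
    """File names of all *.jar files directly under a directory (real runs)."""
    return sorted(p.name for p in Path(directory).glob("*.jar"))


if __name__ == "__main__":
    reported, unreported = reconcile(SAMPLE_JARS, SAMPLE_CSV)
    for jar, cves in reported.items():
        print(f"{jar}: {len(cves)} CVE row(s) in CSV")
    print("no row of their own (check Related Dependencies in the HTML report):")
    for jar in unreported:
        print(f"  {jar}")
```

For a real run, replace SAMPLE_JARS with jars_in_dir("/root/dependency-check/jars_3.1.3") and SAMPLE_CSV with the contents of the generated dependency-check-report.csv.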
great, thanks for the response @jeremylong
Hello, we have a requirement to scan the jar files kept under one directory (dependency-check version 10.0.4). Command used: ./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxxx --scan /root/dependency-check/jars_3.1.3
This command shows the report/vulnerabilities for only 4 jars, while I have around 26 jars in the directory jars_3.1.3.
If I run the command separately for each jar, it does report the vulnerabilities for all 26 jars (./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxxx --scan /root/dependency-check/jars_3.1.3/abs.jar
./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxxx --scan /root/dependency-check/jars_3.1.3/def.jar). Please let me know if there is anything missing.