jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

dependency-check 11.1.0 returns 0 dependencies on a local bitbucket repo #7172

Open czaczaja opened 5 days ago

czaczaja commented 5 days ago

Trying to scan a local repository with the following command:

dependency-check.bat --project "EPG" --nvdApiKey xxx --scan "C:\Users\xxx\Documents\WORK\Repos\xxx-sps_epg-body-616e81a81488\xxx-sps_epg-body-616e81a81488\" -o C:\Users\xxx\Documents\WORK\Repos\epg.html

OUTPUT:

[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
Nov 20, 2024 10:49:02 A.M. org.apache.lucene.store.MemorySegmentIndexInputProvider
INFO: Using MemorySegmentIndexInput with Java 21 or later; to disable start with -Dorg.apache.lucene.store.MMapDirectory.enableMemorySegments=false
Nov 20, 2024 10:49:02 A.M. org.apache.lucene.internal.vectorization.VectorizationProvider lookup
WARNING: Java vector incubator module is not readable. For optimal vector performance, pass '--add-modules jdk.incubator.vector' to enable Vector API.
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (1 seconds)

The created document contains no dependencies:

dependency-check version: 11.1.0
Report Generated On: Tue, 19 Nov 2024 15:41:14 GMT
Dependencies Scanned: 0 (0 unique)
Vulnerable Dependencies: 0
Vulnerabilities Found: 0
Vulnerabilities Suppressed: 0

aikebah commented 5 days ago

It simply means your folder contains no supported filetypes for identifying dependencies.

Given your folder structure with Repos in it, it looks like you're scanning the raw bitbucket repositories storage location rather than a checked-out revision of your projects.

If that's the case I'm not surprised at all, as I can easily guess that bitbucket's backend storage will not use the actual filenames/files, but use more optimal storage files for storing your revisions.
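A quick way to confirm the diagnosis above before re-running a full scan is to walk the `--scan` target and list the files dependency-check's analyzers could actually use. The script below is an added example, not part of this thread or of the dependency-check project; the pattern table is an assumed subset of the file types the analyzers recognise (consult the analyzer documentation for the authoritative list), and both sample trees it builds (a bare-repository-style object store and a checked-out project) are constructed for the example.

```python
"""Pre-check for an OWASP dependency-check --scan target.

Walks a directory and reports which files would give the analyzers something to
work with. An empty result explains "Dependencies Scanned: 0" before a full run.
"""
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# Assumed subset of file patterns recognised by dependency-check's analyzers
# (Jar, Node package, Python, NuGet/Assembly, Bundler, Composer, Go, Cargo).
# Check the analyzer documentation for the authoritative list.
EVIDENCE_PATTERNS = {
    "Maven/Java": ["pom.xml", "*.jar", "*.war", "*.ear"],
    "Node": ["package.json", "package-lock.json", "yarn.lock", "pnpm-lock.yaml"],
    "Python": ["requirements.txt", "*.whl", "*.egg"],
    ".NET": ["packages.config", "*.csproj", "*.nupkg", "*.dll", "*.exe"],
    "Ruby": ["Gemfile.lock", "*.gemspec"],
    "PHP": ["composer.lock"],
    "Go": ["go.mod"],
    "Rust": ["Cargo.lock"],
}


def find_dependency_evidence(root):
    """Map ecosystem -> sorted list of matching paths (relative to root)."""
    root = Path(root)
    found = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        for ecosystem, patterns in EVIDENCE_PATTERNS.items():
            if any(fnmatch(path.name, pat) for pat in patterns):
                found.setdefault(ecosystem, []).append(path.relative_to(root).as_posix())
    return {eco: sorted(paths) for eco, paths in found.items()}


def looks_like_bare_repo(root):
    """Heuristic: a git-style object store (objects/ and refs/ directories) with
    no working-tree files. Such a tree is version-control backend storage, not a
    checkout, so the scanner sees only hash-named blobs."""
    root = Path(root)
    return ((root / "objects").is_dir() and (root / "refs").is_dir()
            and not find_dependency_evidence(root))


def build_sample_tree(base):
    """Construct two sample directories: a bare-repository-style store and a
    checked-out project. File names and contents are made up for the example."""
    base = Path(base)
    bare = base / "bare-repo"
    (bare / "objects" / "ab").mkdir(parents=True)
    (bare / "objects" / "ab" / "cdef0123456789").write_bytes(b"x\x9c")  # fake blob
    (bare / "refs" / "heads").mkdir(parents=True)
    (bare / "refs" / "heads" / "main").write_text("0123456789abcdef\n")
    (bare / "HEAD").write_text("ref: refs/heads/main\n")

    checkout = base / "checkout"
    (checkout / "lib").mkdir(parents=True)
    (checkout / "pom.xml").write_text("<project/>\n")
    (checkout / "lib" / "example-1.0.jar").write_bytes(b"PK\x03\x04")  # zip magic only
    (checkout / "package-lock.json").write_text("{}\n")
    return bare, checkout


def demo():
    """Build both trees in a temp dir and return what the pre-check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        bare, checkout = build_sample_tree(tmp)
        return {
            "bare_evidence": find_dependency_evidence(bare),
            "bare_is_bare_repo": looks_like_bare_repo(bare),
            "checkout_evidence": find_dependency_evidence(checkout),
            "checkout_is_bare_repo": looks_like_bare_repo(checkout),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `find_dependency_evidence` at the directory you pass to `--scan`: an empty dictionary means the run will report zero dependencies regardless of the NVD data, and `looks_like_bare_repo` returning true is a strong hint that the path is repository storage rather than a working copy that should be checked out first.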