Closed brabster closed 7 years ago
Output looks like:
"Generating report..." "Done." Exception in thread "main" clojure.lang.ExceptionInfo: Vulnerable Dependencies! {:vulnerable ({:dependency #object[org.owasp.dependencycheck.dependency.Dependency 0x67fe380b "Dependency{ fileName='jackson-core-2.8.6.jar', actualFilePath='/home/paul/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.8.6/jackson-core-2.8.6.jar', filePath='/home/paul/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.8.6/jackson-core-2.8.6.jar', packagePath='/home/paul/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.8.6/jackson-core-2.8.6.jar'}"], :vulnerabilities #{#object[org.owasp.dependencycheck.dependency.Vulnerability 0x4a325eb9 "Vulnerability CVE-2016-7051\nReferences:\n=> Reference: { name='97688', url='http://www.securityfocus.com/bid/97688', source='BID' }\n=> Reference: { name='https://bugzilla.redhat.com/show_bug.cgi?id=1378673', url='https://bugzilla.redhat.com/show_bug.cgi?id=1378673', source='CONFIRM' }\n\nSoftware:\n=> VulnerableSoftware{cpe:/a:fasterxml:jackson:-[null]}\n"]}})}, compiling:(/tmp/form-init6839563366109141879.clj:1:73)
Not the most readable output, but I think using the toString methods provided by the lib is a good idea, and the output now has the CVE numbers and references you need to go track down the specifics.
Hi @dgknght, do you know when 0.2.2 will be available in clojars?
@brabster, published it just now. Thanks for the PR!
Augment the exception and log output to include details of the vulnerabilities found, not just the dependencies that have vulnerabilities. This is useful when trying to assess the impact of a vulnerability.
Bumped version to 0.2.2-SNAPSHOT, bumped versions in docs assuming release will be 0.2.2
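As an added example (not the plugin's own code), one way to produce the per-CVE detail the PR describes while keeping the exception data machine-readable rather than relying on object toString output. Plain Clojure maps stand in for the dependency-check Dependency and Vulnerability objects, and the sample data is constructed from the CVE-2016-7051 entry in the output above.

```clojure
(ns example.nvd-report
  (:require [clojure.string :as str]))

;; Constructed sample: one dependency carrying one vulnerability, in the shape
;; the analyzer's Dependency/Vulnerability/Reference objects would expose.
(def sample-vulnerable
  [{:file-name "jackson-core-2.8.6.jar"
    :vulnerabilities
    [{:name "CVE-2016-7051"
      :references [{:name "97688"
                    :url "http://www.securityfocus.com/bid/97688"
                    :source "BID"}
                   {:name "https://bugzilla.redhat.com/show_bug.cgi?id=1378673"
                    :url "https://bugzilla.redhat.com/show_bug.cgi?id=1378673"
                    :source "CONFIRM"}]}]}])

(defn vulnerability-summary
  "Reduce one vulnerability to what an analyst needs to assess impact:
  the CVE id and the reference URLs to follow."
  [v]
  {:cve (:name v)
   :references (mapv :url (:references v))})

(defn dependency-summary [d]
  {:dependency (:file-name d)
   :vulnerabilities (mapv vulnerability-summary (:vulnerabilities d))})

(defn report-lines
  "One human-readable log line per CVE, with the dependency and references."
  [summaries]
  (for [{:keys [dependency vulnerabilities]} summaries
        {:keys [cve references]} vulnerabilities]
    (format "%s: %s (%s)" dependency cve (str/join ", " references))))

(defn fail-on-vulnerabilities!
  "Log the details, then throw ex-info whose ex-data is plain data so CI
  tooling can consume it while the message stays readable for humans."
  [vulnerable]
  (let [summaries (mapv dependency-summary vulnerable)]
    (when (seq summaries)
      (doseq [line (report-lines summaries)] (println line))
      (throw (ex-info (str "Vulnerable Dependencies!\n"
                           (str/join "\n" (report-lines summaries)))
                      {:vulnerable summaries})))))

(comment
  ;; Prints "jackson-core-2.8.6.jar: CVE-2016-7051 (...)" and throws.
  (fail-on-vulnerabilities! sample-vulnerable))
```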