Open fcoene opened 5 years ago
I will have to double check my notes from when I wrote the parser. It was the latest version at the time, close to June 2018. I’ll have to pull my working environment off a hard disk backup and check. I’ll let you know in a couple of days.
Thanks.
On May 16, 2019, at 4:16 AM, fcoene notifications@github.com wrote:
The [2.2, 4.3] (in your plugin.xml) do not exist in OWASP Dependency Check. The latest versions are 3.3.4, 4.0.2 or 5.0.0-M3 (https://github.com/jeremylong/DependencyCheck/releases). Which version is the plugin written for? I can't get it to parse 5.0.0-M3 or 4.0.2 scan.json files.
FYI, after testing it on different environments, it seems the plugin does work with the latest scan versions but it fails on SSC servers with an Oracle backend due to more strict parameter types & automatic conversions.
Interesting. That seems like an API issue in SSC. Can you send me some info regarding the errors? I can see if it needs Fortify Engineering attention.
Thanks.
On May 20, 2019, at 4:25 AM, fcoene notifications@github.com wrote:
FYI, after testing it on different environments, it seems the plugin does work with the latest scan versions but it fails on SSC servers with an Oracle backend due to more strict parameter types & automatic conversions.
The scan processing fails on an "org.hibernate.engine.jdbc.spi.SqlExceptionHelper" error due to an Oracle ORA-06553 PLS-306 "wrong number or types of arguments in call to UPDATEEXISTINGWITHLATEST" exception.
I solved it. It turns out that your plugin doesn't really parse the scanDate. The scanDate case label is never hit as it is embedded under the projectInfo JSON block, so I think it stays uninitialized. It seems that MySQL has no problem saving this but Oracle does. When you look at the engineVersion, it is embedded in the scaninfo block, so you have a function to extract it. scanDate is also embedded in a JSON block (projectInfo), so you need a function to extract this as well.
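The failure mode described in the comment above, as an added example that is not the plugin's own code: a streaming parser that only matches top-level field names never reaches a `scanDate` label nested under `projectInfo`, while a per-block helper like the one used for `engineVersion` does. It assumes jackson-core 2.x on the classpath; the class name, `extractFrom`, the `descend` flag and the sample JSON (with key names taken from the comment) are constructed for illustration.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import java.io.IOException;

public class NestedScanDateDemo {
    // Constructed sample; key names follow the comment above, not a real report.
    static final String SAMPLE = "{\"scanInfo\":{\"engineVersion\":\"4.0.2\"},"
        + "\"projectInfo\":{\"name\":\"demo\",\"scanDate\":\"2019-05-20T04:25:00Z\"},"
        + "\"dependencies\":[]}";

    // Hypothetical helper: parser sits on a field's value; returns the wanted scalar.
    static String extractFrom(JsonParser p, String wanted) throws IOException {
        String found = null;
        if (p.getCurrentToken() != JsonToken.START_OBJECT) { p.skipChildren(); return null; }
        while (p.nextToken() == JsonToken.FIELD_NAME) {
            String key = p.getCurrentName();
            JsonToken value = p.nextToken();
            if (wanted.equals(key) && value.isScalarValue()) found = p.getText();
            else p.skipChildren();   // skip nested objects/arrays we do not need
        }
        return found;
    }

    // descend=false mimics a parser that only matches top-level field names.
    static String[] parse(String json, boolean descend) throws IOException {
        String engineVersion = null, scanDate = null;
        try (JsonParser p = new JsonFactory().createParser(json)) {
            p.nextToken();           // START_OBJECT of the report
            while (p.nextToken() == JsonToken.FIELD_NAME) {
                String field = p.getCurrentName();
                JsonToken value = p.nextToken();
                if (field.equals("scanInfo")) engineVersion = extractFrom(p, "engineVersion");
                else if (field.equals("projectInfo") && descend) scanDate = extractFrom(p, "scanDate");
                else if (field.equals("scanDate") && value.isScalarValue()) scanDate = p.getText();
                else p.skipChildren();   // with descend=false, projectInfo is skipped here
            }
        }
        return new String[] { engineVersion, scanDate };
    }

    public static void main(String[] args) throws IOException {
        for (boolean descend : new boolean[] { false, true }) {
            String[] r = parse(SAMPLE, descend);
            System.out.println("descend=" + descend + " engine=" + r[0] + " scanDate="
                + (r[1] == null ? "MISSING (fail here, not in the database)" : r[1]));
        }
    }
}
```

Checking for a null `scanDate` before the scan is handed to the backend surfaces the parsing gap on every database, instead of only where the driver rejects the untyped value.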