Does not work for multimodule project #2
Comments
|
The Dependency-Check report must exist in the workspace that is being scanned. By default, the Dependency-Check Sonar plugin will use 'dependency-check-report.xml' if sonar.dependencyCheck.reportPath is not specified. You may have to specify sonar.dependencyCheck.reportPath if the report is in a subdirectory or has another name. |
|
A report is not generated when no dependencies were found. This consequently breaks the sonar plugin, as it always expects the XML file. |
|
Maybe I've configured it incorrectly. In our corporate parent pom, I've configured the reporting section something like this <reporting>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<reportSets>
<reportSet>
<reports>
<report>check</report>
<report>aggregate</report>
</reports>
</reportSet>
</reportSets>
<configuration>
<skipProvidedScope>true</skipProvidedScope>
<format>ALL</format>
</configuration>
</plugin>
</plugins>
</reporting>A typical project has a parent (that inherits from the corporate parent pom) and then a ear and war module. Both ear and war have dependencies, the project pom does not. After doing a site build, a listing of the dependency check created artifacts look like this |
|
I checked in a fix for a defect I discovered that would produce the 'does not exist' message when no report was specified or existed. d7fc427 I've tested it using a Sonar config similar to the following: sonar.modules=parent,module1,module2 In this scenario, the aggregated Dependency-Check report will show up in the 'parent' module. Not sure if there's a better way to do this or not. Test the code in the master branch and see if that solves the reported issue. |
…nalyzed contains a dependency check report file and will fail if it doesn't.
Thanks so much for all the work. |
|
I've never see both check and aggregate in the same config like that. I typically use the check goal in The aggregate will produce the report in ./target/site. This is the aggregate config I usually use: <reporting>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>1.2.11</version>
<reportSets>
<reportSet>
<reports>
<report>aggregate</report>
</reports>
</reportSet>
</reportSets>
<configuration>
<format>ALL</format>
</configuration>
</plugin>
</plugins>
</reporting> |
|
So maybe I'm trying to do something that's not possible (yet). Our setup is that we have one corporate parent pom that configures all plugins, reports, etc. Then ~150 projects inherit from that with 3-25+ modules per project. That way each project typically only has to specify their dependencies. |
|
What you're attempting to do should be possible and in fact is a very common way to standardize and simplify Maven builds. From the file listing you provided, it appears that the XML report is not being generated in ./target/site like it should be. This is unusual and I'm unable to reproduce this. If you're having difficulties producing the report, you may want to head over to https://github.com/jeremylong/DependencyCheck/issues or https://groups.google.com/forum/#!forum/dependency-check and ask around. When you're at a point where the report is being produced, go ahead and try the sonar plugin again and let me know if you have any issues. |
|
I've tested the plugin with multiple multi-module projects and the current release appears to work. I'm closing the ticket. If you experience issues again with multi-module projects not working, feel free to reopen the ticket. |
The sonar:sonar step will fail on a multimodule project where the top level has packaging of "pom"
You get an error like this:
Failed to execute goal org.codehaus.mojo:sonar-maven-plugin:2.6:sonar (default-cli) on project MyTopModuleName: Dependency-Check report does not exist. Please check property sonar.dependencyCheck.reportPath: dependency-check-report.xml
The text was updated successfully, but these errors were encountered: