A sub-project in my Gradle multi-project build is triggering a false positive. If the jar file for the sub-project has previously been built, then a gav or packageUrl suppression prevents the false positive. If the jar does not exist in the build directory, then only an sha1 suppression works, which would need frequent maintenance during ongoing development.

I am running the build using Gradle 6.6 on AdoptOpenJDK build 1.8.0_265-b01.

Example build:

settings.gradle:

build.gradle:

suppressions.xml:

not-elasticsearch is empty, except for what is configured in the top-level build.gradle above (via the allprojects block). In other words, it has no separate build.gradle; the 3 files above are all that exist in the project.

Steps to reproduce:

./gradlew :dependencyCheckAggregate - build fails
./gradlew jar
./gradlew :dependencyCheckAggregate - build succeeds
./gradlew cleanJar
./gradlew :dependencyCheckAggregate - build fails again

Expected behaviour:

The packageUrl suppression should work without the sub-project's jar file being present in the build directory, so all three invocations of dependencyCheckAggregate should succeed.

Workarounds

1. Specify an sha1 suppression. This is fragile and requires updating for every code change in the sub-project.
2. Add a task dependency to ensure the sub-project's jar file is built before running dependencyCheckAggregate. This makes running the check on its own take longer. E.g.