Regression: DependencyCheck is once again Maven 3.1+ only #1313
Comments
Related to #1054. @jeremylong, why did you go back to 3.1.0 rather than 3.0.0? (AFAICT before that DC was compatible with the 3.0 series of Maven, and even now the prerequisites of the DC maven plugin state that it requires a minimum Maven version of 3.0.0.)
Dependency-check requires at least Maven 3.1. This is clearly listed in the documentation: https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html. When you say the DC maven plugin states it requires a minimum Maven version of 3.0.0, I'm assuming you are talking about the
I believe when trying to solve some dependency resolution errors we ended up having to use the 3.1 API.
To add: yes, dependency-check previously "worked" with Maven 3.0. To be able to support new versions of Maven we ended up needing to use the 3.1 API.
The prerequisites are the way for a plugin to indicate the Maven version required to run the plugin, see
The abuse of it to (also) indicate the Maven required to build the project is what is deprecated. I have not seen any issues for the newer versions of Maven with the 3.0 series of the API (I have been running DC 3.0.1 with a mixture of Maven 3.0.x, 3.3.x and 3.5.x). What issues were there with the 3.0 series API? (AFAIK the only potential downside is not being able to benefit from new additions to the API in our plugin.) In the past there used to be the org.eclipse vs org.sonatype issue, but that has been fixed with the use of Maven's own 'multi-maven capable magic' libraries for the dependency resolution parts of Maven.
The Maven plugin that most closely resembles the requirements that DC has on Maven still uses the 3.0 API in its latest version:
So I fail to see how (if properly coded) the DependencyCheck Maven plugin would fail to work correctly in modern Maven versions due to the 3.0 API dependency.
Hans, I apologize. I really shouldn't answer your questions/issues until I've had more coffee and can be sure I'm giving a 100% correct answer. I truly appreciate all the assistance you've given to this project: answering questions, providing PRs, etc. We wouldn't be where we are without your contributions. So back to the 3.1.0 vs. 3.0.x: reverting to 3.0.5 is easy (I'd rather not go below that due to CVE-2013-0253). However, there appear to have been changes to the logging system from 3.0 to 3.1. While the branch I created, maven3.0.5, works in 3.0.5, it doesn't write any debugging or info information to the log.
See the info on logging here: https://maven.apache.org/maven-logging.html
I see, that indeed makes it worse to support Maven below 3.1. The good part is that there is a workaround possible, however I'm not sure if we should really go into that direction to retain compatibility with Maven 3.0.x. To get (debug) logging working on Maven 3.0.5:
So feel free to close it as a "won't fix" if you agree that we should not use such wizardry to keep it running on Maven 3.0.x (the only item that needs fixing in that case is that the 'prerequisites' should be configured for the correct Maven version, which you already did on master (although the code on the branch, using the maven api version property, is the better (future-proof) alternative)).
I would rather not support the 3.0 version of Maven. However, we are now using the maven api version property for the
As discovered in one of our builds after upgrading from DependencyCheck 3.0.1 to 3.2.1, DependencyCheck has again received some direct dependencies on org.eclipse.aether libraries, which causes it to fail when executed on Maven 3.0.
In the past I fixed this to allow us to upgrade to the latest DependencyCheck and benefit from all other improvements, but since then apparently a regression has entered the Maven plugin. Will look into this one myself to see where it was introduced and whether a fix can be made to re-enable running DependencyCheck with Maven 3.0.
We have stable projects whose results run in production that require Maven 3.0 due to other plugins. We build them periodically to ensure that the build is still stable and none of the used dependencies have known vulnerabilities, but we prefer to not update those projects until functional features are to be added or vulnerabilities are to be fixed. So retaining compatibility with Maven 3.0 is very desirable to us.
The (redacted) symptom indicating the incompatibility from our Jenkins build log:
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:3.2.1:check (default) on project ********: A type incompatibility occured while executing org.owasp:dependency-check-maven:3.2.1:check: org.sonatype.aether.util.DefaultRepositorySystemSession cannot be cast to org.eclipse.aether.RepositorySystemSession
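As an added illustration (example code written for this page, not code from DependencyCheck or from anyone in the thread): a small Python check that applies the two compatibility rules the thread turns on to a plugin POM. Rule one is the `<prerequisites><maven>` element that Hans describes as the plugin's declared minimum Maven version; rule two is the Aether split behind the log line above, where Maven 3.0.x provides `org.sonatype.aether` and Maven 3.1+ provides `org.eclipse.aether`, so a direct dependency on either line ties the plugin to that Maven series. The POM below is a constructed sample for a hypothetical plugin, not the real dependency-check-maven POM; it declares a 3.1.0 prerequisite together with a direct `org.eclipse.aether` dependency, which is the combination that fails with the cast error on Maven 3.0.x.

```python
"""Added example: does a Maven plugin's POM admit a given Maven runtime?

Two rules taken from the issue discussion:
  1. <prerequisites><maven> is the plugin's declared minimum Maven version.
  2. Maven 3.0.x ships org.sonatype.aether, Maven 3.1+ ships org.eclipse.aether,
     so a direct dependency on one Aether line ties the plugin to that series
     (the ClassCastException in the build log is the 3.0.x symptom).
"""
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM for a hypothetical plugin; NOT dependency-check-maven's POM.
SAMPLE_PLUGIN_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-maven-plugin</artifactId>
  <version>1.0.0</version>
  <packaging>maven-plugin</packaging>
  <prerequisites>
    <maven>3.1.0</maven>
  </prerequisites>
  <dependencies>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-core</artifactId>
      <version>3.1.0</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.eclipse.aether</groupId>
      <artifactId>aether-api</artifactId>
      <version>0.9.0.M2</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version):
    """'3.0.5' -> (3, 0, 5); '3.1' -> (3, 1, 0); qualifiers such as '-SNAPSHOT' are ignored."""
    numbers = []
    for part in version.replace("-", ".").split("."):
        if not part.isdigit():
            break
        numbers.append(int(part))
    return tuple((numbers + [0, 0, 0])[:3])


def required_maven(pom_xml):
    """Return the <prerequisites><maven> value, or None when the POM declares none."""
    root = ET.fromstring(pom_xml)
    text = root.findtext("m:prerequisites/m:maven", default=None, namespaces=POM_NS)
    return text.strip() if text else None


def direct_aether_dependencies(pom_xml):
    """List (groupId, artifactId) of direct dependencies on either Aether line."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        group = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        if group in ("org.sonatype.aether", "org.eclipse.aether"):
            found.append((group, artifact))
    return found


def check_compatibility(pom_xml, runtime_maven):
    """Return (compatible, reasons) for running the plugin under runtime_maven."""
    reasons = []
    runtime = parse_version(runtime_maven)
    declared = required_maven(pom_xml)
    if declared is not None and parse_version(declared) > runtime:
        reasons.append(f"prerequisites require Maven {declared}, runtime is {runtime_maven}")
    for group, artifact in direct_aether_dependencies(pom_xml):
        if group == "org.eclipse.aether" and runtime < (3, 1, 0):
            reasons.append(f"{group}:{artifact} needs Maven 3.1+; "
                           f"Maven {runtime_maven} provides org.sonatype.aether")
        elif group == "org.sonatype.aether" and runtime >= (3, 1, 0):
            reasons.append(f"{group}:{artifact} is the Maven 3.0 Aether; "
                           f"Maven {runtime_maven} provides org.eclipse.aether")
    return (not reasons, reasons)


if __name__ == "__main__":
    for maven in ("3.0.5", "3.5.4"):
        ok, why = check_compatibility(SAMPLE_PLUGIN_POM, maven)
        print(f"Maven {maven}: {'compatible' if ok else 'INCOMPATIBLE'}")
        for line in why:
            print("  -", line)
```

Run against the sample, Maven 3.0.5 is rejected for both reasons while 3.5.4 passes. Pointing `check_compatibility` at a real plugin POM only inspects direct dependencies; an Aether dependency pulled in transitively would need the resolved dependency tree (for instance `mvn dependency:tree`) rather than the POM alone.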