Describe the bug
When running version 6.1.5 of the CLI OWASP dependency checker, the bundle-audit results are not included. In the logs, I can see bundle-audit is run but the Gemfile.lock in the generated report always shows 0 vulnerabilities despite manual runs of bundle-audit indicating there are vulnerabilities. Other vulnerabilities in Javascript code are reported correctly.
Version of dependency-check used
The problem occurs using version 6.1.5 of the CLI
Log file
https://gist.github.com/conman2305/e015cf818aa0d1618fce980769c903bb
I think (?) the issue might be here:
[INFO] Launching: [bundle-audit, version] from /home/app
[WARN] Warnings from bundle-audit
[INFO] Ruby Bundle Audit Analyzer is enabled and is using bundle-audit with version details: bundler-audit 0.8.0
. Note: It is necessary to manually run "bundle-audit update" occasionally to keep its database up to date.
[WARN] Did not find org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer.
[INFO] Launching: [bundle-audit, check, --verbose] from /home/app
[INFO] Launching: [bundle-audit, check, --verbose] from /home/app
[INFO] Launching: [bundle-audit, check, --verbose] from /home/app
[WARN] Warnings from bundle-audit
[WARN] Warnings from bundle-audit
[WARN] Warnings from bundle-audit
[INFO] Finished Ruby Bundle Audit Analyzer (0 seconds)
This seems similar to #1086 but this is not a Rails app. There is only one Gemfile.lock in the /home/app directory.
To Reproduce
Steps to reproduce the behavior:
Download and extract dependency-check CLI
Install bundle-audit (gem install bundle-audit), verify that bundle-audit can be run manually
Execute bundle-audit update to pull latest report DB
/tmp/owasp/dependency-check/bin/dependency-check.sh --project "$PROJECT_NAME" --scan "$(pwd)" --bundleAuditWorkingDirectory "$(pwd)" -o /opt/output -l log --disableYarnAudit
Expected behavior
The dependency check reports should also include the results from bundle-audit
Additional context
I don't think it would matter, but this is being run inside a docker container. None of the directories being scanned are volume mounted and the CLI script is being invoked by the user that owns /home/app
Sorry about that... Can't believe I used a while (bufferedReader.ready()) to test if we should continue to read from the stream.... The fix will be included in the next release.
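The read loop the maintainer refers to, as an added illustration written for this page rather than dependency-check's own code: a child process's stdout is consumed once with a `while (reader.ready())` loop and once with the usual end-of-stream loop. It assumes a POSIX `sh` is available; the child command and the lines it prints are constructed stand-ins for bundle-audit.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;

public class ReadyLoopDemo {
    // Buggy pattern: ready() only reports whether bytes are available right now,
    // not whether the stream has ended. If the child has not written anything yet,
    // the loop exits immediately and whatever the child prints later is never read.
    static List<String> readWhileReady(Process p) throws IOException {
        List<String> lines = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            while (r.ready()) {
                lines.add(r.readLine());
            }
        }
        return lines;
    }

    // Correct pattern: readLine() blocks until a full line arrives and returns
    // null only at end-of-stream, i.e. once the child has closed its stdout.
    static List<String> readUntilEof(Process p) throws IOException {
        List<String> lines = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                lines.add(line);
            }
        }
        return lines;
    }

    // Constructed stand-in for bundle-audit: pauses before printing two lines,
    // like a scanner that loads its advisory database before reporting findings.
    static Process slowChild() throws IOException {
        String script = "sleep 1; echo 'Name: rails'; echo 'Advisory: EXAMPLE-ADVISORY-ID'";
        return new ProcessBuilder("sh", "-c", script).start();
    }

    public static void main(String[] args) throws Exception {
        Process p1 = slowChild();
        List<String> dropped = readWhileReady(p1);
        p1.waitFor();
        Process p2 = slowChild();
        List<String> complete = readUntilEof(p2);
        p2.waitFor();
        System.out.println("ready() loop captured " + dropped.size() + " line(s); EOF loop captured " + complete.size());
    }
}
```

Because the child sleeps before writing, the `ready()` loop normally returns an empty list while the end-of-stream loop returns both lines, which is exactly how a scanner that runs fine by hand can show up as zero findings in the report.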