dependency-check-maven's yarnAuditAnalyzerEnabled doesn't work #6619
Comments
Hi! Thank you for raising this issue you are facing. Based on the If you look at your POM, you specified a <reporting>

```xml
<reporting>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>9.1.0</version>
      <configuration>
        <yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled>
      </configuration>
      <reportSets>
        <reportSet>
          <reports>
            <report>aggregate</report>
          </reports>
        </reportSet>
      </reportSets>
    </plugin>
  </plugins>
</reporting>
```

But if you look at your logs, this is the

This is because when executing your Maven command:

I would suggest you come with the following declaration in your parent-pom:

```xml
<build>
  <pluginManagement>
    <plugins>
      <!-- -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>9.1.0</version>
        <configuration>
          <yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled>
        </configuration>
      </plugin>
    </plugins>
  </pluginManagement>
</build>
<reporting>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <reportSets>
        <reportSet>
          <reports>
            <report>aggregate</report>
          </reports>
        </reportSet>
      </reportSets>
    </plugin>
  </plugins>
</reporting>
```

This way, when executing the

More information: Using the <reporting> Tag VS <build> Tag

Could you tell me if you see any improvement by doing this?
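As an added example (not code from this thread or from the dependency-check project), a small Python check that flags the misconfiguration described in the reply above: settings placed only under <reporting>, which Maven does not apply when the plugin runs as a build goal. The POM it parses is constructed to mirror the reporter's reporting-only layout.

```python
# Added example (not from the issue thread or the dependency-check project):
# flag dependency-check-maven settings that live only under <reporting>, since
# Maven does not apply <reporting> configuration when the plugin runs as a build goal.
import xml.etree.ElementTree as ET

PLUGIN = ("org.owasp", "dependency-check-maven")
BUILD_PATHS = ("build/plugins/plugin", "build/pluginManagement/plugins/plugin")
REPORTING_PATH = "reporting/plugins/plugin"


def _parse(pom_xml: str) -> ET.Element:
    """Parse the POM and drop the Maven XML namespace so plain tag paths work."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _config_keys(root: ET.Element, path: str) -> set[str]:
    """Names of <configuration> children of dependency-check-maven under `path`."""
    keys: set[str] = set()
    for plugin in root.findall(path):
        gid = plugin.findtext("groupId", default="")
        aid = plugin.findtext("artifactId", default="")
        if (gid, aid) != PLUGIN:
            continue
        cfg = plugin.find("configuration")
        if cfg is not None:
            keys.update(child.tag for child in cfg)
    return keys


def reporting_only_settings(pom_xml: str) -> list[str]:
    """Settings set under <reporting> but under no <build> entry (ignored by build goals)."""
    root = _parse(pom_xml)
    build_keys: set[str] = set()
    for path in BUILD_PATHS:
        build_keys |= _config_keys(root, path)
    return sorted(_config_keys(root, REPORTING_PATH) - build_keys)


# Constructed sample POM mirroring the reporter's reporting-only layout.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <reporting><plugins><plugin>
    <groupId>org.owasp</groupId><artifactId>dependency-check-maven</artifactId>
    <configuration><yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled></configuration>
  </plugin></plugins></reporting>
</project>"""

if __name__ == "__main__":
    print(reporting_only_settings(SAMPLE_POM))  # ['yarnAuditAnalyzerEnabled']
```

An empty result means every <reporting> setting is also declared under <build> or <build>/<pluginManagement>, which is the layout the reply recommends.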
Thank you - that was the issue. After making the changes you recommended everything worked 😀 I was looking at the second example in the documentation here and didn't realize that I still needed to define the build plugin (it just shows the reporting plugin section). Thank you for your help - much appreciated 🙏
Describe the bug
When I run the dependency-check-maven plugin, one of my Maven modules suddenly seems to trigger something to do with Yarn and makes the execution of the dependency-check-maven plugin fail. It fails with the following error:

`IOException: Cannot run program "yarn": CreateProcess error=2, The system cannot find the file specified`

I modified my Maven pom.xml file to configure "yarnAuditAnalyzerEnabled" to false, but it still seems to be looking for Yarn and failing. I'm not sure why this specific module is triggering this yarn-stuff... I looked for some hidden build artifacts in the module but couldn't find anything. I know one can also configure "pathToYarn" but I don't want to do that - I just want to disable something successfully so that I can continue...
Version of dependency-check used
9.1.0
Log file
gist: my maven build file for that module
gist: error on executing the maven build
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I expect the dependency-check-maven plugin to execute successfully and to not try and execute anything using Yarn when I've configured "yarnAuditAnalyzerEnabled" to false.
Additional context
N/A