Describe the bug
When depending upon an artifact with a classifier and a SNAPSHOT version, this results in the following error:
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.0:check (default) on project ssce-dependency-check: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR] DependencyNotFoundException: Expected dependency not found in resolved artifacts for dependency com.fake:fakeartifact:zip:native-linux:0.1-SNAPSHOT of project-artifact ssce-dependency-check
This error does not happen if the artifact is deployed in the LOCAL repository (because the file has the real version) but happens if the artifact comes from a remote repository (because the version is timestamped).
Version of dependency-check used
The problem was not there up to version 6.3.1.
Version 6.3.2 led to a NullPointerException.
Versions 6.4.0 to 6.5.0 lead to the above error using the Maven plugin.
To Reproduce
If you install any file in the local repo with a SNAPSHOT version and then depend upon it, it works correctly:
mvn install:install-file -Dfile=<anyFile.whatever> -DgroupId=com.fake -DartifactId=fakeartifact -Dversion=0.1-SNAPSHOT -Dpackaging=zip -Dclassifier=native-linux
But if you deploy the same file to a remote repo with a SNAPSHOT version, it does not work (you have to adapt the command to match your remote repo and launch the build with the mvn -U flag to force resolution):
mvn deploy:deploy-file -Dfile=<anyFile.whatever> -DgroupId=com.fake -DartifactId=fakeartifact -Dversion=0.1-SNAPSHOT -Dpackaging=zip -Dclassifier=native-linux -DrepositoryId=archiva.snapshots -Durl=https://archiva.olea-medical.local/repository/snapshots
Code update to solve the problem
In the BaseDependencyCheckMojo class, the private boolean sameArtifact method should be updated to not use:
ArtifactResult::getArtifact().getVersion()
but instead:
ArtifactResult::getArtifact().getBaseVersion()
Because getVersion() returns the timestamped version (something like 0.1-20211109.152740-2), whereas getBaseVersion() returns the 'real' version (something like 0.1-SNAPSHOT).
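The comparison described above, as an added example that is not code from the dependency-check project: it assumes Maven Resolver's org.eclipse.aether.artifact.DefaultArtifact, and the helper names sameArtifactByVersion / sameArtifactByBaseVersion and the timestamped coordinates are constructed for illustration. The first helper is the buggy form that fails to match a remotely resolved SNAPSHOT; the second matches on the base version.

```java
import org.eclipse.aether.artifact.Artifact;
import org.eclipse.aether.artifact.DefaultArtifact;

public class SnapshotArtifactMatch {

    // Shared coordinate check: group, artifact, classifier and extension
    // (the "zip" packaging and "native-linux" classifier from the report).
    private static boolean sameCoordinates(Artifact declared, Artifact resolved) {
        return declared.getGroupId().equals(resolved.getGroupId())
            && declared.getArtifactId().equals(resolved.getArtifactId())
            && declared.getClassifier().equals(resolved.getClassifier())
            && declared.getExtension().equals(resolved.getExtension());
    }

    // Buggy form: getVersion() on a SNAPSHOT resolved from a remote repository
    // is the timestamped version, so it never equals the declared "0.1-SNAPSHOT".
    static boolean sameArtifactByVersion(Artifact declared, Artifact resolved) {
        return sameCoordinates(declared, resolved)
            && declared.getVersion().equals(resolved.getVersion());
    }

    // Fixed form: getBaseVersion() maps "0.1-20211109.152740-2" back to
    // "0.1-SNAPSHOT", so locally installed and remotely deployed SNAPSHOTs
    // both match the declared dependency.
    static boolean sameArtifactByBaseVersion(Artifact declared, Artifact resolved) {
        return sameCoordinates(declared, resolved)
            && declared.getBaseVersion().equals(resolved.getBaseVersion());
    }

    public static void main(String[] args) {
        // Declared in the pom (constructed, matching the report's coordinates).
        Artifact declared = new DefaultArtifact(
            "com.fake", "fakeartifact", "native-linux", "zip", "0.1-SNAPSHOT");
        // As resolved from a remote repository (constructed timestamped version).
        Artifact resolvedRemote = new DefaultArtifact(
            "com.fake", "fakeartifact", "native-linux", "zip", "0.1-20211109.152740-2");
        // As resolved from the local repository (version kept as-is).
        Artifact resolvedLocal = new DefaultArtifact(
            "com.fake", "fakeartifact", "native-linux", "zip", "0.1-SNAPSHOT");

        System.out.println("remote getVersion():     " + resolvedRemote.getVersion());
        System.out.println("remote getBaseVersion(): " + resolvedRemote.getBaseVersion());
        System.out.println("local  by version:       " + sameArtifactByVersion(declared, resolvedLocal));
        System.out.println("remote by version:       " + sameArtifactByVersion(declared, resolvedRemote));
        System.out.println("remote by base version:  " + sameArtifactByBaseVersion(declared, resolvedRemote));
    }
}
```

Run it with maven-resolver-api on the classpath; the local and remote resolutions only agree once the base-version comparison is used.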