Describe the bug
When running an aggregate scan on a multimodule project where multiple submodules depend on the same in-reactor module, multiple virtual dependencies are registered in the report.
Strangely enough, the number of virtual dependencies is one less than the number of dependencies for which a virtual dependency gets created.
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o org.owasp.test.aggregate.issue-3944:lib:jar:1.0.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o org.owasp.test.aggregate.issue-3944:lib:jar:1.0.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o org.owasp.test.aggregate.issue-3944:lib:jar:1.0.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o org.owasp.test.aggregate.issue-3944:lib:jar:1.0.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
[INFO]
[INFO] --- dependency-check-maven:6.5.2:aggregate (default) @ parent ---
[INFO] Unable to resolve org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT as it has not been built yet - creating a virtual dependency instead.
[INFO] Unable to resolve org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT as it has not been built yet - creating a virtual dependency instead.
[INFO] Unable to resolve org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT as it has not been built yet - creating a virtual dependency instead.
[INFO] Unable to resolve org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT as it has not been built yet - creating a virtual dependency instead.
Resulted in a report with 3 (non-vulnerable) dependencies
| Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT | | pkg:maven/org.owasp.test.aggregate.issue-3944/lib@1.0.0-SNAPSHOT | | 0 | | 6 |
| org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT | | pkg:maven/org.owasp.test.aggregate.issue-3944/lib@1.0.0-SNAPSHOT | | 0 | | 6 |
| org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT | | pkg:maven/org.owasp.test.aggregate.issue-3944/lib@1.0.0-SNAPSHOT | | 0 | | 6 |
Version of dependency-check used
The problem occurs using versions 6.5.1 and 6.5.2 of the Maven plugin (and likely older as well).
To Reproduce
Will be provided in a new it-test
Expected behavior
A single or no (not quite sure what the expected behavior for the in-reactor dependencies is) virtual dependency listed in the aggregate report.
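A check a build pipeline could run over the Maven log to spot the condition reported above, as an added example that is not part of the original issue or of the dependency-check project: it counts the "creating a virtual dependency instead" messages per coordinate and flags any coordinate for which more than one was logged. The sample log is constructed from the lines in this issue; `com.example:other:2.0.0`, the colourised line and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the [INFO] lines quoted in this issue.
# The last line is a constructed, ANSI-coloured variant for a second module.
_MSG = "as it has not been built yet - creating a virtual dependency instead."
_LIB = "org.owasp.test.aggregate.issue-3944:lib:1.0.0-SNAPSHOT"
SAMPLE_LOG = "\n".join(
    ["[INFO] --- dependency-check-maven:6.5.2:aggregate (default) @ parent ---"]
    + [f"[INFO] Unable to resolve {_LIB} {_MSG}"] * 4
    + [f"[\x1b[1;34mINFO\x1b[m] Unable to resolve com.example:other:2.0.0 {_MSG}"]
)

# Maven colours the log level on terminals and in some CI logs; strip that first.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")
VIRTUAL_RE = re.compile(
    r"^\[INFO\] Unable to resolve (\S+) as it has not been built yet"
    r" - creating a virtual dependency instead\.\s*$"
)


def virtual_dependency_counts(log_text):
    """Count 'creating a virtual dependency' messages per Maven coordinate."""
    counts = Counter()
    for raw in log_text.splitlines():
        match = VIRTUAL_RE.match(ANSI_RE.sub("", raw))
        if match:
            counts[match.group(1)] += 1
    return counts


def repeated_virtual_dependencies(log_text):
    """Coordinates with more than one virtual dependency message in the log."""
    counts = virtual_dependency_counts(log_text)
    return {gav: n for gav, n in counts.items() if n > 1}


if __name__ == "__main__":
    repeated = repeated_virtual_dependencies(SAMPLE_LOG)
    for gav, n in sorted(repeated.items()):
        print(f"{gav}: {n} virtual dependency messages; "
              "check the aggregate report for duplicate rows")
    # A non-zero exit status lets a CI step surface the condition.
    raise SystemExit(1 if repeated else 0)
```
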