Describe the bug
There is a chance that I do not see the logic behind but what I see:
- the LAST_CHECKED date information of retirejs and hosted suppression is stored in the central database
- the actual
publishedSuppressions.xml or jsrepository.json is stored in the local file system (.m2)
this leads to inconsistent data. Where the database property can state that the file is up to date but locally the copy might be outdated or even none existing.
Also the fact that such an update performs a write operation to the database leads to below warning since the usual scan user (dcuser) does not have write permission to this shared database. But this depends on the setup.
[WARNING] Unable to save property 'retirejs.checked' with a value of '12345678' to the database
This was introduced in jeremylong/DependencyCheck#6260. I've put a comment on #6399 which is related but not the same.
Version of dependency-check used
The problem occurs using version 9.0.7 & 9.0.9ff
Expected behavior
Up to date information for local files must be stored locally.
Additional context
We use a central (PostgreSQL) database as mirror for the NVD data. A regular job executes org.owasp:dependency-check-maven:9.0.9:update-only using a privileged database user. The actual scans run independently on distributed systems where the less privileged dcuser is used to access the database.
Describe the bug
There is a chance that I do not see the logic behind but what I see:
publishedSuppressions.xmlorjsrepository.jsonis stored in the local file system (.m2)this leads to inconsistent data. Where the database property can state that the file is up to date but locally the copy might be outdated or even none existing.
Also the fact that such an update performs a write operation to the database leads to below warning since the usual scan user (dcuser) does not have write permission to this shared database. But this depends on the setup.
This was introduced in jeremylong/DependencyCheck#6260. I've put a comment on #6399 which is related but not the same.
Version of dependency-check used
The problem occurs using version 9.0.7 & 9.0.9ff
Expected behavior
Up to date information for local files must be stored locally.
Additional context
We use a central (PostgreSQL) database as mirror for the NVD data. A regular job executes
org.owasp:dependency-check-maven:9.0.9:update-onlyusing a privileged database user. The actual scans run independently on distributed systems where the less privilegeddcuseris used to access the database.