Summary
The analyzers below (and others) have accidentally become disabled by default in 12.1.7.
Ruby Bundle Audit Analyzer
Nuspec Analyzer
Node.js Package Analyzer
Node Audit Analyzer
Yarn Audit Analyzer
The other experimental or opt-in file-based ones at https://dependency-check.github.io/DependencyCheck/analyzers/index.html will also be disabled by default if they rely on 'src/main/resources', 'src/main/webapp', './package.json', './package-lock.json', './npm-shrinkwrap.json', './yarn.lock', './pnpm.lock', 'pnpm-lock.yaml', './Gopkg.lock' or './go.mod'.
Detail
With config like the below:
dependencyCheck {
    failBuildOnCVSS = 1
    failBuildOnUnusedSuppressionRule = true
    suppressionFile = rootProject.file('build-platform/dependency-check-suppress.xml').toPath().toString()
    skipTestGroups = true
    nvd.apiKey = System.getenv("NVD_API_KEY") ?: ""
    analyzers.ossIndex.username = System.getenv("OSS_INDEX_USERNAME") ?: ""
    analyzers.ossIndex.password = System.getenv("OSS_INDEX_API_KEY") ?: ""
    analyzers.assemblyEnabled = false // Avoid dotnet false positives
}
On 12.1.7 it ran only these analyzers:
Analysis Started
Finished Archive Analyzer (1 seconds)
Finished File Name Analyzer (0 seconds)
Finished Jar Analyzer (0 seconds)
Finished Dependency Merging Analyzer (0 seconds)
Finished Hint Analyzer (0 seconds)
Finished Version Filter Analyzer (0 seconds)
Created CPE Index (0 seconds)
Finished CPE Analyzer (2 seconds)
Finished False Positive Analyzer (0 seconds)
Finished NVD CVE Analyzer (0 seconds)
Finished RetireJS Analyzer (0 seconds)
Finished Sonatype OSS Index Analyzer (2 seconds)
Finished Vulnerability Suppression Analyzer (0 seconds)
Finished Known Exploited Vulnerability Analyzer (0 seconds)
Finished Dependency Bundling Analyzer (0 seconds)
This is what it runs with 12.1.6; i.e. the analyzers in bold have become disabled by default:
Analysis Started
Finished Archive Analyzer (1 seconds)
**Finished Ruby Bundle Audit Analyzer (0 seconds)**
Finished File Name Analyzer (0 seconds)
Finished Jar Analyzer (0 seconds)
Finished Central Analyzer (0 seconds) (this was intentionally disabled by default in 12.1.7)
**Finished Nuspec Analyzer (0 seconds)**
**Finished Node.js Package Analyzer (0 seconds)**
Finished Dependency Merging Analyzer (1 seconds)
Finished Hint Analyzer (0 seconds)
Finished Version Filter Analyzer (0 seconds)
Created CPE Index (0 seconds)
Finished CPE Analyzer (1 seconds)
Finished False Positive Analyzer (0 seconds)
Finished NVD CVE Analyzer (0 seconds)
**Finished Node Audit Analyzer (0 seconds)**
**Finished Yarn Audit Analyzer (3 seconds)**
Finished RetireJS Analyzer (10 seconds)
Finished Sonatype OSS Index Analyzer (3 seconds)
Finished Vulnerability Suppression Analyzer (0 seconds)
Finished Known Exploited Vulnerability Analyzer (0 seconds)
Finished Dependency Bundling Analyzer (0 seconds)
Many of them also don't seem to let me enable them (e.g. `analyzers.nodeAudit.enabled = true` and `analyzers.bundleAuditEnabled = true` are not having any effect), so something seems quite wrong?
(Side note: after reviewing the docs, I note that a number of the analyzers at https://dependency-check.github.io/DependencyCheck/dependency-check-gradle/configuration.html which say you need `experimentalEnabled` did not actually need this earlier. Not sure if the docs were/are wrong, or whether they were enabled earlier by accident, e.g. `bundleAuditEnabled`.)
EDIT:
Workaround
A workaround for people using the `dependencyCheckAnalyze` task on a simple project is probably to set
dependencyCheck {
    scanSet = [
        'src/main/resources', 'src/main/webapp', './package.json', './package-lock.json', './npm-shrinkwrap.json',
        './yarn.lock', './pnpm.lock', 'pnpm-lock.yaml', './Gopkg.lock', './go.mod'
    ].collect { new File(it) }
}
It may log a lot of warnings if you use `--warn`.
... but I don't think there is a way to make it work with `dependencyCheckAggregate` or multi-project setups. There might be a way to do so by processing tasks directly project-by-project if using `dependencyCheckAnalyze`.
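Because this regression is silent (the build still passes, it just scans less), a CI step that asserts the expected analyzers actually ran is a useful guard while the workaround is in place. The POSIX shell script below is an added example, not code from the issue or from DependencyCheck: it greps the plugin's console output (assumed to have been saved to a file, e.g. by redirecting the Gradle run) for the "Finished <name> (" lines shown above and fails if any analyzer on a required list is absent. The function names and the `REQUIRED_ANALYZERS` list are assumptions for illustration, and the two sample logs are constructed from the 12.1.7 and 12.1.6 output quoted in the issue.

```shell
#!/bin/sh
# Added example, not code from the issue or from DependencyCheck: a CI guard that
# fails when analyzers the project relies on did not run. Function names and the
# REQUIRED_ANALYZERS list are assumptions for illustration; the log is assumed to
# be the Gradle plugin's console output saved to a file.

# Analyzers this build relies on (assumed). '|' separates the entries because
# the analyzer names themselves contain spaces.
REQUIRED_ANALYZERS='Ruby Bundle Audit Analyzer|Nuspec Analyzer|Node.js Package Analyzer|Node Audit Analyzer|Yarn Audit Analyzer'

# missing_analyzers LOGFILE
# Prints one line per required analyzer that has no "Finished <name> (" entry.
# grep -F matches the name literally, so the '.' in "Node.js" is not a wildcard.
missing_analyzers() {
    log="$1"
    printf '%s\n' "$REQUIRED_ANALYZERS" | tr '|' '\n' | while IFS= read -r name; do
        grep -qF "Finished ${name} (" "$log" || printf '%s\n' "$name"
    done
}

# check_analyzers LOGFILE
# Returns 0 when every required analyzer ran, 1 otherwise (missing names on stderr).
check_analyzers() {
    missing=$(missing_analyzers "$1")
    if [ -n "$missing" ]; then
        echo "dependency-check did not run required analyzers:" >&2
        printf '%s\n' "$missing" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Constructed sample logs, reduced from the 12.1.7 and 12.1.6 runs quoted in the issue.
LOG_12_1_7=$(cat <<'EOF'
Analysis Started
Finished Archive Analyzer (1 seconds)
Finished File Name Analyzer (0 seconds)
Finished Jar Analyzer (0 seconds)
Finished Dependency Merging Analyzer (0 seconds)
Finished CPE Analyzer (2 seconds)
Finished NVD CVE Analyzer (0 seconds)
Finished RetireJS Analyzer (0 seconds)
Finished Sonatype OSS Index Analyzer (2 seconds)
Finished Dependency Bundling Analyzer (0 seconds)
EOF
)
LOG_12_1_6=$(cat <<'EOF'
Analysis Started
Finished Archive Analyzer (1 seconds)
Finished Ruby Bundle Audit Analyzer (0 seconds)
Finished File Name Analyzer (0 seconds)
Finished Jar Analyzer (0 seconds)
Finished Nuspec Analyzer (0 seconds)
Finished Node.js Package Analyzer (0 seconds)
Finished CPE Analyzer (1 seconds)
Finished NVD CVE Analyzer (0 seconds)
Finished Node Audit Analyzer (0 seconds)
Finished Yarn Audit Analyzer (3 seconds)
Finished RetireJS Analyzer (10 seconds)
Finished Sonatype OSS Index Analyzer (3 seconds)
Finished Dependency Bundling Analyzer (0 seconds)
EOF
)

# Stand-alone demo: write both samples to temp files and run the guard over each.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$LOG_12_1_7" > "$dir/dc-12.1.7.log"
    printf '%s\n' "$LOG_12_1_6" > "$dir/dc-12.1.6.log"
    for f in "$dir"/dc-*.log; do
        if check_analyzers "$f"; then
            echo "$f: all required analyzers ran"
        else
            echo "$f: FAILED"
        fi
    done
    rm -rf "$dir"
}
demo
```

In a pipeline you would run `./gradlew dependencyCheckAnalyze 2>&1 | tee dc.log` and then `check_analyzers dc.log` as a separate step, so that a plugin upgrade which drops an analyzer breaks the build instead of quietly shrinking the scan. Keep the required list to analyzers your repository actually needs; listing one that has no matching files in the project will fail every run.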