Different analysis result depending on if artifact is in Maven local repo or not #421
Comments
jeremylong added a commit that referenced this issue Nov 14, 2024
Gradle by default does not download the pom.xml from Central - without this false negatives may be generated. resolves #421
See #422. Until the next release, you can resolve the problem by enabling the Central Analyzer:
Thank you for noticing this discrepancy.
Thanks for the quick reply and the workaround!
Description of problem
Running the :dependencyCheckAnalyze gradle task gives different results for the artifact org.codehaus.woodstox:woodstox-core-asl:4.4.1 depending on if it is in the local Maven repo or not.
Expected behavior
The analysis result should be the same regardless of where the artifact is located.
Steps to reproduce
Using this Gradle project:
Follow these steps:
./gradlew dependencyCheckAggregate --info
mvn org.apache.maven.plugins:maven-dependency-plugin:get -Dartifact='org.codehaus.woodstox:woodstox-core-asl:4.4.1' to download the artifact to the local Maven repo.
./gradlew dependencyCheckAggregate --info
Environment