We should add this sbt dependency check instruction to the release workflow
- which actually needs a section with a checklist of things to check/verify
like this. Or maybe it's a separate page, release-testing/verification.

However, I tried it (using version 4.0.0 of the plugin) on daffodil and it
failed per below. Do you have a configuration or environment settings you
use with this plugin? It has many many options, and presumably one of them
will turn off this problem.

sbt:daffodil> dependencyCheckAggregate
... list of zillion jars here ....
10:37:55.213 [pool-263-thread-8] ERROR
org.owasp.dependencycheck.analyzer.AssemblyAnalyzer -
----------------------------------------------------
10:37:55.213 [pool-263-thread-8] ERROR
org.owasp.dependencycheck.analyzer.AssemblyAnalyzer - .NET Assembly
Analyzer could not be initialized and at least one 'exe' or 'dll' was
scanned. The 'dotnet' executable could not be found on the path; either
disable the Assembly Analyzer or add the path to dotnet core in the
configuration.
10:37:55.213 [pool-263-thread-8] ERROR
org.owasp.dependencycheck.analyzer.AssemblyAnalyzer -
----------------------------------------------------
[success] Total time: 2 s, completed Mar 24, 2022, 10:37:56 AM
sbt:daffodil>


CVE checking can perhaps be avoided via dependabot, but I like the notion
that a join between our dependencies and the CVE database gets done
somehow, and sbt-dependency-check seems to do this.


On Thu, Mar 24, 2022 at 10:02 AM Steve Lawrence <slawre...@apache.org>
wrote:

> I just used this for the dependency check; it has all the instructions
> that are needed:
>
>    https://github.com/albuch/sbt-dependency-check
>
> They say to put that in project/plugins.sbt, but I recommend putting it
> in ~/.sbt/1.0/plugins/plugins.sbt, then it's available for any project
> you might use (e.g. both daffodil and vscode).
>
> Then just run "sbt dependencyCheckAggregate", and the resulting report
> is put in target/scala-2.12/dependency-check-report.html.
>
> I'm not sure I would recommend adding CVE checking to CI because
> downloading the CVE database takes a long time, especially the first
> time. I might recommend instead just enabling dependabot; that's been
> good about keeping Daffodil dependencies up to date.
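One way to deal with the AssemblyAnalyzer error in the session above, as an added example that is not from this thread or from the plugin's own documentation: a build.sbt fragment that disables the .NET Assembly Analyzer (the fix the error message itself offers) and makes the dependency-to-CVE join actionable by failing the build above a CVSS threshold. The plugin version, task name and report path come from the thread; the setting keys and their types are assumed from the sbt-dependency-check 4.x documented settings and should be checked against the README linked above for the version you install.

```scala
// build.sbt (added example; not the thread's or the plugin's own code).
// Assumes the plugin is installed as Steve describes, e.g. in
// ~/.sbt/1.0/plugins/plugins.sbt (coordinates assumed from the plugin README):
//   addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "4.0.0")
//
// All dependencyCheck* keys below are assumed from the plugin's documented
// settings for 4.x; verify names and types against the README you install from.

// The error in the session: AssemblyAnalyzer found an .exe/.dll inside some
// dependency and could not locate 'dotnet'. A JVM-only build has nothing for
// that analyzer to do, so disabling it is simpler than installing a .NET
// runtime on every machine that runs the release check.
ThisBuild / dependencyCheckAssemblyAnalyzerEnabled := Some(false)

// Make the "join between our dependencies and the CVE database" actionable:
// fail dependencyCheckAggregate when any finding scores CVSS >= 7.0
// (High/Critical). The documented default of 11 can never trip, which is how
// a generated HTML report ends up unread.
ThisBuild / dependencyCheckFailBuildOnCVSS := 7.0f

// Only scan what ships: leave test-scoped dependencies out of the release
// report so findings in test-only libraries do not drown the real ones.
ThisBuild / dependencyCheckSkipTestScope := true

// Confirmed false positives (wrong CPE match) go in a reviewed suppression
// file checked into the repo, not in ad hoc ignores. Path is a placeholder.
ThisBuild / dependencyCheckSuppressionFile := Some(file("dependency-check-suppressions.xml"))
```

Run `sbt dependencyCheckAggregate` as before; the report still lands in target/scala-2.12/dependency-check-report.html, and the task now fails on a High/Critical finding, which is what a release-checklist step can key off.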