is "Somez" a typo? Does it matter that this is in build.sbt vs. global.sbt or any other of the .sbt files under plugins?
On Thu, Mar 24, 2022 at 10:52 AM Steve Lawrence <[email protected]> wrote:

> Agreed, this is part of my check list, but it would be good to document
> it somewhere to ensure it always gets done.
>
> As to the error, I don't remember doing this, but also added this to
> ~/.sbt/1.0/build.sbt to disable the .NET analyzer:
>
> dependencyCheckAssemblyAnalyzerEnabled := Somez(false)
>
>
> On 3/24/22 10:45 AM, Mike Beckerle wrote:
> > We should add this sbt dependency check instruction to the release workflow
> > - which actually needs a section with a checklist of things to check/verify
> > like this. Or maybe it's a separate page, release-testing/verification.
> >
> > However, I tried it (using version 4.0.0 of the plugin) on daffodil and it
> > failed per below. Do you have a configuration or environment settings you
> > use with this plugin? It has many many options, and presumably one of them
> > will turn off this problem.
> >
> > sbt:daffodil> dependencyCheckAggregate
> > ... list of zillion jars here ....
> > 10:37:55.213 [pool-263-thread-8] ERROR
> > org.owasp.dependencycheck.analyzer.AssemblyAnalyzer -
> > ----------------------------------------------------
> > 10:37:55.213 [pool-263-thread-8] ERROR
> > org.owasp.dependencycheck.analyzer.AssemblyAnalyzer - .NET Assembly
> > Analyzer could not be initialized and at least one 'exe' or 'dll' was
> > scanned. The 'dotnet' executable could not be found on the path; either
> > disable the Assembly Analyzer or add the path to dotnet core in the
> > configuration.
> > 10:37:55.213 [pool-263-thread-8] ERROR
> > org.owasp.dependencycheck.analyzer.AssemblyAnalyzer -
> > ----------------------------------------------------
> > [success] Total time: 2 s, completed Mar 24, 2022, 10:37:56 AM
> > sbt:daffodil>
> >
> >
> > CVE checking can perhaps be avoided via dependabot, but I like the notion
> > that a join between our dependencies and the CVE database gets done
> > somehow, and sbt-dependency-check seems to do this.
> >
> >
> > On Thu, Mar 24, 2022 at 10:02 AM Steve Lawrence <[email protected]>
> > wrote:
> >
> >> I just used this for the dependency check, that has all the instructions
> >> that are needed:
> >>
> >> https://github.com/albuch/sbt-dependency-check
> >>
> >> They say to put that in project/plugins.sbt, but I recommend putting it
> >> in ~/.sbt/1.0/plugins/plugins.sbt, then it's available for any project
> >> you might use (e.g. both daffodil and vscode).
> >>
> >> Then just run "sbt dependencyCheckAggregate", and the resulting report
> >> is put in target/scala-2.12/dependency-check-report.html.
> >>
> >> I'm not sure I would recommend adding CVE checking to CI because
> >> downloading the CVE database takes a long time, especially the first
> >> time. I might recommend instead just enabling dependabot, that's been
> >> good about keeping Daffodil dependencies up to date.
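The two user-global sbt files the thread describes, written out as an added example (not code from the thread or from the Daffodil project). The plugin version 4.0.0 and the key name come from the thread; the organization id `net.vonbuchholtz` is the plugin's published Maven coordinate and is assumed here, and the key is declared by the plugin as an `Option[Boolean]`, which is why the value is wrapped in `Some(...)`.

```scala
// File 1: ~/.sbt/1.0/plugins/plugins.sbt
// Registering the plugin globally makes dependencyCheckAggregate available in
// every sbt 1.x project on this machine (e.g. daffodil and vscode) without
// committing anything to a project's own project/plugins.sbt.
// "net.vonbuchholtz" is the plugin's published organization id (assumed, not
// stated in the thread); 4.0.0 is the version tried in the thread.
addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "4.0.0")

// File 2: ~/.sbt/1.0/build.sbt
// Global setting, applied to every project. It turns off the .NET Assembly
// Analyzer, which otherwise logs the ".NET Assembly Analyzer could not be
// initialized" error whenever a jar contains an .exe or .dll and 'dotnet' is
// not on the PATH. The key's type is Option[Boolean]: Some(false) disables the
// analyzer, Some(true) forces it on, and None leaves the plugin's default.
dependencyCheckAssemblyAnalyzerEnabled := Some(false)
```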
