I even added this plugin first, in case there was some interaction/failure

My plugins.sbt:

addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "3.3.0")

addSbtPlugin("com.typesafe.sbteclipse" % "sbteclipse-plugin" % "5.2.4")

addSbtPlugin("com.timushev.sbt" % "sbt-updates" % "0.3.4")

addSbtPlugin("org.ensime" % "sbt-ensime" % "2.5.1")

addSbtPlugin("com.orrsella" % "sbt-stats" % "1.0.9-SNAPSHOT")

addSbtPlugin("com.jsuereth" % "sbt-pgp" % "1.1.1")


// addDependencyTreePlugin


On Thu, Mar 24, 2022 at 12:39 PM Steve Lawrence <slawre...@apache.org>
wrote:

> I'm on 1.6.2. Can you confirm you added the plugin to
>
>    ~/.sbt/1.0/plugins/plugins.sbt
>
> That error sounds like something you'd get if the plugin wasn't enabled.
>
> On 3/24/22 12:28 PM, Mike Beckerle wrote:
> > So I backed out the version of plugin to 3.3.0.
> >
> > I still get
> >
> > $ sbt
> > [info] welcome to sbt 1.6.2 (Oracle Corporation Java 17)
> > /home/mbeckerle/.sbt/1.0/plugins/build.sbt:1: error: not found: value
> > dependencyCheckAssemblyAnalyzerEnabled
> > dependencyCheckAssemblyAnalyzerEnabled := Some(false)
> > ^
> > [error] Type error in expression
> > [warn] Project loading failed: (r)etry, (q)uit, (l)ast, or (i)gnore?
> > (default: r)
> >
> >
> > What version of sbt are you using?  I am on 1.6.2 as you see.
> >
> > On Thu, Mar 24, 2022 at 11:03 AM Steve Lawrence <slawre...@apache.org>
> > wrote:
> >
> >> Looks like the plugin version I'm using is 3.3.0, I'd guess they changed
> >> something about this option in the newer 4.0.0 version?
> >>
> >> On 3/24/22 11:00 AM, Mike Beckerle wrote:
> >>> Either way build.sbt or other, I just get
> >>>
> >>> dependencyCheckAssemblyAnalyzerEnabled := Some(false)
> >>> ^
> >>> [error] Type error in expression
> >>>
> >>> On Thu, Mar 24, 2022 at 10:58 AM Mike Beckerle <mbecke...@apache.org>
> >>> wrote:
> >>>
> >>>> is "Somez" a typo?
> >>>>
> >>>> Does it matter that this is in build.sbt vs. global.sbt or any other of
> >>>> the .sbt files under plugins?
> >>>>
> >>>> On Thu, Mar 24, 2022 at 10:52 AM Steve Lawrence <slawre...@apache.org>
> >>>> wrote:
> >>>>
> >>>>> Agreed, this is part of my check list, but it would be good to document
> >>>>> it somewhere to ensure it always gets done.
> >>>>>
> >>>>> As to the error, I don't remember doing this, but also added this to
> >>>>> ~/.sbt/1.0/build.sbt to disable the .NET analyzer:
> >>>>>
> >>>>>      dependencyCheckAssemblyAnalyzerEnabled := Somez(false)
> >>>>>
> >>>>>
> >>>>> On 3/24/22 10:45 AM, Mike Beckerle wrote:
> >>>>>> We should add this sbt dependency check instruction to the release
> >>>>>> workflow - which actually needs a section with a checklist of things to
> >>>>>> check/verify like this. Or maybe it's a separate page,
> >>>>>> release-testing/verification.
> >>>>>>
> >>>>>> However, I tried it (using version 4.0.0 of the plugin) on daffodil and
> >>>>>> it failed per below. Do you have a configuration or environment settings
> >>>>>> you use with this plugin? It has many many options, and presumably one
> >>>>>> of them will turn off this problem.
> >>>>>>
> >>>>>> sbt:daffodil> dependencyCheckAggregate
> >>>>>> ... list of zillion jars here ....
> >>>>>> 10:37:55.213 [pool-263-thread-8] ERROR
> >>>>>> org.owasp.dependencycheck.analyzer.AssemblyAnalyzer -
> >>>>>> ----------------------------------------------------
> >>>>>> 10:37:55.213 [pool-263-thread-8] ERROR
> >>>>>> org.owasp.dependencycheck.analyzer.AssemblyAnalyzer - .NET Assembly
> >>>>>> Analyzer could not be initialized and at least one 'exe' or 'dll' was
> >>>>>> scanned. The 'dotnet' executable could not be found on the path; either
> >>>>>> disable the Assembly Analyzer or add the path to dotnet core in the
> >>>>>> configuration.
> >>>>>> 10:37:55.213 [pool-263-thread-8] ERROR
> >>>>>> org.owasp.dependencycheck.analyzer.AssemblyAnalyzer -
> >>>>>> ----------------------------------------------------
> >>>>>> [success] Total time: 2 s, completed Mar 24, 2022, 10:37:56 AM
> >>>>>> sbt:daffodil>
> >>>>>>
> >>>>>>
> >>>>>> CVE checking can perhaps be avoided via dependabot, but I like the
> >>>>>> notion that a join between our dependencies and the CVE database gets
> >>>>>> done somehow, and sbt-dependency-check seems to do this.
> >>>>>>
> >>>>>>
> >>>>>> On Thu, Mar 24, 2022 at 10:02 AM Steve Lawrence <slawre...@apache.org>
> >>>>>> wrote:
> >>>>>>
> >>>>>>> I just used this for the dependency check, that has all the
> >>>>>>> instructions that are needed:
> >>>>>>>
> >>>>>>>       https://github.com/albuch/sbt-dependency-check
> >>>>>>>
> >>>>>>> They say to put that in project/plugins.sbt, but I recommend putting
> >>>>>>> it in ~/.sbt/1.0/plugins/plugins.sbt, then it's available for any
> >>>>>>> project you might use (e.g. both daffodil and vscode).
> >>>>>>>
> >>>>>>> Then just run "sbt dependencyCheckAggregate", and the resulting
> >>>>>>> report is put in target/scala-2.12/dependency-check-report.html.
> >>>>>>>
> >>>>>>> I'm not sure I would recommend adding CVE checking to CI because
> >>>>>>> downloading the CVE database takes a long time, especially the first
> >>>>>>> time. I might recommend instead just enabling dependabot, that's been
> >>>>>>> good about keeping Daffodil dependencies up to date.
> >>>>>>>