Skip artifacts matching a regex #1103

Closed
CWolff92 opened this issue Feb 12, 2018 · 5 comments
Comments

@CWolff92

Hi,

is it possible to skip dependency scanning for certain artifacts by providing a regex which is matched against their identifier? Using the Maven plugin I would like to do something like this:

<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>3.1.1</version>
  <configuration>
    <skipIdentifier>com\.mygroup\..+</skipIdentifier>
  </configuration>
  ...
</plugin>

Every artifact matched by the regex "com\.mygroup\..+" would be ignored.

@jeremylong
Owner

At the moment this is not possible. One could create a suppression file that would have a similar effect:

    <suppress>
        <notes><![CDATA[
        Suppress findings for my company's artifacts
        ]]></notes>
        <gav regex="true">^com\.mygroup\..*$</gav>
        <cpe regex="true">.*</cpe>
    </suppress>

The above would suppress all CPE and related CVE for anything in "com.mygroup".
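For readers wanting to try the suggestion above, here is the suppression rule placed in a complete suppression file together with the plugin configuration that loads it. This is an added example, not code from the thread or from the dependency-check project; the file name `dependency-check-suppressions.xml` and its location under `${project.basedir}` are assumptions, while `suppressionFile` is the plugin parameter that points at a suppression file and the `xmlns` value is the published suppression schema.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- File 1: dependency-check-suppressions.xml (file name is an assumption) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[
    Suppress findings for my company's own artifacts.
    The gav regex is anchored and its dots are escaped, so it matches
    "com.mygroup:core:1.0" and "com.mygroup.sub:util:2.3" but not
    "com.mygroupx:core:1.0" or "comXmygroup:core:1.0".
    ]]></notes>
    <gav regex="true">^com\.mygroup\..*$</gav>
    <!-- match every CPE, i.e. drop all identifications for these artifacts -->
    <cpe regex="true">.*</cpe>
  </suppress>
</suppressions>

<!-- File 2: the plugin section of pom.xml, referencing the file above -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>3.1.1</version>
  <configuration>
    <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
  </configuration>
</plugin>
```

Two points worth keeping in mind when using this: a suppression only removes findings from the analysis and report, it does not stop the plugin from resolving those dependencies, so it cannot help with resolution failures; and the anchoring and escaping in the `gav` pattern matter, because an unescaped `.` matches any character and an unanchored pattern would also match any GAV that merely contains the group name.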

@CWolff92
Author

Thank you for your reply, unfortunately this won't work for my problem. I may be using the plugin in a wrong way though.

I have a multi module Maven project and want to use the aggregate goal. Whenever the project's version is incremented builds fail (example output after a mvn verify on the parent pom):

[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o com.mygroup:artifact:jar:3.1.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
...
[ERROR]         Failure to find my.group:artifact:jar:3.1.0-SNAPSHOT in https://my.nexus-repository.com/repository/public/ was cached in the local repository, resolution will not be reattempted until the update interval of public has elapsed or updates are forced

Executing mvn package first won't help, only mvn install -Ddependency-check.skip followed by the verify step. While this works, it is not an ideal solution for a CI environment.

@jeremylong
Owner

This is related (if not actually a duplicate of) #740. Take a look at this article on the maven install hack - have you run into the same issue as described?

I've been thinking about different solutions to this problem - but the issue may really be with the multi-module project.

@CWolff92
Author

CWolff92 commented Mar 5, 2018

Hey, sorry for the delay. Yes it looks like a duplicate. I'm gonna close this issue and continue the discussion there since the article unfortunately didn't help me. This issue only occurs when using the dependency-check plugin.

@CWolff92 CWolff92 closed this as completed Mar 5, 2018
@lock

lock bot commented Sep 27, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Sep 27, 2018