suppressionFile not found when using parent pom #711

Closed
smuda opened this issue Apr 24, 2017 · 4 comments
@smuda

smuda commented Apr 24, 2017

After running into #517 I'm trying to add a suppressionFile to my maven configuration. It's a nested maven configuration that looks like this:

./pom.xml
./server/pom.xml

The configuration for the dependency-check-plugin is in server/pom.xml and looks like this:

<plugin>
   <groupId>org.owasp</groupId>
   <artifactId>dependency-check-maven</artifactId>
   <configuration>
     <failBuildOnCVSS>8</failBuildOnCVSS>
     <format>XML</format>
     <suppressionFile>dependency-check-suppression.xml</suppressionFile>
   </configuration>
   <executions>
     <execution>
       <goals>
         <goal>check</goal>
       </goals>
     </execution>
   </executions>
</plugin>

That works nicely when running the server.pom directory.

[INFO] --- dependency-check-maven:1.4.5:check (default) @ server ---
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Check for updates complete (2373 ms)
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (2 seconds)
[INFO] Finished Central Analyzer (5 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (3 seconds)
[INFO] Finished CPE Analyzer (4 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished Cpe Suppression Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (14 seconds)

When running the parent pom, which in turn calls the server pom, the following error is displayed:

[INFO] --- dependency-check-maven:1.4.5:check (default) @ server ---
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Check for updates complete (1907 ms)
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (1 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (2 seconds)
[INFO] Finished Central Analyzer (3 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (3 seconds)
[INFO] Finished CPE Analyzer (4 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[WARNING] Suppression file 'dependency-check-suppression.xml' does not exists
[ERROR] Exception occurred initializing Cpe Suppression Analyzer.
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARNING] Suppression file 'dependency-check-suppression.xml' does not exists
[ERROR] Exception occurred initializing Vulnerability Suppression Analyzer.
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (13 seconds)
[WARNING] 

I copied the dependency-check-suppression.xml to the parent directory and then it works. It seems to me that the plugin does not use the relative path to the pom where it's configured, but rather the directory of the first pom file.

Can anyone else confirm this? What am I doing wrong?

@aikebah
Collaborator

aikebah commented Apr 24, 2017

That's because the maven build will not switch current-working-dir to your nested project while running the build from your top-level pom. Configuring the suppression-file using Maven's ${basedir} variable should work fine for your scenario and retain flexibility of (project-)relative paths:

<suppressionFile>${basedir}/dependency-check-suppression.xml</suppressionFile>
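As an added example (not from the issue and not the project's own documentation), here is a parent pom for the ./pom.xml plus ./server/pom.xml layout from the report. It centralises the plugin configuration in pluginManagement and uses ${project.basedir} (the same value as ${basedir}), which Maven evaluates in the module that actually runs the plugin, so each module finds its own suppression file no matter which directory the reactor is started from. The groupId, artifactId and project version are assumptions; the plugin version 1.4.5 is the one shown in the issue's build log.

```xml
<!-- Added example, not from the issue: parent ./pom.xml.
     Coordinates com.example:parent:1.0.0-SNAPSHOT are assumed;
     plugin version 1.4.5 matches the build log above. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>parent</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <modules>
    <module>server</module>
  </modules>

  <build>
    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>1.4.5</version>
          <configuration>
            <failBuildOnCVSS>8</failBuildOnCVSS>
            <format>XML</format>
            <!-- ${project.basedir} is resolved per module, not against the
                 working directory the build was launched from: when the
                 server module runs this goal it becomes
                 ./server/dependency-check-suppression.xml, even for
                 "mvn verify" started in ./ -->
            <suppressionFile>${project.basedir}/dependency-check-suppression.xml</suppressionFile>
          </configuration>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>
</project>
```

With this in place, ./server/pom.xml only needs the plugin's groupId and artifactId plus the check execution from the report; the configuration is inherited. Because the suppression file silences findings, keep it next to the module's pom under version control so that every suppression is reviewed together with the code it covers.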

@jeremylong
Collaborator

@smuda consider looking at how checkstyle "should" be configured for a multi-module build: https://maven.apache.org/plugins/maven-checkstyle-plugin/examples/multi-module-config.html

There they use a build-tools project to house the configuration. The same could be done with dependency-check.

@smuda
Author

smuda commented Apr 25, 2017

@aikebah Thank you, that worked perfectly.

@jeremylong Thank you, that was a really good link and I'll make sure to use that in a later project where we have multiple java projects. In this case it seems a bit overkill.

@smuda smuda closed this as completed Apr 25, 2017
@lock

lock bot commented Sep 28, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Sep 28, 2018