
I am trying to get the Maven plugin working to get the dependency-check report. My end goal is to come up with a security-report of the security vulnerabilities on my project.

The Maven snippet which I am using is -

```xml
<build>
    <pluginManagement>
        <plugins>
            ..
            ..
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>1.4.0</version>
                <configuration>
                    <dataDirectory>/somepath/data</dataDirectory>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>aggregate</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </pluginManagement>
</build>
```

For my build I am using:

```
mvn -B -U clean install site:site
```

However, I don't see the dependency-checks being triggered.

I also tried

```
mvn -B -U org.owasp:dependency-check-maven:1.4.0:check -Dformat=XML
```

No luck either. I get an error -

```
[ERROR] BUILD ERROR
[INFO] ------------------------------------------------------------------------
[INFO] Internal error in the plugin manager executing goal 'org.owasp:dependency-check-maven:1.4.0:check': Unable to find the mojo 'check' (or one of its required components) in the plugin 'org.owasp:dependency-check-maven'
Can not set org.sonatype.plexus.components.cipher.PlexusCipher field org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher._cipher to org.sonatype.plexus.components.cipher.DefaultPlexusCipher
```

Where am I going wrong? Thanks and apologies if the question is way too basic!

mmukhe
  • In the first try you are configuring the plugin in the `pluginManagement` section, which means it will not be added to the default Maven build; you should move it to `build`/`plugins` instead for such a purpose. [This Stack Overflow q/a](http://stackoverflow.com/q/10483180/5606016) should help you understand the difference. It should however work when executed from command line and I'm trying to understand why it doesn't: check mojo exists. – A_Di-Matteo Jun 23 '16 at 07:36
  • Using your code and your command line execution, worked fine for me. Not able to reproduce your issue. – A_Di-Matteo Jun 23 '16 at 07:42
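
The `pluginManagement` point from the first comment can be checked mechanically, so that a security scan that is configured but never bound to the build does not go unnoticed. The following is an added example, not code from the original thread or from the dependency-check project; the function names and the two constructed sample POMs are assumptions, and it inspects a single POM only (no parent, child module or profile resolution).

```python
import xml.etree.ElementTree as ET

def _strip_ns(root):
    # Real POMs carry the Maven namespace; drop it so plain paths match.
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root

def _plugin_keys(parent):
    """Map (groupId, artifactId) -> <plugin> element under parent/plugins."""
    found = {}
    if parent is None:
        return found
    for p in parent.findall("plugins/plugin"):
        gid = (p.findtext("groupId") or "org.apache.maven.plugins").strip()
        aid = (p.findtext("artifactId") or "").strip()
        found[(gid, aid)] = p
    return found

def managed_only_plugins(pom_xml):
    """Plugins with executions declared in pluginManagement that are not
    referenced in build/plugins of the same POM, so their goals never run.
    Plugins bound by the default lifecycle may be reported here too."""
    root = _strip_ns(ET.fromstring(pom_xml))
    build = root.find("build")
    if build is None:
        return []
    managed = _plugin_keys(build.find("pluginManagement"))
    active = _plugin_keys(build)
    return sorted(f"{g}:{a}" for (g, a), p in managed.items()
                  if (g, a) not in active
                  and p.find("executions/execution") is not None)

# Constructed sample POMs based on the snippet in the question.
PLUGIN = """<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>1.4.0</version>
  <executions><execution><goals><goal>aggregate</goal></goals></execution></executions>
</plugin>"""
POM = '<project xmlns="http://maven.apache.org/POM/4.0.0"><build>%s</build></project>'
BEFORE = POM % ("<pluginManagement><plugins>" + PLUGIN + "</plugins></pluginManagement>")
AFTER = POM % ("<plugins>" + PLUGIN + "</plugins>")

if __name__ == "__main__":
    print("managed only (before):", managed_only_plugins(BEFORE))
    print("managed only (after): ", managed_only_plugins(AFTER))
```
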

1 Answer


Thanks 'A_Di-Matteo' for your help.

Furthermore, I noticed I was using Maven 2 for this build (don't ask me why it was even an option). When I used Maven 3, this problem disappeared.

mmukhe