Describe the bug
There is a chance that I do not see the logic behind this, but what I see:
the LAST_CHECKED date information of retirejs and hosted suppression is stored in the central database
the actual publishedSuppressions.xml or jsrepository.json is stored in the local file system (.m2)
This leads to inconsistent data, where the database property can state that the file is up to date but locally the copy might be outdated or even nonexistent.
Also, the fact that such an update performs a write operation to the database leads to the warning below, since the usual scan user (dcuser) does not have write permission to this shared database. But this depends on the setup.
[WARNING] Unable to save property 'retirejs.checked' with a value of '12345678' to the database
This was introduced in #6260. I've put a comment on #6399 which is related but not the same.
Version of dependency-check used
The problem occurs using version 9.0.7 & 9.0.9ff
Expected behavior
Up to date information for local files must be stored locally.
Additional context
We use a central (PostgreSQL) database as mirror for the NVD data. A regular job executes org.owasp:dependency-check-maven:9.0.9:update-only using a privileged database user. The actual scans run independently on distributed systems where the less privileged dcuser is used to access the database.
This makes no sense for us either. We run scans in various containers and sync the NIST data to a PostgreSQL database. Storing the timestamp centrally while keeping the data local seems like it just went a little fast with that feature.
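An added illustration of the mismatch reported in this issue; it is not dependency-check's code and not from anyone in the thread. It contrasts a freshness check keyed on a shared timestamp with one keyed on a marker stored beside the local file. The class, the method names, the `.checked` marker suffix, the 24-hour window and the in-memory map standing in for the central database are all assumptions made for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

public class LocalFreshnessDemo {
    // Stand-in for the shared property table (constructed for this example).
    static final Map<String, String> centralDb = new HashMap<>();

    static boolean within(String epochSeconds, Duration maxAge, Instant now) {
        try {
            return Instant.ofEpochSecond(Long.parseLong(epochSeconds.trim())).plus(maxAge).isAfter(now);
        } catch (NumberFormatException e) {
            return false; // unreadable timestamp: treat as stale
        }
    }

    // Hypothetical marker file name: the timestamp lives beside the file it describes.
    static Path markerFor(Path data) { return data.resolveSibling(data.getFileName() + ".checked"); }

    // Behaviour described in the report: only the central timestamp is consulted.
    static boolean freshPerCentralDb(String key, Duration maxAge, Instant now) {
        String v = centralDb.get(key);
        return v != null && within(v, maxAge, now);
    }

    // Expected behaviour: a missing file or marker always forces a download.
    static boolean freshPerLocalMarker(Path data, Duration maxAge, Instant now) throws IOException {
        Path marker = markerFor(data);
        if (!Files.isRegularFile(data) || !Files.isRegularFile(marker)) {
            return false;
        }
        return within(Files.readString(marker), maxAge, now);
    }

    public static void main(String[] args) throws IOException {
        Instant now = Instant.now();
        Duration maxAge = Duration.ofHours(24);
        Path repo = Files.createTempDirectory("dc-cache").resolve("jsrepository.json"); // empty cache
        // Another host updated an hour ago and wrote the shared property.
        centralDb.put("retirejs.checked", Long.toString(now.minusSeconds(3600).getEpochSecond()));
        System.out.println("central says fresh: " + freshPerCentralDb("retirejs.checked", maxAge, now));
        System.out.println("local says fresh:   " + freshPerLocalMarker(repo, maxAge, now));
        Files.writeString(repo, "{}");                                              // simulated download
        Files.writeString(markerFor(repo), Long.toString(now.getEpochSecond()));    // no database write
        System.out.println("after local update: " + freshPerLocalMarker(repo, maxAge, now));
    }
}
```

On a host with an empty cache the central check reports the file as fresh while the local check does not, and recording the check locally needs no write access to the shared database.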