albuch / sbt-dependency-check

SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). :rainbow:

Failure summary is not shown

gervaisb opened this issue · comments

Hello,

We are using your plugin to analyze our dependencies and fail our CI in case of a vulnerability. However, it seems that the failure summary is not shown; sbt fails with a quite vague error message:

[error] Vulnerability with CVSS score higher 7.0 found. Failing build.

After digging into the sources, I have seen this line that should print the summary but the log message is never shown:

DependencyCheckScanAgent.showSummary(name, engine.getDependencies)

Do we have to provide a specific logger configuration somewhere?

Thanks

This is an issue since SBT 1.x: sbt/sbt#3398
See #67 for reference as well.
Please follow the instructions in the readme on logging levels to enable logging of the core library: https://github.com/albuch/sbt-dependency-check#changing-log-level

Indeed. Thanks a lot for your work.

My 2 cents,

Instead of using -Dlog4j2.level=debug as suggested by the documentation, which leads to a lot of output, I could make it work by programmatically changing the Level configuration of the org.owasp.dependencycheck.agent.DependencyCheckScanAgent logger specifically. For example:

import org.apache.logging.log4j.{Level, LogManager}
import org.apache.logging.log4j.core.LoggerContext
import org.apache.logging.log4j.core.config.{AppenderRef, LoggerConfig, Property}
import org.owasp.dependencycheck.agent.DependencyCheckScanAgent

initialize ~= { _ =>
  // Only the scan agent's own logger is configured, so the failure summary
  // becomes visible without turning on debug output for the whole core library.
  val loggerName = classOf[DependencyCheckScanAgent].getName
  val ctx = LogManager.getContext(false).asInstanceOf[LoggerContext]
  val config = ctx.getConfiguration
  config.addLogger(
    loggerName,
    LoggerConfig.createLogger(
      /* additivity = */ true,
      /* level = */ Level.WARN,
      /* loggerName = */ loggerName,
      /* includeLocation = */ "true",
      /* refs = */ new Array[AppenderRef](0),
      /* properties = */ new Array[Property](0),
      /* config = */ config,
      /* filter = */ null)
  )
  // Apply the changed configuration to loggers that already exist.
  ctx.updateLoggers()
}

I hope it helps.