Failure summary is not shown
gervaisb opened this issue
Hello,
We are using your plugin to analyze our dependencies and fail our CI in case of vulnerability. However, it seems that the failure summary is not shown; Sbt fails with a quite vague error message:
[error] Vulnerability with CVSS score higher 7.0 found. Failing build.
After digging into the sources, I have seen this line that should print the summary but the log message is never shown:
Do we have to provide a specific logger configuration somewhere?
Thanks
This is an issue since SBT 1.x: sbt/sbt#3398
See #67 for reference as well.
Please follow the instructions in the readme on logging levels to enable logging of the core library: https://github.com/albuch/sbt-dependency-check#changing-log-level
Indeed. Thanks a lot for your work.
My 2 cents,
Instead of using -Dlog4j2.level=debug as suggested by the documentation, which leads to a lot of output, I could make it work by programmatically changing the Level configuration of the org.owasp.dependencycheck.agent.DependencyCheckScanAgent logger specifically. For example:
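    // Imports go at the top of build.sbt
    import org.apache.logging.log4j.LogManager
    import org.apache.logging.log4j.core.LoggerContext
    import org.apache.logging.log4j.core.config.{AppenderRef, LoggerConfig, Property}
    import org.owasp.dependencycheck.agent.DependencyCheckScanAgent

    initialize ~= { _ =>
      // Configure only the scan agent's logger instead of raising the global level
      val loggerName = classOf[DependencyCheckScanAgent].getName
      val ctx = LogManager.getContext(false).asInstanceOf[LoggerContext]
      val config = ctx.getConfiguration
      config.addLogger(
        loggerName,
        LoggerConfig.createLogger(
          /* additivity = */ true,
          /* level = */ org.apache.logging.log4j.Level.WARN,
          /* loggerName = */ loggerName,
          /* includeLocation = */ "true",
          /* refs = */ new Array[AppenderRef](0),
          /* properties = */ new Array[Property](0),
          /* config = */ config,
          /* filter = */ null)
      )
      // Apply the changed configuration to existing loggers
      ctx.updateLoggers()
    }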
I hope it helps.