albuch / sbt-dependency-check

SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). :rainbow:


Update dependency-check-core to v7.0.0

albuch opened this issue · comments

@albuch are you going to release a new version compatible with 7.0.0?

Hi @okgolove,
I wanted to wait for 7.0.1 to be available as there are many false-positives introduced in 7.0.0 by adding developer information to the matching algorithm.
Anything specific that you need from the 7.0.0 release?

@albuch maybe I understand this plugin's role wrong, but it seems it does not work if I use dependency-check 7.0.0 with the prebuilt CVE database (https://github.com/dependency-check/DependencyCheck_Builder) with sbt plugin 3.4.1. Am I wrong, and do they not depend on each other?

As this plugin is independently developed and not part of the release pipeline of DependencyCheck, it might take a while for updates of the core library to get published here. We might even consider postponing a release due to quality issues of the core library.

As for your usage of DependencyCheck_Builder:
Neither sbt-dependency-check nor any other build system integration of DependencyCheck is intended to be used with a database that is created by a different major version (in this case by the dependency-check CLI). The project description of DependencyCheck_Builder states that its intention is to only be used with the matching GitHub Action, which is https://github.com/dependency-check/Dependency-Check_Action
Those two projects might give guarantees that they will always be in sync with each other and therefore don't need a version number, but other projects like ours might not.

You can easily create your own image with a prepopulated database that supports versioning of DependencyCheck and use that in your GitHub action, or use a mirror like https://github.com/stevespringett/nist-data-mirror
Another option is to cache the database file in your pipeline, which speeds up the download process as well.