Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

version in projectInfo are version of ODC #1109

Closed
stboissdev opened this issue Feb 19, 2018 · 3 comments
Closed

version in projectInfo are version of ODC #1109

stboissdev opened this issue Feb 19, 2018 · 3 comments
Labels
bug

Comments

@stboissdev
Copy link

in report (XML or JSON), in projectInfo, the version is not the version of project but version of ODC.
@v6ak
Copy link

v6ak commented Feb 23, 2018
edited
Loading

Few thoughts on this:

  • ODC does not always know the version of analyzed project. It can know it in case of Maven/Gradle/SBT plugin, but not in case of standalone scans. Maybe it can contain the version only in the specific cases.
  • ODC version should be IMHO present in the output. Maybe it should have some other name, but it is useful to be able to detect misconfiguration (e.g., you have forgotten to update version number of SBT plugin, which has a completely separate versioning scheme).
  • Changing the name of some existing element is troublesome, as it is a BC break. One might add another element with a better name and the very same content, but it might get even more confusing. And unfortunately, XML does not have any established way to mark some element as deprecated. You might add a comment (which can deconfuse it for human readers), but this is not machine-readable, so existing parsers will probably have no hint they parse it in an obsolete way.
  • Last but not least, if some parser should be able to parse multiple versions, the format version (which corresponds to the ODC version) is probably the last field you want to change. If we really should change it, there should be a long transition phase where both fields exist together.

@stevespringett
Copy link
Collaborator

  • Correct, the version will only be known in cases where the scan is using the Maven/Gradle/SBT plugin. Same is true for the project name, but in the case of project name, the CLI has a flag that specifies the name. An optional flag can be added to specify the project version as well.
  • The ODC version is already present in the output. Refer to <engineVersion>3.1.1</engineVersion>
  • This ticket is not to change the name of an XML element, but correct, what we believe to be a defect in the XML report generation. Since schema 1.5, the version element has been part of the projectInfo node. This element having the same value as engineVersion doesn't provide any value.
  • This ticket is to correct the behavior by introducing a project version option in the CLI as well as using the version from the GAV in the Maven/Gradle/SBT plugins and populating the projectInfo/version element with the project version instead of the version of Dependency-Check.

@jeremylong jeremylong added the bug label Feb 24, 2018
jeremylong added a commit that referenced this issue Feb 24, 2018
@jeremylong
patch for issue #1109
185e99e
@lock
Copy link

lock bot commented Sep 27, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Sep 27, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@v6ak @jeremylong @stevespringett @stboissdev