Dependencycheck: Lucene Query Parse Error

Created on 17 Dec 2016 · 12 Comments · Source: jeremylong/DependencyCheck

I get an error when I run the dependency checker against my project. Here is a link to the error:
https://gist.github.com/brileyd/a0a21d095a72520ab5d9ea0065edc659

The error eventually states this:
Caused by: org.apache.lucene.search.BooleanQuery$TooManyClauses: maxClauseCount is set to 1024

Would it be possible to set a property/option to extend the maxClauseCount?

Thank you!

bug

All 12 comments

Any chance you can tell me what dependency caused this? I'd be interested in seeing the manifest as there is likely a better solution than increasing the maxClauseCount... But I can also look into setting something up so that the maxClauseCount can be increased.

It is a fairly large project with 12 modules. Is there a property or arg I can pass to the shell script to get it to tell me which dependency? The reason I am using the command line option instead of the maven option is I am trying to get all the results on a single report rather than in each module. I've updated the gist with the full output of the script. Thanks!

To get all of the reports consolidated using Maven you can use the aggregate goal in the parent pom (mvn org.owasp:dependency-check-maven:1.4.4.1:aggregate).

It would be great if the library causing the reported issue could be isolated. Looking at the error it appears to have something to do with portal-impl Newton portal ... Liferay Portal Enterprise Edition 6.2.10. So I'm guessing you have several Liferay related dependencies - I tried downloading Liferay and scanning it but I did not see the error you've reported. However, central does not appear to have a 6.2.10 version - 6.2.5 is the highest version.

In your environment, using the CLI could you generate the log file (add -l dc.log)? The log file should help us figure out which dependency is causing the issue.

Attached is the log file and the dependency causing the error is the portal-impl.jar. I tried to attach the manifest, but github will not let me upload it. It does contain all the text seen in the error (all of the LPE-xxxx entries).
dc.log.zip

Thanks for all the help!

Can you email me the manifest file? jeremy.long @ owasp.org

@brileyd any chance you could send me the manifest? Or could you tell me what the manifest key is for these values? Is it a single entry with a ton of entries or are there a ton of manifest entries that generate the 1000+ search clauses?

No response from @brileyd in a month and I cannot find a copy of the dependency or manifest that causes the problem. As such, I'm closing the issue. If someone can provide an example that causes this issue please re-open the issue and provide the example.

http://central.maven.org/maven2/au/com/dius/pact-jvm-consumer-junit_2.12/3.5.10/pact-jvm-consumer-junit_2.12-3.5.10.pom (and other versions) has such a large manifest. Apparently, the whole README has been added as description in the pom.

Here's build output: https://gist.github.com/welcor/bf083c0c509a42abfb9a104a31902e40

The dependency check apparently continues on other files, so it's mostly a question of not getting three pages of stacktrace and warnings :)
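The failure described in this thread comes from a Lucene BooleanQuery that is built with one clause per token of a very long free-text field (a manifest or a pom description that contains an entire README), so the default limit of 1024 clauses is exceeded and BooleanQuery$TooManyClauses is thrown. The following is an added example, not code from DependencyCheck or from the fix referenced above; it shows the defensive pattern of deduplicating and capping the tokens before they become clauses so the query always builds. It assumes the Lucene 7/8 API (BooleanQuery.Builder, the static BooleanQuery.getMaxClauseCount()), and the field name "product" and the tokenizer regex are assumptions chosen for the illustration.

```java
import java.util.LinkedHashSet;
import java.util.Set;

import org.apache.lucene.index.Term;
import org.apache.lucene.search.BooleanClause;
import org.apache.lucene.search.BooleanQuery;
import org.apache.lucene.search.Query;
import org.apache.lucene.search.TermQuery;

public class CappedManifestQuery {

    // Hypothetical index field name; an assumption for this example.
    static final String FIELD = "product";

    /**
     * Builds an OR (SHOULD) query from free text, but never emits more clauses
     * than Lucene's configured maximum, so building the query cannot throw
     * BooleanQuery.TooManyClauses regardless of how long the input is.
     */
    public static Query build(String freeText) {
        // Leave one clause of headroom below the configured limit (default 1024).
        int limit = BooleanQuery.getMaxClauseCount() - 1;

        // LinkedHashSet deduplicates repeated tokens while keeping first-seen order,
        // so a manifest that repeats the same words many times costs only one clause each.
        Set<String> terms = new LinkedHashSet<>();
        for (String token : freeText.toLowerCase().split("[^a-z0-9.\\-]+")) {
            if (token.length() < 3) {
                continue; // skip noise tokens such as "a", "of", version fragments like "6"
            }
            terms.add(token);
            if (terms.size() >= limit) {
                break; // cap reached: stop consuming input instead of failing later
            }
        }

        BooleanQuery.Builder builder = new BooleanQuery.Builder();
        for (String term : terms) {
            builder.add(new TermQuery(new Term(FIELD, term)), BooleanClause.Occur.SHOULD);
        }
        return builder.build();
    }

    public static void main(String[] args) {
        // Constructed sample input: a description with far more distinct tokens than
        // maxClauseCount, in the spirit of the LPE-xxxx manifest entries from the thread.
        StringBuilder description = new StringBuilder("portal-impl Liferay Portal ");
        for (int i = 0; i < 3000; i++) {
            description.append("LPE-").append(i).append(' ');
        }

        BooleanQuery query = (BooleanQuery) build(description.toString());
        System.out.println("maxClauseCount = " + BooleanQuery.getMaxClauseCount());
        System.out.println("clauses emitted = " + query.clauses().size());
    }
}
```

With the default setting the query is built with fewer clauses than maxClauseCount and the scan proceeds; the alternative of raising BooleanQuery.setMaxClauseCount (the option the original reporter asked for) only moves the threshold and makes each oversized query proportionally more expensive, which is why bounding the input is the better fix.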

Any timeframe on releasing this? We are also having the issue w/ Pact dependency.

Yes, this will be released soon. As I started looking at the lucene usage I noticed some bugs that needed to be fixed. When I merge #1048 I will be pushing a release.

Thank you for your hard work. It works now :)

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
