Dependencycheck: Shell can consume wildcards in scan directories, resulting in hard-to-debug results

I believe the documentation states that this uses Ant style paths. So if you wanted to scan all JAR files in a directory tree you should use:

bin/dependency-check.sh --project test --scan ~/path/**/*.jar

Or am I not understanding this issue?

I didn't even want recursive scanning in a directory tree, just scanning all the JAR files within a single directory (no recursion).

Here's a minimal example:

dependency-check ➤ ls path
a.jar  b.jar

dependency-check ➤ bin/dependency-check.sh --project test --format CSV --scan path/*.jar
...
dependency-check ➤ wc -l dependency-check-report.csv
2 dependency-check-report.csv
dependency-check ➤ grep -c b.jar dependency-check-report.csv
0

dependency-check ➤ bin/dependency-check.sh --project test --format CSV --scan 'path/*.jar'
...
dependency-check ➤ wc -l dependency-check-report.csv
9 dependency-check-report.csv
dependency-check ➤ grep -c b.jar dependency-check-report.csv
7

As you can see, the only difference is whether or not I put apostrophes around the parameter of the --scan argument. In the first case (without apostrophes), the shell resolves these and the shell script (and thus, your Java code) receives a list of files already expanded by the shell. (Use the scroll bar, as the important part, the argument of --scan might not fit into the horizontal space below.)

dependency-check ➤ strace -e execve bin/dependency-check.sh --project test --format CSV --scan path/*.jar
execve("bin/dependency-check.sh", ["bin/dependency-check.sh", "--project", "test", "--format", "CSV", "--scan", "path/a.jar", "path/b.jar"], 0x7ffeb53b6588 /* 79 vars */) = 0

However if I put apostrophes around them, they pass through the shell unchanged as a single parameter with wildcards. (Again, use the scroll bar, as the important part, the argument of --scan might not fit into the horizontal space below.)

dependency-check ➤ strace -e execve bin/dependency-check.sh --project test --format CSV --scan 'path/*.jar'
execve("bin/dependency-check.sh", ["bin/dependency-check.sh", "--project", "test", "--format", "CSV", "--scan", "path/*.jar"], 0x7ffc5ca966a0 /* 79 vars */) = 0

The root cause of the problem is that if there are more than 1 filenames after --scan (such as in the first case, when the shell expands the wildcard), DependencyCheck uses the first one (in this case, path/a.jar) and silently discards all the others (in this case, path/b.jar). One solution would be accepting all of them, another would be warning the users that there are command line arguments that the program won't recognize/use. The current situation of silently skipping these is unfortunate.

Hello jeremylong.
Is it possible to get the vulnerabilities report without "--scan " command ? I have the .net config file for the application which has all 3rd party components dll included. My requirement is to compare that config file with cve vulnerability list and generate a report. Is that possible? Also if I want to pass a parameter value or a condition with "cve count > 8 or 10" to command line so that High and Critical Vulnerabilities should be listed out in the report is that also possible? Or any other ways available to customize the code?