Scanning of maven pom.xml vs package.json #467

Open
PuttePilz opened this issue Feb 7, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@PuttePilz

Describe the bug
Plugin cannot scan Maven projects when one IntelliJ module has multiple Maven projects.

intellijproject
--module1
---- maven1
-----pom.xml
-----maven2
------pom.xml

To Reproduce

  1. Create a new empty IntelliJ project.
  2. Create a new module and choose a folder which has multiple Maven projects checked out.
  3. jfrog xray-scan

Expected behavior

  • It should scan all pom.xml, but the plugin tries to find pom.xml at the first level directly under the module folder.
  • Although it succeeds in scanning package.json projects.

Versions

  • JFrog IDEA plugin version: 2.6.7
  • Operating system: Windows
  • Xray version: 7.71.11

Additional context
We want both package.json and the Maven poms to show in the scan. We have tested making a module of one Maven project in IntelliJ and that seems to work, but it's not how we work; we usually have many projects checked out at one time and want to perform an X-ray scan of all of them at one time, and get a complete result.

@PuttePilz PuttePilz added the bug Something isn't working label Feb 7, 2024
@PuttePilz PuttePilz changed the title Scanning of Javaprojects vs angualrprojekts Scanning of maven pom.xml vs package.json Feb 7, 2024
@mcatalon

Hello!
Any news about this bug? We have quite a similar bug in my team.
My Spring project source code is separated into two repositories (for reasons):

  • the first one (FWK) containing database model + API + Angular client
  • and the second one (ALG) containing algorithms called using Java reflection.

With an IDE containing only FWK source code, all is OK, we have CVEs from both Java (pom.xml) and Angular (package.json). With an IDE containing both FWK and ALG, only CVEs on the client are available.

@PuttePilz
Author

Hi, interesting to hear others have similar problems scanning Maven projects. I have had a ticket in JFrog support for over a year now and they decided to create an internal Jira:
"For your reference, the Jira ticket for this request is XRAY-95208.
Since this JIRA ticket is internal, you won't be able to track it in real time. "

  • The workaround for us is to clone the code temporarily and create a new temporary project in IntelliJ in another window and scan only that project, since IntelliJ is not able to scan multiple Maven projects opened. The Angular scanner works better and drills down to every project in the IDE and scans it. If we are lucky they will fix it. I recommend creating a ticket at JFrog so they prioritize the issue higher.
    -Regards Pilz
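
A coverage check for the situation described in this thread, added here as an example (it is not code from the thread or from the JFrog plugin): it inventories every pom.xml and package.json under a module folder and flags independent Maven roots that sit below the first level, so the list can be compared against what the scan results show. The function names and the skipped directory names are assumptions of this example, and it takes the "first level only" behaviour from the issue report rather than from the plugin's source.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Assumption: these directories hold dependencies or build output, not project roots.
SKIP_DIRS = {"node_modules", "target", ".git", ".idea"}
DESCRIPTORS = {"pom.xml": "maven", "package.json": "npm"}

def _local(tag):
    """Strip the XML namespace so poms with and without xmlns both match."""
    return tag.rsplit("}", 1)[-1]

def declared_modules(pom_path):
    """Directories that a pom.xml lists under <modules><module>."""
    try:
        root = ET.parse(pom_path).getroot()
    except ET.ParseError:
        return set()  # unreadable pom: treat as having no child modules
    base = os.path.dirname(pom_path)
    return {os.path.normpath(os.path.join(base, m.text.strip()))
            for mods in root.iter() if _local(mods.tag) == "modules"
            for m in mods if _local(m.tag) == "module" and m.text and m.text.strip()}

def inventory(module_root):
    """Every descriptor under module_root, with depth and aggregator membership."""
    module_root = os.path.abspath(module_root)
    found, children = [], set()
    for dirpath, dirnames, filenames in os.walk(module_root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        rel = os.path.relpath(dirpath, module_root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        for name in sorted(set(filenames) & set(DESCRIPTORS)):
            found.append({"kind": DESCRIPTORS[name], "dir": dirpath,
                          "rel": rel.replace(os.sep, "/"), "depth": depth})
            if name == "pom.xml":
                children |= declared_modules(os.path.join(dirpath, name))
    for item in found:
        # A child module is covered when its parent aggregator pom is scanned.
        item["aggregated"] = item["kind"] == "maven" and item["dir"] in children
    return found

def maven_roots_below_first_level(module_root):
    """Independent Maven roots that a first-level-only pom.xml lookup would not see."""
    return [i["rel"] for i in inventory(module_root)
            if i["kind"] == "maven" and i["depth"] > 0 and not i["aggregated"]]

if __name__ == "__main__":
    root_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    missed = set(maven_roots_below_first_level(root_dir))
    for item in inventory(root_dir):
        flag = "CHECK" if item["kind"] == "maven" and item["rel"] in missed else "ok"
        print(f'{flag:5} {item["kind"]:5} depth={item["depth"]} {item["rel"]}')
```

Run it with the module folder as the argument; every line marked CHECK is a Maven project whose dependencies should appear in the scan results and, per this issue, may not.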
