I am trying to create a bom.json for many Jenkins plugins, but I found that the generated bom.json includes the jenkins-core dependency with the minimal version declared in the plugin's pom.xml. Here is a sample for the artifactory plugin: https://github.com/jenkinsci/artifactory-plugin.
My Jenkins version (2.479.2) is much higher than the minimal version (2.263.1). After the bom.json is uploaded into DT, its risk score is very high because of this very old 2.263.1 dependency, which is a false alarm, because my Jenkins has been upgraded to 2.479.2. Is there any way to exclude this dependency? I tried -DexcludeArtifactId, but the jenkins-core artifactId didn't exist in the pom.xml.
Here is the version defined in pom.xml.
```xml
...
<jenkins.version>2.263.1</jenkins.version>
<java.level>8</java.level>
...
```
Here is the dependency generated in bom.json:
```json
......
"type" : "library",
"bom-ref" : "pkg:maven/org.jenkins-ci.main/jenkins-core@2.263.1?type=jar",
"group" : "org.jenkins-ci.main",
"name" : "jenkins-core",
"version" : "2.263.1",
"description" : "Jenkins core code and view files to render HTML.",
......
```
I manually added this plugin to the artifactory plugin's pom.xml.
......
......
Did I do anything wrong?
Thanks. Any comments are welcome.
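An added example, not part of the original issue and not code from the CycloneDX or Jenkins projects: one way to post-process the generated bom.json before upload, either pinning jenkins-core to the version actually deployed (2.479.2 in the issue) or dropping it. The function name, the sample BOM and the com.example coordinates are constructed, and the code assumes CycloneDX JSON's flat top-level `components` list and `dependencies` graph.

```python
import copy

def rewrite_component(bom, group, name, new_version=None):
    """Return a copy of a CycloneDX JSON BOM with group:name pinned to
    new_version, or removed when new_version is None. Assumes the flat
    top-level "components" list plus the "dependencies" graph."""
    bom = copy.deepcopy(bom)
    renamed, kept = {}, []  # old bom-ref -> new bom-ref (None means removed)
    for comp in bom.get("components", []):
        if (comp.get("group"), comp.get("name")) != (group, name):
            kept.append(comp)
            continue
        old_ref, old_ver = comp.get("bom-ref"), comp["version"]
        if new_version is None:
            renamed[old_ref] = None
            continue
        comp["version"] = new_version
        for key in ("bom-ref", "purl"):
            if key in comp:
                comp[key] = comp[key].replace("@" + old_ver, "@" + new_version)
        comp.pop("hashes", None)  # hashes describe the old jar, not the new one
        renamed[old_ref] = comp.get("bom-ref")
        kept.append(comp)
    bom["components"] = kept
    graph = []
    for dep in bom.get("dependencies", []):
        ref = renamed.get(dep["ref"], dep["ref"])
        if ref is None:
            continue  # graph node of the removed component
        dep["ref"] = ref
        targets = (renamed.get(r, r) for r in dep.get("dependsOn", []))
        dep["dependsOn"] = [r for r in targets if r is not None]
        graph.append(dep)
    bom["dependencies"] = graph
    return bom

# Constructed sample BOM; only the jenkins-core entry mirrors the issue.
CORE = "pkg:maven/org.jenkins-ci.main/jenkins-core@2.263.1?type=jar"
LIB = "pkg:maven/com.example/lib@1.0?type=jar"
PLUGIN = "pkg:maven/com.example/plugin@1.0?type=hpi"
SAMPLE_BOM = {"bomFormat": "CycloneDX", "components": [
    {"type": "library", "bom-ref": CORE, "purl": CORE, "version": "2.263.1",
     "group": "org.jenkins-ci.main", "name": "jenkins-core"},
    {"type": "library", "bom-ref": LIB, "purl": LIB, "version": "1.0",
     "group": "com.example", "name": "lib"}],
    "dependencies": [{"ref": PLUGIN, "dependsOn": [CORE, LIB]},
                     {"ref": CORE, "dependsOn": []}]}
pinned = rewrite_component(SAMPLE_BOM, "org.jenkins-ci.main", "jenkins-core", "2.479.2")
dropped = rewrite_component(SAMPLE_BOM, "org.jenkins-ci.main", "jenkins-core")
```

Pinning keeps Jenkins core in the inventory so Dependency-Track scores the version that is deployed, while dropping removes it from analysis entirely.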