Blackduck scan showing FILE MODIFIED with older version of Jetty Http


Problem description

We have one module which we are building in maven as an executable jar file from the command line, using spring-boot-maven-plugin version 2.1.0.RELEASE, by passing the goal as repackage and the classifier as one-jar; we have also configured mainClass.

In my pom.xml file, the code is as shown below:

<plugin>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-maven-plugin</artifactId>
    <version>2.1.0.RELEASE</version>
    <executions>
        <execution>
            <goals>
                <goal>repackage</goal>
            </goals>
            <configuration>
                <classifier>spring-boot</classifier>
                <mainClass>
                  ------------
                </mainClass>
            </configuration>
        </execution>
    </executions>
</plugin>

---

<dependency>
  <groupId>org.eclipse.jetty</groupId>
  <artifactId>jetty-http</artifactId>
  <version>9.4.33.v20201020</version>
</dependency>
<dependency>
  <groupId>org.eclipse.jetty</groupId>
  <artifactId>jetty-security</artifactId>
  <version>9.4.33.v20201020</version>
</dependency>
---

and our module contains org.eclipse.jetty related dependencies configured to version 9.4.33.v20201020. When we configured a Blackduck scan for this module's jar file, the scan is picking up some older versions of jetty. For example, for the jetty-http and jetty-security dependencies it is picking 9.4.31.v20200723, also showing as FILE MODIFIED, along with 9.4.33.v20201020.

As I have cross-verified the entire maven repo for version 9.4.31.v20200723, I did not find any jetty dependencies for this version. Still, the Blackduck scan is showing the older jetty versions as FILE MODIFIED.

Can anyone help me understand what the FILE MODIFIED match type in Blackduck is and how to solve this problem?

Recommended answer

From https://testing.blackduck.synopsys.com/doc/internal_project_versions/understanding_project_version_bom_information.htm

Files Modified. Scanning identified a fuzzy match to a component in the Black Duck KB, where some of the archive files were modified. Sometimes this is a match to a previous or subsequent version of the component, which may have been missing from the Black Duck KB at the time that the match was made.

Seems your blackduck database is old and has no references to these newer Jetty releases.
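
One way to confirm which Jetty versions are actually packaged inside the repackaged jar before triaging the FILE MODIFIED match. This is an added example, not part of the original question or answer. It assumes the libraries under BOOT-INF/lib/ carry Maven's META-INF/maven/.../pom.properties; the function names are illustrative and the sample jar is constructed, not real Jetty:

```python
import io
import zipfile

def parse_properties(text):
    """Parse the key=value lines of a Maven pom.properties file."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def embedded_coordinates(fat_jar, group_prefix="org.eclipse.jetty"):
    """List (groupId, artifactId, version, nested jar) for every pom.properties
    found inside the libraries under BOOT-INF/lib/ of a repackaged jar."""
    found = []
    with zipfile.ZipFile(fat_jar) as outer:
        for lib in outer.namelist():
            if not (lib.startswith("BOOT-INF/lib/") and lib.endswith(".jar")):
                continue
            with zipfile.ZipFile(io.BytesIO(outer.read(lib))) as inner:
                # A library that bundles other artifacts carries several
                # pom.properties files, so read all of them, not just one.
                for entry in inner.namelist():
                    if entry.startswith("META-INF/maven/") and entry.endswith("/pom.properties"):
                        p = parse_properties(inner.read(entry).decode("utf-8", "replace"))
                        if p.get("groupId", "").startswith(group_prefix):
                            found.append((p["groupId"], p.get("artifactId", ""),
                                          p.get("version", ""), lib))
    return sorted(found)

def unexpected(coords, expected_version):
    """Coordinates whose version differs from the one declared in pom.xml."""
    return [c for c in coords if c[2] != expected_version]

def build_sample_jar():
    """Constructed sample: a tiny stand-in for a repackaged jar."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        for artifact in ("jetty-http", "jetty-security"):
            buf = io.BytesIO()
            with zipfile.ZipFile(buf, "w") as n:
                n.writestr(f"META-INF/maven/org.eclipse.jetty/{artifact}/pom.properties",
                           f"#Generated\ngroupId=org.eclipse.jetty\n"
                           f"artifactId={artifact}\nversion=9.4.33.v20201020\n")
            z.writestr(f"BOOT-INF/lib/{artifact}-9.4.33.v20201020.jar", buf.getvalue())
    return out

if __name__ == "__main__":
    coords = embedded_coordinates(build_sample_jar())
    print(coords, unexpected(coords, "9.4.33.v20201020"))
```

To check a real build, pass the path of the repackaged jar to `embedded_coordinates` in place of the constructed sample; an empty result from `unexpected` means every packaged Jetty artifact matches the version declared in pom.xml.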
