Document default value for Maven plugin parameter "dataDirectory" #7434

Open
kwin opened this issue Feb 19, 2025 · 6 comments

@kwin
Contributor

kwin commented Feb 19, 2025

Currently the page at https://jeremylong.github.io/DependencyCheck/dependency-check-maven/check-mojo.html#dataDirectory does not expose which directory is used by default if no explicit value is configured. This would be beneficial to document in either the javadoc or via the default field of the @Parameter annotation (https://maven.apache.org/plugin-tools/maven-plugin-annotations/apidocs/org/apache/maven/plugins/annotations/Parameter.html#defaultValue--), which also ends up in the generated documentation.

@jeremylong
Collaborator

jeremylong commented Feb 19, 2025

If you are planning a caching strategy - you can just configure the directory and then you know what the value is. But yes, I understand we need to document the default value. Which is:

~/.m2/repository/org/owasp/dependency-check-data/11.0

@jeremylong
Collaborator

The problem is the default value could change in the future. So it is better if you specify a value if you are going to implement caching... alternatively - cache /Users/jeremy/.m2/repository/org/owasp/dependency-check-data/ and capture all versions. This could end up doubling or tripling the size of the cache eventually if we end up incrementing the version # (which is not the version of ODC - but rather the version of the data folder)

@kwin
Contributor Author

kwin commented Feb 19, 2025

If it is within the m2 repo, one doesn't need a dedicated caching strategy, e.g. the one for https://github.com/actions/setup-java#caching-packages-dependencies should suffice, shouldn't it?

@jeremylong
Collaborator

It should be sufficient.

@TIBCOrkrajews

TIBCOrkrajews commented Feb 19, 2025

The way I deal with it is just to use the dependency-check version in the data location. That is too conservative, obviously, but it always works.

Even better than documentation of the schema version, if there were either a machine-readable resource or command that told you the schema version, that would be useful for not only a local data cache, but also for a scheme where a site could run multiple DB-server based mirrors for the different versions, so that all the site's users of dependency-check did not have to update in lockstep. For example, the DB server could have different database names appended with the schema version – the site manager would still have to arrange for the various databases to be updated independently, and would need to make a decision about when to drop the databases that supported the older versions.

Yet another approach is for the client to specify the parent directory for data, and then let dependency-check use a subdirectory of its own choosing for the schema-dependent data (i.e., database).

@marcelstoer
Collaborator

It is already documented, see https://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html#Advanced_Configuration → dataDirectory

(documented value doesn't include the version, though)
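
The parent-directory caching approach discussed in this thread, with the cache growth it mentions kept in check, as an added example that is not part of the issue or the project's own code: a POSIX shell helper that keeps only the newest version-named data folders before a CI cache is saved. The function names, the keep count, and the assumption that data folders are named major.minor (like `11.0`) are illustrative.

```shell
#!/bin/sh
# Added example, not dependency-check code.
# Assumption: data folders under the parent are named major.minor (e.g. 11.0).
# Assumption: a removed folder is rebuilt by the next update if it is needed again.

# list_data_versions PARENT
# Prints the version-named subfolders of PARENT, oldest first.
list_data_versions() {
  parent=$1
  [ -d "$parent" ] || return 0
  for d in "$parent"/*/; do
    [ -d "$d" ] || continue
    name=$(basename "$d")
    case "$name" in
      *[!0-9.]*) continue ;;   # skip anything that is not digits and dots
    esac
    printf '%s\n' "$name"
  done | sort -t. -k1,1n -k2,2n
}

# prune_data_dirs PARENT [KEEP]
# Removes all but the KEEP newest version folders (default 1) so that a
# cache of PARENT does not grow each time the data folder version changes.
prune_data_dirs() {
  parent=$1
  keep=${2:-1}
  total=$(list_data_versions "$parent" | wc -l)
  drop=$((total - keep))
  [ "$drop" -gt 0 ] || return 0
  list_data_versions "$parent" | head -n "$drop" | while IFS= read -r v; do
    rm -rf -- "${parent:?}/$v"
    printf 'removed %s\n' "$v"
  done
}

# Typical call in a CI step that runs before the cache is saved:
#   prune_data_dirs "$HOME/.m2/repository/org/owasp/dependency-check-data" 1
```

Folders whose names contain anything other than digits and dots are left untouched, so unrelated content in the parent directory survives the prune.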
