Blackduck scan showing FILE MODIFIED with older version of Jetty Http

Submitted by 与世无争的帅哥 on 2021-01-29 06:49:32

Question


We have one module which we are building in maven as an executable jar file using the command line, using spring-boot-maven-plugin with version 2.1.0.RELEASE by passing the goal as repackage, the classifier as one-jar, and we have configured mainClass also.

In my pom.xml file code is shown as below:

<plugin>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-maven-plugin</artifactId>
    <version>2.1.0.RELEASE</version>
    <executions>
        <execution>
            <goals>
                <goal>repackage</goal>
            </goals>
            <configuration>
                <classifier>spring-boot</classifier>
                <mainClass>
                  ------------
                </mainClass>
            </configuration>
        </execution>
    </executions>
</plugin>

---

<dependency>
  <groupId>org.eclipse.jetty</groupId>
  <artifactId>jetty-http</artifactId>
  <version>9.4.33.v20201020</version>
</dependency>
<dependency>
  <groupId>org.eclipse.jetty</groupId>
  <artifactId>jetty-security</artifactId>
  <version>9.4.33.v20201020</version>
</dependency>
---

and our module contains org.eclipse.jetty related dependencies configured to version 9.4.33.v20201020. When we configured a Blackduck scan for this module jar file, the scan is picking up some older versions of jetty. For example, for the jetty-http and jetty-security dependencies it is picking 9.4.31.v20200723, also showing it as FILE MODIFIED along with 9.4.33.v20201020.

I have cross-verified the entire maven repo for version 9.4.31.v20200723 and did not find any jetty dependencies of this version. Still, the Blackduck scan is showing the older jetty versions as FILE MODIFIED.

Can anyone help me understand what the FILE MODIFIED match type in Blackduck is and how to solve this problem?


Answer 1:


From https://testing.blackduck.synopsys.com/doc/internal_project_versions/understanding_project_version_bom_information.htm

Files Modified. Scanning identified a fuzzy match to a component in the Black Duck KB, where some of the archive files were modified. Sometimes this is a match to a previous or subsequent version of the component, which may have been missing from the Black Duck KB at the time that the match was made.

Seems your blackduck database is old and has no references to these newer Jetty releases.
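A check the question's cross-verification skips is the repackaged jar itself: a scan of the executable jar sees the nested jars under BOOT-INF/lib/ (Spring Boot's repackage layout), not the local Maven repository. The following is an added example, not code from the post: it inventories the nested jars, hashes each one, reads the version its own embedded pom.properties declares, and flags any jar whose file name and declared version disagree. The sample fat jar is constructed in memory and is not a real build.

```python
import hashlib
import io
import zipfile
COORDS = ("groupId", "artifactId", "version")

def _pom_properties(data: bytes) -> dict:
    """Parse Maven pom.properties: key=value lines, '#' comment lines ignored."""
    lines = (l.strip() for l in data.decode("utf-8", errors="replace").splitlines())
    pairs = (l.partition("=") for l in lines if l and not l.startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, _, v in pairs}

def inventory_nested_jars(fat_jar: bytes, lib_prefix: str = "BOOT-INF/lib/") -> list:
    """One record per nested jar: path, SHA-1 of its bytes, and the coordinates from its pom.properties."""
    records = []
    with zipfile.ZipFile(io.BytesIO(fat_jar)) as outer:
        for name in outer.namelist():
            if not (name.startswith(lib_prefix) and name.endswith(".jar")):
                continue
            blob = outer.read(name)
            rec = {"path": name, "sha1": hashlib.sha1(blob).hexdigest(), **dict.fromkeys(COORDS)}
            with zipfile.ZipFile(io.BytesIO(blob)) as inner:
                for entry in inner.namelist():
                    if entry.startswith("META-INF/maven/") and entry.endswith("/pom.properties"):
                        props = _pom_properties(inner.read(entry))
                        rec.update({k: props.get(k) for k in COORDS})
                        break
            records.append(rec)
    return records

def mismatched_versions(records: list) -> list:
    """Nested jars whose declared version is absent from their file name: not the build the name claims."""
    return [r for r in records if r["version"] and r["version"] not in r["path"]]

def _make_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()

# Constructed sample (not a real build): jetty-http is consistent, while the jetty-security
# file name says 9.4.33 but its embedded pom.properties says 9.4.31.
SAMPLE_FAT_JAR = _make_jar({
    "BOOT-INF/lib/jetty-http-9.4.33.v20201020.jar": _make_jar({
        "META-INF/maven/org.eclipse.jetty/jetty-http/pom.properties":
            b"groupId=org.eclipse.jetty\nartifactId=jetty-http\nversion=9.4.33.v20201020\n"}),
    "BOOT-INF/lib/jetty-security-9.4.33.v20201020.jar": _make_jar({
        "META-INF/maven/org.eclipse.jetty/jetty-security/pom.properties":
            b"groupId=org.eclipse.jetty\nartifactId=jetty-security\nversion=9.4.31.v20200723\n"}),
})
```

Run `inventory_nested_jars` on the real repackaged jar (read its bytes from disk) to see which jetty versions are actually shipped; the SHA-1 of a flagged nested jar is what to compare against the artifact in the Maven repository.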



Source: https://stackoverflow.com/questions/64802038/blackduck-scan-showing-file-modified-with-older-version-of-jetty-http
