diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java index b18b0715a..227762ca9 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java @@ -106,18 +106,18 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal final ListIterator subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex()); while (subIterator.hasNext()) { final Dependency nextDependency = subIterator.next(); - if (isShadedJar(dependency, nextDependency)) { - if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) { - dependenciesToRemove.add(dependency); - } else { - dependenciesToRemove.add(nextDependency); - } - } else if (hashesMatch(dependency, nextDependency)) { + if (hashesMatch(dependency, nextDependency)) { if (isCore(dependency, nextDependency)) { mergeDependencies(dependency, nextDependency, dependenciesToRemove); } else { mergeDependencies(nextDependency, dependency, dependenciesToRemove); } + } else if (isShadedJar(dependency, nextDependency)) { + if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) { + dependenciesToRemove.add(dependency); + } else { + dependenciesToRemove.add(nextDependency); + } } else if (cpeIdentifiersMatch(dependency, nextDependency) && hasSameBasePath(dependency, nextDependency) && fileNameMatch(dependency, nextDependency)) {