Jeremy Long

Results 280 comments of Jeremy Long

Many technology stacks will likely have a blank license as identification of the license is a best effort. In most cases this may only be populated on Java libraries.

Have you considered not scanning the dist directory?

Any suggestion on where this should be documented?

resolved with comment https://github.com/dependency-check/dependency-check-gradle/issues/22#issuecomment-575568801. Leaving #22 open for now as documentation - until I get a chance to update the official documentation.

Anyone have an example project that fails? From the above question - I have no clue what is going on. If we have a concrete example I can help.

The solution to the problem is the above comment: https://github.com/dependency-check/dependency-check-gradle/issues/22#issuecomment-575568801

Webjars contain JavaScript. In this case it looks like dom purify might be included in the JAR and was detected by the retireJS analyzer.

It is marked as experimental as no one has spent time figuring out how to reduce FP and FN. We will likely incorporate the GHSA data in Q4 2023 at...

@aikebah see https://github.com/jeremylong/nvd-lib - I still need to add better error handling, etc. but the client for the NVD should be mostly stable.

I've been debating adding a "cache" mechanism to the library - so you could specify a directory and it would write the JSON to the directory with a properties file....