Jeremy Long

Results 280 comments of Jeremy Long

ATM - I'm not sure if you can pass gradle configs for ODC via the CLI. You can configure the plugin using an init script. Several security tools use this...

You can always use an init script to configure the task. Example can be found here: https://github.com/jeremylong/DependencyCheck/issues/4044#issuecomment-1030828651

Take a look at the **[Known Affected Software Configurations](https://nvd.nist.gov/vuln/detail/cve-2016-1000027)** and you will see that it says everything up to 6.0.0 is affected. You can contact the NVD if you feel...

See how the CVE at the NVD says "AWAITING ANALYSIS" in the yellow warning bar? The CVE still is not complete in the NVD data as it has no affected...

ODC uses several sources of vulnerabilities. If only using the NVD (for instance in this case if you disabled the OSS Index Analyzer) the CVE would likely not show up...

Turn off the OSS Index Analyzer and run your tests again. Hopefully, that will help you understand how ODC works.

See https://github.com/jeremylong/DependencyCheck/blob/39631db5a88ed2153435abd2630d8e32518aebc1/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java#L194 So `-Dnvd.api.datafeed.url=https://some.site` should work.

Disable the node package analyzer - it's garbage and needs to be re-written. If you use just the node audit analyzer - it is really no different than just running...
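Several of the comments above come down to the same mechanism: when the Gradle plugin cannot be driven from the command line, put the configuration in an init script (the first two comments), use that script to switch individual analyzers off (the OSS Index experiment and the node package analyzer comment), and set the NVD data feed URL that is otherwise passed as `-Dnvd.api.datafeed.url=...`. The following init script is an added example written for this page; it is not code from Jeremy Long's comments, from the linked issue, or from the DependencyCheck project. The plugin version, the `https://some.site` placeholder (taken from the comment above), the CVSS threshold, and the exact extension property names (`nvd.datafeedUrl`, `analyzers.ossIndex.enabled`, `analyzers.nodeEnabled`, `analyzers.nodeAudit.enabled`) are assumptions based on the plugin's documented DSL and should be checked against the version you run.

```groovy
// odc.init.gradle -- added example, not part of the original comments or of ODC itself.
// Apply to any build without touching its build.gradle:
//   ./gradlew --init-script odc.init.gradle dependencyCheckAnalyze
initscript {
    repositories {
        mavenCentral()
        gradlePluginPortal()
    }
    dependencies {
        // Assumption: plugin coordinates/version; use the release you actually run.
        classpath 'org.owasp:dependency-check-gradle:9.0.9'
    }
}

allprojects {
    // Init scripts cannot use the plugins {} DSL, so apply the plugin by class.
    apply plugin: org.owasp.dependencycheck.gradle.DependencyCheckPlugin

    dependencyCheck {
        // Assumed policy for this example: fail the build on CVSS >= 7.
        failBuildOnCVSS = 7.0f

        nvd {
            // Same effect as -Dnvd.api.datafeed.url=https://some.site on the CLI:
            // read NVD data from a mirror of the API data feed instead of the live API.
            // 'https://some.site' is the placeholder from the comment above.
            datafeedUrl = 'https://some.site'
        }

        analyzers {
            // Turn off the OSS Index analyzer so only NVD data contributes to the report.
            // With this off, a CVE the NVD still lists as "AWAITING ANALYSIS" (no affected
            // configurations yet) will not be reported, which is the experiment suggested above.
            ossIndex {
                enabled = false
            }

            // Node projects: disable the node package analyzer and rely on node audit alone.
            nodeEnabled = false
            nodeAudit {
                enabled = true
            }
        }
    }
}
```

Because the script lives outside the repository it can be kept by the security team and applied uniformly to every build (for example from a CI job), which is also why the settings above are placed in `allprojects` rather than in one module's `build.gradle`.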