Hans Aikema

The provider is released as part of the keycloak project; DependencyCheck project is not attributing NVD CPE associated vulnerabilities to sub-libraries of the CPE

approved

Resolved with #6408

The provider is released as part of the keycloak project; DependencyCheck project is not attributing NVD CPE associated vulnerabilities to sub-libraries of the CPE

resolved with #6408

`https://nexsus-server/nexus/repository/binaries/xx/xxx/xxx/` are you sure that's not a typo and should be `nexus-server` instead?

@Jeremy, they likely use a (corporate standard) parent-pom that configures Dependency-check with a custom property, so that it can be overridden (in maven settings.xml or with -D properties on the...

> > `https://nexsus-server/nexus/repository/binaries/xx/xxx/xxx/` are you sure that's not a typo and should be `nexus-server` instead? > > Sure it is a typo, I've changed the real nexus address, just to...

@RobSHK ``` [DEBUG] Setting: odc.autoupdate='false' ``` You have disabled auto-update, but some other job has put an empty hosted suppression in the cache The 'forced update' signalled by the warning...

Within the DependencyCheck dataDirectory just like the other caches. If you did not modify the default location it would be within your Maven local repository as documented at http://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html A...