Hans Aikema

Results 267 comments of Hans Aikema

Is there a longer stacktrace you can share? This clearly relates to character set issues while processing filenames from a zip-file, but would like to have some pointers on where...

If there is no stacktrace it would also be helpful if you could share a dummy project / scan that exhibits this behavior so that we can reproduce and debug...

No and none is planned. In reports there are the project modules that have it as a (direct or transitive) dependency. From there on you need to use your project...

Some proxy that delivers you an incomplete datastream without signalling an error. On the next run ODC should re-attempt the download (as it nowadays disposes apparently faulty downloads from the...

Behaviour seems appropriate to me. According to what you state the revision property is properly substituted to the version of your library. I suspect from the minimal description that you...

Note that for Maven projects you typically get much better results (fewer FPs) when you use the Maven plugin instead of the CLI to scan your project. `mvn org.owasp:dependency-check-maven:7.1.1:check`

Running the 7.1.1 Gradle plugin doesn't yield the listed CPEs for me (and therefore not the CVEs associated with older versions of spring-security libraries) spring-boot-starter-oauth2-resource-server-2.7.0.jar gets associated only with ```...

@jeremylong @jlstephens89 Think we can close this now? Or are there still reports in the comments that require follow-up?

> @aikebah as far as I understand, dependency-check still needs updating to handle the change. Then OSSIndex can stop hiding it from dependency-check user agents.

Ah right... after carefully reading...

A local test with a modified current snapshot (modified user-agent, so that user-agent-based response filtering at Sonatype OSSIndex will not kick in) appears to suggest that the issue is...