Hans Aikema

Results 265 comments of Hans Aikema

Trialling with a few versions shows that at least back to 6.0.0 the duplicate dependencies exist, but up to 6.1.6 the duplicates (at least if resolvable) get bundled up with...

> > Or is it perhaps possible to bind DC to a phase before install instead of its default phase verify? verify phase is before install in the [default maven...

@jeremylong my gut feel would be that it's because the CPE is coming from Sonatype OSSINDEX rather than NVD streams (NVD uses cpe:/a:grpc:grpc). Could it be that cpe suppression only...

@tobiasstadler As a side note: Are you aware that this module has changed coordinates ages ago for version 2.x? https://mvnrepository.com/artifact/org.codehaus.jackson/jackson-xc

Gut feel: reported as `CVE-2021-23440 (OSSINDEX)`. OSSINDEX has their own security researchers and they judge whether something was really fixed in a certain version, and if not, they register the...

Note: based on the comments in the PR the fix appears to not have been backported to the 2.x releases and only fixed in 4.x, so at first glance it...

The definitive resolution of this issue (removal of the code) is tracked by Spring-security as https://github.com/spring-projects/spring-security/issues/8980 and currently linked to their 6.0.x milestone

What Java version do you use? Looks a lot like https://stackoverflow.com/questions/41806422/java-web-start-unable-to-tunnel-through-proxy-since-java-8-update-111, for which the codebase has the mentioned fix in place (https://github.com/jeremylong/DependencyCheck/blob/c236dbf3b63ad3cc229a6a079a244d354da5ce46/utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java#L99), but maybe for your version of Java they...

Or maybe it never worked, but people needing this already had the local JVM patched with the same. See also https://github.com/jeremylong/DependencyCheck/issues/718

Your screenshot shows a modified but unsaved batch file. Are you sure you saved before running?