
Steady's vulnerability reports for the com.fasterxml.jackson.core:jackson-databind 2.0.0, 2.6.5, and 2.8.0 projects are completely identical.

Open momo-tong opened this issue 1 year ago • 3 comments

Describe the bug
Steady's vulnerability reports for the com.fasterxml.jackson.core:jackson-databind 2.0.0, 2.6.5, and 2.8.0 projects are completely identical.

My objective is to analyze the vulnerabilities of the com.fasterxml.jackson.core:jackson-databind 2.0.0, 2.6.5, and 2.8.0 versions. Since Steady only analyzes vulnerabilities for third-party dependencies using a POM configuration file, I have created my own configuration file. Steady analyzed the com.fasterxml.jackson.core:jackson-databind software for the three versions mentioned. The CVEs reported on the Steady webpage are identical. Additionally, I used Steady to scan the JAR files for versions 2.0.0 and 2.6.5, and the vulnerability reports for all versions are also identical. I have updated the database to the latest version.

Can you provide me with some assistance to resolve or explain this issue? Thanks very much!

To Reproduce
my own configuration file:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>untitled</artifactId>
    <version>2.0.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>11</maven.compiler.source>
        <maven.compiler.target>11</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <dependencies>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>2.0.0</version>
            <scope>compile</scope>
        </dependency>
    </dependencies>

</project>

the commands:

#sudo java -Xms2048m  -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal app
#sudo java -Xms2048m  -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal a2c
#sudo java -Xms2048m  -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
#sudo java -Xms2048m  -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal report

Steady result

RUNTIME direct jackson-databind-2.6.5.jar CVE-2017-17485 9.8 (v3.1)
RUNTIME direct jackson-databind-2.6.5.jar CVE-2017-7525 9.8 (v3.1)
RUNTIME direct jackson-databind-2.6.5.jar CVE-2018-11307 9.8 (v3.1)
RUNTIME direct jackson-databind-2.6.5.jar CVE-2018-12022 7.5 (v3.0)
RUNTIME direct jackson-databind-2.6.5.jar CVE-2018-12023 7.5 (v3.0)
RUNTIME direct jackson-databind-2.6.5.jar CVE-2018-5968 8.1 (v3.1)
RUNTIME direct jackson-databind-2.6.5.jar CVE-2018-7489 9.8 (v3.0)
RUNTIME direct jackson-databind-2.6.5.jar CVE-2019-14540 9.8 (v3.1)
RUNTIME direct jackson-databind-2.6.5.jar CVE-2019-16335 9.8 (v3.1)
RUNTIME direct jackson-databind-2.6.5.jar CVE-2020-36518 7.5 (v3.1)

momo-tong, May 18 '23 11:05
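A practical first check when several scans come back identical is to parse the report lines and confirm that the archive version Steady reports findings against matches the version declared in each POM; the report above, for instance, names jackson-databind-2.6.5.jar throughout. The script below is an added example, not code from the issue or from Steady; the line layout it parses and the sample reports are constructed from the result quoted above.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "scope kind archive cve score cvss")

# One finding per line, in the layout of the Steady result quoted in the issue:
# "RUNTIME direct jackson-databind-2.6.5.jar CVE-2017-17485 9.8 (v3.1)"
LINE_RE = re.compile(
    r"(?P<scope>\w+)\s+(?P<kind>\w+)\s+(?P<archive>\S+\.jar)\s+"
    r"(?P<cve>CVE-\d{4}-\d+)\s+(?P<score>\d+(?:\.\d+)?)\s+\((?P<cvss>v[\d.]+)\)"
)
VERSION_RE = re.compile(r"-(\d+(?:\.\d+)+)\.jar$")  # version from the jar file name

def parse_report(text):
    """Parse report text (one finding per line) into Finding tuples."""
    findings = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["scope"], m["kind"], m["archive"],
                                    m["cve"], float(m["score"]), m["cvss"]))
    return findings

def analysed_versions(findings):
    """Versions of the archives the findings were reported against."""
    return {m.group(1) for f in findings if (m := VERSION_RE.search(f.archive))}

def compare_reports(reports):
    """reports: declared POM version -> that scan's report text.
    Returns (per_version, all_identical); per_version gives each scan's CVE set,
    the archive versions it names, and whether those differ from the declared one."""
    per_version = {}
    for declared, text in reports.items():
        findings = parse_report(text)
        analysed = analysed_versions(findings)
        per_version[declared] = {
            "cves": frozenset(f.cve for f in findings),
            "analysed": analysed,
            "version_mismatch": analysed != {declared},
        }
    all_identical = len({v["cves"] for v in per_version.values()}) == 1
    return per_version, all_identical

# Constructed sample: two scans, declared as 2.0.0 and 2.6.5, whose reports
# both name the 2.6.5 jar and list the same CVEs (as in the issue).
_SAME = ("RUNTIME direct jackson-databind-2.6.5.jar CVE-2017-17485 9.8 (v3.1)\n"
         "RUNTIME direct jackson-databind-2.6.5.jar CVE-2017-7525 9.8 (v3.1)")
SAMPLE_REPORTS = {"2.0.0": _SAME, "2.6.5": _SAME}
```

A `version_mismatch` of True for a scan declared as 2.0.0 means the findings were attributed to a different archive than the POM asked for, which is the first thing to settle before comparing CVE lists across versions.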