osv-scanner icon indicating copy to clipboard operation
osv-scanner copied to clipboard

Published 20 hours ago verified publisher icon google

maven dependency but no version

Open jsqfengbao opened this issue 7 months ago • 5 comments

Maven dependency but no version comes from three places, one is the version number defined by dependencyManagement, one is the version number of parent, and one is that other dependencies have it but it is redefined here. These three situations depend on Maven's build mechanism: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html Now the question is, if Maven dependency but no version. Then osv-scanner will not extract it. Is there such a vulnerability, but it is not detected by osv-scanner?

jsqfengbao avatar Jul 16 '24 02:07 jsqfengbao