Jeremy Long

Results: 106 comments of Jeremy Long

Has anyone contacted the OSS Index team regarding this? This differs greatly from the CVE: https://ossindex.sonatype.org/vulnerability/sonatype-2017-0348?component-type=maven&component-name=xerces%2FxercesImpl&utm_source=dependency-check&utm_medium=integration&utm_content=7.1.1

Yes - I will likely be merging this before the next release. I haven't had as much time to focus on ODC as I have in the past due to...

I've been off and on looking at this as time permits - I haven't been able to figure out why this PR breaks 629 and does not suppress the CVE...

The reason these are getting flagged is because we rely on the NVD data. If you look here: https://nvd.nist.gov/vuln/detail/CVE-2018-1258 and https://nvd.nist.gov/vuln/detail/CVE-2018-1258/cpes?expandCpeRanges=true, you can see that they have some inaccurate data that...

Actually - after taking a second look the issue is that ODC does not utilize the `AND` capabilities within the NVD. This might take a while to resolve. In the...

The entire set of dependencies used by the application is contained at the Engine level. If we had the and/or relationships stored - processing them would not be that difficult...

One of the issues is that we may not even have a CVSS score - if the vulnerability comes from OSS, NPM, RetireJS, etc. At the moment - we check...

Any chance you have an example `pom.xml` or `build.gradle`?

This is unfortunately one of the issues with the [evidence based library identification process](https://jeremylong.github.io/DependencyCheck/general/internals.html) used by dependency-check. Without a major re-work of ODC the best that can be done is...

OWASP dependency-check is a command line tool. Run the `.bat` file from the command prompt.