Closed alexpugna closed 4 years ago
According to OSS Index, it's vulnerable. https://ossindex.sonatype.org/component/pkg:maven/org.apache.tika/tika-core@1.6-20160727-alfresco-patched
So either OSS Index is not enabled in Dependency-Track or there are connectivity issues, in which case you may want to check the logs.
Refer to: https://docs.dependencytrack.org/analysis-types/known-vulnerabilities/ https://docs.dependencytrack.org/datasources/ossindex/
OSS Index was not enabled in Dependency-Track. Thanks for your help.
We currently use Dependency-Check and I am trialling Dependency-Track. I have deployed the Executable WAR and imported a CycloneDX BOM. Dependency-Track is incorrectly reporting that the project has no vulnerabilities. I have focused on only one vulnerability as an example below.
Current Behavior:
CVE-2016-6809 (for Apache Tika before 1.14) is in the vulnerability list; however, it shows no affected projects. The following component has no vulnerabilities listed:
Steps to Reproduce:
java -Xmx4G -jar dependency-track-embedded.war -port 9999
Expected Behavior:
org.apache.tika tika-core 1.6-20160727-alfresco-patched should be linked to CVE-2016-6809
Environment:
Additional Details:
No stack-traces in logs or obviously related error messages.