Closed vidgeus closed 1 year ago
The data source is independent - but the evidence and identification is different when using the CLI vs a build plugin. We always recommend the use of a build plugin over the CLI (or docker image). This is expected behavior due to how dependency-check works.
@jeremylong My question is actually this one, but reading the answer I believe it might be a confusion. In terms of the original question, the point is that two different versions of the same Gradle plugin produce different results. I did not expect that the CLI or the Gradle plugin could yield different results, but the same Gradle plugin, one 8.2.1 and the other 8.1.0, should yield the same results, right?
Did you actually look at the "vulnerability" reported by 8.1.0? I bet it looks like a false positive.... Most version upgrades include some level of false positive reduction.
Thank you @jeremylong for the clarification, I appreciate it. It looked like a false positive indeed.
Recreation steps: in my project I use the following `build.gradle`:

When I run the `dependencyCheckAnalyze` Gradle task I get the following vulnerability (just snakeyaml):

But when I change the OWASP version in the `build.gradle` from 8.2.1 to 8.1.0, then I get different vulnerabilities (snakeyaml & jackson-core):

Notes: I ran `dependencyCheckPurge` & `dependencyCheckUpdate` in both cases to ensure a "clean" recreation of the issue.

The problem: why do different versions of OWASP yield different vulnerabilities? Isn't the vulnerability data source independent from the OWASP releases?