dependency-check / dependency-check-gradle

The dependency-check gradle plugin is a Software Composition Analysis (SCA) tool that allows projects to monitor dependent libraries for known, published vulnerabilities.
http://jeremylong.github.io/DependencyCheck/
Apache License 2.0

False positives with conflicted version resolution #370

Closed scottkennedy closed 8 months ago

scottkennedy commented 8 months ago

I'm seeing a reported issue with gson-2.8.5.jar, with:

```
Included by:
pkg:maven/com.plaid/plaid-java@18.0.0
```

But the dependency graph has:

```
+--- com.plaid:plaid-java:18.0.0
|    +--- com.squareup.retrofit2:retrofit:2.9.0
|    |    \--- com.squareup.okhttp3:okhttp:3.14.9 -> 4.11.0 (*)
|    +--- com.squareup.retrofit2:converter-gson:2.9.0
|    |    +--- com.squareup.retrofit2:retrofit:2.9.0 (*)
|    |    \--- com.google.code.gson:gson:2.8.5 -> 2.10.1
```

Due to a newer version of gson being included elsewhere, Gradle is resolving that old transitive dependency to 2.10.1, and including that in the build.

Every gson line in the dependency graph is com.google.code.gson:gson:2.8.5 -> 2.10.1. I can't see any actual instance of 2.8.5 being included in the build.

jeremylong commented 8 months ago

Does the report list both versions?

scottkennedy commented 8 months ago

The report from dependency-check-gradle only lists 2.8.5. Everything in the Gradle dependency graph shows it's resolved to 2.10.1.

scottkennedy commented 8 months ago

Hmm, I added a constraint, and it resolved this. So, never mind.
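The reporter does not show the constraint that made the finding go away. The following `build.gradle.kts` is an added example, not code from the issue thread or from the dependency-check-gradle project, showing the Gradle dependency-constraint form that pins the transitive gson to the version the graph above already resolves to (2.10.1). It assumes a plain Java project applying the plugin by its id `org.owasp.dependencycheck`; the plugin version is a placeholder to be replaced with whatever the build already pins, and the `runtimeClasspath` configuration named in the check below is the standard one the `java` plugin creates.

```kotlin
// build.gradle.kts -- added example, not from the issue or the project's own docs.
// Assumes a Java project; the plugin version string is a placeholder.
plugins {
    java
    id("org.owasp.dependencycheck") version "<plugin-version>"  // placeholder, use your pinned release
}

repositories {
    mavenCentral()
}

dependencies {
    // The direct dependency from the issue. Its converter-gson transitively
    // declares com.google.code.gson:gson:2.8.5, which conflict resolution bumps to 2.10.1.
    implementation("com.plaid:plaid-java:18.0.0")

    // A constraint states the intended version in the graph itself instead of relying on
    // an incidental newer declaration elsewhere. Gradle then selects 2.10.1 for gson in every
    // configuration, and the selection reason is recorded for dependencyInsight.
    constraints {
        implementation("com.google.code.gson:gson:2.10.1") {
            because("pin transitive gson (declared as 2.8.5 by retrofit converter-gson) to the version already resolved in the build")
        }
    }
}

// Optional hardening: fail the build when any resolved dependency has a vulnerability
// at or above the given CVSS score (a documented plugin setting, Float in the Kotlin DSL).
dependencyCheck {
    failBuildOnCVSS = 7.0f
}
```

To confirm what Gradle actually selects and why, run `./gradlew dependencyInsight --dependency gson --configuration runtimeClasspath`; the output should show only `com.google.code.gson:gson:2.10.1` with the constraint's reason attached. Then re-run `./gradlew dependencyCheckAnalyze` and check that the report no longer lists gson-2.8.5.jar under `pkg:maven/com.plaid/plaid-java@18.0.0`. The caveat a practitioner should keep in mind is that a constraint documents and enforces a version, it does not audit the old one: if a build ever has a configuration where the constraint does not apply (for example a custom configuration that does not extend `implementation`), the 2.8.5 declaration can resurface there, so check each configuration the plugin scans rather than only the runtime classpath.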