g00glen00b / dimitri.codes

Static generator for dimitri.codes using Gatsby
https://dimitri.codes

https://dimitri.codes/dependency-vulnerability-checks-sonarqube #129

Open utterances-bot opened 1 year ago

utterances-bot commented 1 year ago

Dependency vulnerability checks with SonarQube | Dimitri's tutorials

With recent vulnerabilities like Log4Shell and SpringShell, we're reminded of the importance of updating your dependencies. In this tutorial I'll show you how OWASP and SonarQube can help you with that.

https://dimitr.im/dependency-vulnerability-checks-sonarqube

milyas-salik commented 1 year ago

We integrated the Dependency Check plugin 6.5.3 in Azure CI with the OWASP Dependency Check task.

We noticed it throws non-relative information for the DLL.

Example: Filename: Microsoft.CSharp.zip: Microsoft.CSharp.dll | Reference: CVE-2015-1671 | CVSS Score: 9.3 | Category: CWE-19 | The Windows DirectWrite library, as used in Microsoft .NET Framework 3.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2; Office 2007 SP3 and 2010 SP2; Live Meeting 2007 Console; Lync 2010; Lync 2010 Attendee; Lync 2013 SP1; Lync Basic 2013 SP1; Silverlight 5 before 5.1.40416.00; and Silverlight 5 Developer Runtime before 5.1.40416.00, allows remote attackers to execute arbitrary code via a crafted TrueType font, aka "TrueType Font Parsing Vulnerability."

It's pointing at the DLL from Microsoft.CSharp.zip but displays the vulnerability for the DirectWrite library. Not sure about the reason; is it a known issue, or do we need to check it in a different way? Please guide.
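As an added example (not part of this thread or of the tutorial), a dependency-check suppression file that silences the finding above once it has been reviewed as a false positive. The file path regex and the notes text are assumptions; the suppression is kept to the one CVE and the one assembly so that every other file in the scan is still checked.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file; the path regex and notes are assumptions, not from the thread. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      Reviewed: CVE-2015-1671 is a DirectWrite TrueType font parsing flaw in the .NET Framework runtime,
      not a flaw in the Microsoft.CSharp.dll assembly packaged with this application.
      Reviewed by: <reviewer placeholder>, on: <date placeholder>.
    ]]></notes>
    <!-- Match only this assembly, wherever the scanner extracted it (it sits inside Microsoft.CSharp.zip). -->
    <filePath regex="true">.*Microsoft\.CSharp\.dll$</filePath>
    <!-- Suppress only this CVE; a <cpe> element would be broader and hides future findings for that identifier. -->
    <cve>CVE-2015-1671</cve>
  </suppress>
</suppressions>
```

Point the scanner at it with the CLI's `--suppression` option (or the equivalent suppression-file setting of the CI task), and check the report's identifier for the DLL first: if the assembly was matched to a .NET Framework CPE, every other finding for that identifier needs the same review before anything wider than a per-CVE suppression is added.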