jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Feature request: DotNet configure version #3424

Closed Marvin-Brouwer closed 3 years ago

Marvin-Brouwer commented 3 years ago

I noticed I got some vulnerability reports on NuGet packages that were reported for netcore2.1 and lower; however, my application is on netcore3.1. Because of that, I'd like to have a flag where I can set the dotnet version, to eliminate the need to suppress every vulnerability that is not applicable.

jeremylong commented 3 years ago

Sounds like you have some false positives. I'd rather see which dependencies are causing the misidentification and fix the engine. Some of them may already be flagged as issues with the FP Report label.

jeremylong commented 3 years ago

I have no intention of building a feature to specify the .net version and hide related vulnerabilities. Instead, we need to tune the engine.