Open gosusnkr opened 2 years ago
"Well, 6.0.5 is a very dated version, likely the improvements in the new releases improved version detection, so your solution would be to update to a maintained version of DependencyCheck."
Edit: only later spotted that you indicate that you tried running with 6.4.1 but failed with the same result.
My gut feel (no experience with the .NET assembly analysis part) is that a difference in locally available .NET tooling may be the root cause of the difference.
I have downloaded the latest version. Still, I'm getting wildcards on my report. When my colleague did it, he was getting exact versions.
You don't get wildcards, you get a shortened version number detected not reflecting the exact patch level (assuming that you and your colleague do get/resolve the exact same version of the DevExpress DLL).
While I don't know the full details, I do know that underneath it's using the .NET Core libraries (https://jeremylong.github.io/DependencyCheck/analyzers/assembly-analyzer.html). Are you and your colleague 100% in sync on the .NET version installed on your system?
Of course also check that you and your colleague are indeed fully in sync (e.g. same sha256 hash value for the file) on the DevExpress DLL.
To me - it looks like you and your colleague have different versions of the DLL.
I just found some difficulty in the scanner while I tried to run the scan with 6.0.5. When I scanned with 6.0.5 I got the result like below
When my vendor scanned with version 6.4.1 on the same package, he didn't receive any results.
I thought this might be because in my scan the scanner used wildcards in the package version and an older version of the scanner, then I downloaded the new scanner with version 6.4.1; still I got the result with wildcards in the package version.
I didn't find any solution for how to teach my scanner to take the exact version from the package. Please advise me on the same.