jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

is it possible to consolidate the results? #5109

Open simondivi opened 1 year ago

simondivi commented 1 year ago

For example, the dojo-1.16.3-distribution.zip has a lot of files and all of them report the exact same vulnerabilities. This blows up the number of found issues. Can this be avoided and the zip file be counted only once?
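One way to get the consolidated view asked for above is to post-process the JSON report. The script below is an added example, not part of dependency-check or this thread; it assumes the report's `dependencies` entries carry `filePath`, `fileName` and `vulnerabilities[].name`, and that files extracted from an archive keep the archive's own path as a prefix of their `filePath`. The sample report and CVE ids are constructed placeholders.

```python
import json
from collections import defaultdict

# Archive extensions whose extracted entries should be folded into one finding.
ARCHIVE_SUFFIXES = (".zip", ".jar", ".war", ".ear", ".tar.gz", ".tgz", ".tar")


def archive_root(file_path: str) -> str:
    """Return the outermost archive containing file_path, or the path itself.

    Assumption: dependency-check reports an extracted entry as
    '<archive path>/<entry path>', so the earliest '<suffix>/' marks the
    outermost archive (nested archives are folded into the outer one).
    """
    lower = file_path.lower()
    best = None
    for suffix in ARCHIVE_SUFFIXES:
        idx = lower.find(suffix + "/")
        if idx != -1 and (best is None or idx + len(suffix) < best):
            best = idx + len(suffix)
    return file_path[:best] if best is not None else file_path


def consolidate(report: dict) -> dict:
    """Collapse entries from the same archive with an identical CVE set."""
    groups = defaultdict(list)  # (archive, sorted CVE names) -> affected files
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        if not vulns:
            continue  # clean dependencies do not contribute findings
        key = (archive_root(dep["filePath"]),
               tuple(sorted(v["name"] for v in vulns)))
        groups[key].append(dep.get("fileName", dep["filePath"]))
    findings = [{"archive": root, "vulnerabilities": list(names), "affectedFiles": files}
                for (root, names), files in groups.items()]
    return {"findings": findings,
            "before": sum(len(files) for files in groups.values()),
            "after": len(findings)}


# Constructed sample report (placeholder CVE ids, not real findings).
ZIP = "/build/libs/dojo-1.16.3-distribution.zip"
SAMPLE_REPORT = {"dependencies": [
    {"fileName": "dojo.js", "filePath": ZIP + "/dojo/dojo.js",
     "vulnerabilities": [{"name": "CVE-0000-0001"}, {"name": "CVE-0000-0002"}]},
    {"fileName": "dijit.js", "filePath": ZIP + "/dijit/dijit.js",
     "vulnerabilities": [{"name": "CVE-0000-0002"}, {"name": "CVE-0000-0001"}]},
    {"fileName": "dojox.js", "filePath": ZIP + "/dojox/dojox.js",
     "vulnerabilities": [{"name": "CVE-0000-0001"}, {"name": "CVE-0000-0002"}]},
    {"fileName": "util.js", "filePath": ZIP + "/util/util.js",
     "vulnerabilities": [{"name": "CVE-0000-0003"}]},
    {"fileName": "other-lib-1.0.jar", "filePath": "/build/libs/other-lib-1.0.jar",
     "vulnerabilities": [{"name": "CVE-0000-0001"}]},
    {"fileName": "clean.jar", "filePath": "/build/libs/clean.jar", "vulnerabilities": []},
]}

if __name__ == "__main__":
    print(json.dumps(consolidate(SAMPLE_REPORT), indent=2))  # 5 findings -> 3
```

Run against a real `dependency-check-report.json` by replacing `SAMPLE_REPORT` with `json.load(open(path))`; the `affectedFiles` list keeps the per-file detail so nothing is lost, only the count is collapsed.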

jeremylong commented 1 year ago

Do you have a link to dojo-1.16.3-distribution.zip?

simondivi commented 1 year ago

Sure, sorry, here it is: https://mvnrepository.com/artifact/org.dojotoolkit/dojo/1.16.3 We have a dependency through: https://mvnrepository.com/artifact/org.apache.qpid/qpid-broker-plugins-management-http

jeremylong commented 1 year ago

Sorry for the delay on this - but I am unable to reproduce the issue using the maven plugin.

simondivi commented 1 year ago

Thanks for looking into it. I have created a reproducer: https://github.com/simondivi/DependencyCheck-5109

Edit: It is using Gradle, but I believe it should behave the same?