Describe the bug
Suddenly, we got reports of a bunch of vulnerabilities on the github.com/coreos/go-systemd/v22:22.5.0 package. Some of the vulnerabilities are 10+ years old. I believe that these vulnerabilities are related to the linux systemd suite, and not go-systemd itself. Could it be that DependencyCheck does a contains on the dependency strings, and finds systemd in go-systemd?
Version of dependency-check used
The problem occurs using version 9.0.7 of the cli via the Jenkins plugin
Log file
Not needed in this case, the check itself is successful and the report is generated.
To Reproduce
Steps to reproduce the behavior:
git clone https://github.com/rs/zerolog
dependency-check --scan ./ --exclude "submodules/**" "vendor/**" ".scannerwork/**" --disableAssembly --enableExperimental --nvdApiDelay 2500 --format HTML --nvdApiKey xxx
Expected behavior
No vulnerabilities are reported for the dependency (https://snyk.io/advisor/golang/github.com/coreos/go-systemd/v22)
Additional context
Happy to provide more info if needed
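The following is an added illustration of the matching behaviour the report suspects; it is not DependencyCheck's own code and makes no claim about how DependencyCheck actually maps a Go module to CPE entries. It models a CPE product table with a constructed three-entry list (the `systemd_project:systemd` pair mirrors the NVD vendor/product naming for the systemd suite, the other two entries are made up), then contrasts a substring test over the whole module path with an exact comparison against the module's final path element. The substring test attributes both `systemd` and `go` to `github.com/coreos/go-systemd/v22`; the exact comparison attributes nothing, which is the expected result for this dependency.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// cpeEntry is a minimal stand-in for an NVD CPE vendor/product record.
type cpeEntry struct {
	Vendor  string
	Product string
}

// sampleCPEs is a constructed product table for this example only; it is not
// the NVD data set and not what DependencyCheck consults.
var sampleCPEs = []cpeEntry{
	{"systemd_project", "systemd"},
	{"zerolog_project", "zerolog"},
	{"golang", "go"},
}

// naiveMatches models the behaviour the report hypothesises: a substring
// test of each CPE product name against the whole module path.
func naiveMatches(modulePath string) []string {
	var hits []string
	lower := strings.ToLower(modulePath)
	for _, c := range sampleCPEs {
		if strings.Contains(lower, c.Product) {
			hits = append(hits, c.Vendor+":"+c.Product)
		}
	}
	return hits
}

// isDigits reports whether s is a non-empty run of ASCII digits.
func isDigits(s string) bool {
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return s != ""
}

// moduleName returns the final path element of a Go module path, dropping a
// major-version suffix such as /v22, e.g. "go-systemd" for
// github.com/coreos/go-systemd/v22.
func moduleName(modulePath string) string {
	p := strings.TrimSuffix(modulePath, "/")
	last := path.Base(p)
	if len(last) > 1 && last[0] == 'v' && isDigits(last[1:]) {
		p = path.Dir(p)
		last = path.Base(p)
	}
	return strings.ToLower(last)
}

// exactMatches compares the whole module name against each CPE product name,
// so "go-systemd" is not confused with "systemd".
func exactMatches(modulePath string) []string {
	name := moduleName(modulePath)
	var hits []string
	for _, c := range sampleCPEs {
		if c.Product == name {
			hits = append(hits, c.Vendor+":"+c.Product)
		}
	}
	return hits
}

func main() {
	for _, m := range []string{"github.com/coreos/go-systemd/v22", "github.com/rs/zerolog"} {
		fmt.Printf("%-36s naive=%v exact=%v\n", m, naiveMatches(m), exactMatches(m))
	}
}
```

Note that even a token split on `-` would still yield `systemd` from `go-systemd`, so a fix for this class of false positive has to compare the identifier as a whole (or, better, key on the package URL `pkg:golang/github.com/coreos/go-systemd`) rather than on fragments of it.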