Closed qw1212 closed 6 months ago
Discrepancy appears to be due to an error in your other tool wrongly attributing the JDBC driver to cpe:2.3:a:sqlite:sqlite
instead of cpe:2.3:a:sqlite_jdbc_project:sqlite_jdbc
https://www.sqlite.org/cves.html documents the CVE to exist in an extension that needs to be explicitly enabled on compile.
The CVE is neither listed by OSSINDEX (which would make it reported by the OSSINDEX analyzer), nor Snyk (another easily googleable vulnerabilities resource, which is not consulted by dependencycheck as their API is only accessible for customers) for your exact version of the library.
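The CPE attribution the reply describes, as an added example (not code from dependency-check or the SQLite JDBC project): a minimal CPE 2.3 comparison in Python showing that a CVE configuration keyed to cpe:2.3:a:sqlite:sqlite covers an artifact misattributed to that CPE but not one identified as sqlite_jdbc_project:sqlite_jdbc. The wildcard version range and the artifact CPEs are constructed; the real CVE's affected-version range is not taken from the page.

```python
# Added example, not part of the dependency-check project.
# Minimal CPE 2.3 formatted-string parsing and matching to show why a CVE
# keyed to vendor/product sqlite:sqlite does not apply to the JDBC driver.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def split_cpe(cpe: str) -> list[str]:
    """Split a CPE 2.3 formatted string on unescaped colons (handles '\\:')."""
    fields, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):   # escaped character, keep literally
            cur.append(cpe[i + 1]); i += 2; continue
        if ch == ":":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields

def parse_cpe(cpe: str) -> dict[str, str]:
    """Return the 11 named attributes of a CPE 2.3 formatted string."""
    fields = split_cpe(cpe)
    if fields[:2] != ["cpe", "2.3"] or len(fields) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, fields[2:]))

def _attr_matches(pattern: str, value: str) -> bool:
    # "*" (ANY) in the CVE configuration matches any artifact value;
    # otherwise the attributes must be equal (CPE names are case-insensitive).
    return pattern == "*" or pattern.lower() == value.lower()

def cpe_applies(vuln_cpe: str, artifact_cpe: str) -> bool:
    """True if the vulnerability's CPE pattern covers the artifact's CPE."""
    v, a = parse_cpe(vuln_cpe), parse_cpe(artifact_cpe)
    return all(_attr_matches(v[f], a[f]) for f in CPE_FIELDS)

# Constructed sample values (the CVE's real version range is not modelled here).
SQLITE_LIB_RANGE = "cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*"
JDBC_ARTIFACT = "cpe:2.3:a:sqlite_jdbc_project:sqlite_jdbc:3.36.0.3:*:*:*:*:*:*:*"
MISATTRIBUTED = "cpe:2.3:a:sqlite:sqlite:3.36.0.3:*:*:*:*:*:*:*"

def explain_discrepancy() -> dict[str, bool]:
    """Correct CPE: no match. Driver misattributed to the sqlite library: match."""
    return {
        "correct_cpe_matches": cpe_applies(SQLITE_LIB_RANGE, JDBC_ARTIFACT),
        "misattributed_cpe_matches": cpe_applies(SQLITE_LIB_RANGE, MISATTRIBUTED),
    }
```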
I have encountered an issue where other scanning tools can detect CVE-2023-7104, but dependencyCheck fails to identify it. Why does this discrepancy exist?
DependencyCheck: another nvd tool:
The scan command I am using is as follows.

```shell
/opt/dependency-check/bin/dependency-check.sh --project "sqlite-jdbc-3.36.0.3.jar" --scan "sqlite-jdbc-3.36.0.3.jar" --junitFailOnCVSS 7 --disableGolangDep --disableGolangMod --format ALL --nvdValidForHours 24 --nvdApiKey xxxxx --nvdDatafeed http://nvdmirror.xxxxx.com/nvdcve-{0}.json.gz --retireJsUrl http://maven.xxxxx.com/repository/tizi/Retirejs/jsrepository.json
```
How to address this issue within the dependencyCheck tool? Could anyone lend a hand?