Closed mischoem closed 3 weeks ago
The solution is to simply create a suppression file for your scans.

Hi @jeremylong,
Thanks for the quick response! Suppressing this one case might be a good workaround for us, but I (and my colleagues) can't believe that the behavior shown in the simple example above is the expected behavior of the tool.
When using a Lucene index: Could this issue be related to the standard tokenization in Lucene, which splits tokens at dashes, making it difficult for the search to differentiate between "liquibase core" and "foo liquibase core"?
This could get better for some analysis when we change to a different data source (see https://github.com/jeremylong/DependencyCheck/issues/6540). But for now - this is how it works.
If the matching was more strict in the lucene index - we would end up having false positives instead of false negatives.
wow, I just reread what I wrote and I flipped the false positives and negatives. If we used stricter matching in the lucene index there would be more false negatives.
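To make both points in this thread concrete (the suppression file suggested above, and the dash tokenization asked about), here is an added toy model; it is not DependencyCheck's own code and does not use Lucene. It tokenizes artifact evidence on dashes, shows why "foo-liquibase-core" satisfies a loose token match for the liquibase product while a strict equality match would also miss the real "liquibase-core", and then applies a suppression rule keyed on the packageUrl so only the wrapper's match is dropped. The group id `com.example`, the versions, and the CPE string `cpe:/a:liquibase:liquibase` are assumptions; take the real CPE from the identifiers in your report.

```python
"""
Added illustration (not DependencyCheck's own code): a toy model of why a
dash-tokenized evidence match flags "foo-liquibase-core" as liquibase, and how
a packageUrl-scoped suppression removes that one match without hiding the
real liquibase-core.
"""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the CPE index: product name -> CPE identifier.
# The liquibase CPE string is an assumption; check your report for the real one.
CPE_INDEX = {
    "liquibase": "cpe:/a:liquibase:liquibase",
    "jackson-databind": "cpe:/a:fasterxml:jackson-databind",
}

# Constructed sample dependencies: packageUrl -> artifactId.
DEPENDENCIES = {
    "pkg:maven/com.example/techbase-liquibase-core@1.2.0": "techbase-liquibase-core",
    "pkg:maven/org.liquibase/liquibase-core@4.20.0": "liquibase-core",
    "pkg:maven/com.example/a-client@1.0.0": "a-client",
}

# Constructed suppression file in the dependency-check suppression format.
# The packageUrl regex scopes the rule to the in-house wrapper only.
SUPPRESSION_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>techbase-liquibase-core is an in-house wrapper, not Liquibase itself</notes>
    <packageUrl regex="true">^pkg:maven/com\.example/techbase-liquibase-core@.*$</packageUrl>
    <cpe>cpe:/a:liquibase:liquibase</cpe>
  </suppress>
</suppressions>
"""
NS = "{https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd}"


def tokenize(text):
    """Lowercase and split on anything that is not a letter or digit,
    mimicking a standard tokenizer that breaks words at dashes."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}


def loose_matches(artifact_id):
    """A product matches when all of its tokens appear in the evidence:
    'foo-liquibase-core' -> {foo, liquibase, core} contains {liquibase}."""
    evidence = tokenize(artifact_id)
    return {cpe for product, cpe in CPE_INDEX.items()
            if tokenize(product) <= evidence}


def strict_matches(artifact_id):
    """Stricter alternative: evidence tokens must equal the product tokens.
    This drops the wrapper but also misses the real 'liquibase-core',
    i.e. it trades false positives for false negatives."""
    evidence = tokenize(artifact_id)
    return {cpe for product, cpe in CPE_INDEX.items()
            if tokenize(product) == evidence}


def load_suppressions(xml_text):
    """Parse <suppress> rules into (compiled packageUrl regex, cpe prefix) pairs."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iter(NS + "suppress"):
        purl = rule.find(NS + "packageUrl")
        cpe = rule.find(NS + "cpe")
        pattern = purl.text if purl.attrib.get("regex") == "true" else re.escape(purl.text)
        rules.append((re.compile(pattern), cpe.text))
    return rules


def scan(dependencies, rules):
    """Run the loose matcher over every dependency, then drop any CPE that a
    rule suppresses (packageUrl regex matches and CPE starts with the rule's prefix)."""
    findings = {}
    for purl, artifact_id in dependencies.items():
        kept = set()
        for cpe in loose_matches(artifact_id):
            suppressed = any(rx.match(purl) and cpe.startswith(rule_cpe)
                             for rx, rule_cpe in rules)
            if not suppressed:
                kept.add(cpe)
        findings[purl] = kept
    return findings


def demo():
    """Scan the constructed dependencies with the constructed suppression file."""
    return scan(DEPENDENCIES, load_suppressions(SUPPRESSION_XML))


if __name__ == "__main__":
    for purl, cpes in demo().items():
        print(purl, "->", sorted(cpes) or "no CPE match")
```

Running it shows the wrapper's liquibase match removed by the rule while `org.liquibase:liquibase-core` still matches, which is the outcome a suppression file should give; note that `strict_matches("liquibase-core")` returns nothing, illustrating the false negatives a stricter index match would introduce. To use a real file of this shape with dependency-check-maven, point the plugin's `suppressionFiles` configuration at it.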
Describe the bug
We wrote a convenient wrapper regarding liquibase. Because of our architectural requirements we have to call that artifact "techbase-liquibase-core", and we release it in a lower version than the "real" liquibase-core in its dependencies. The CVE check treats "our" version the same as the "real" liquibase-core and points out a CVE that does not exist. As you can see in the attached example, it seems that every dependency whose artifact name is similar to or contains the literal "liquibase-core" is treated as "liquibase-core".
Version of dependency-check used
Maven -> dependency-check-maven:10.0.3:aggregate
Log file
I added a small maven project, where you can recreate the behaviour easily. Just call "mvn verify" on the root project. It contains two modules in a Reactor: 1) foo-liquibase-core: contains a Dummy class, nothing to worry about and no dependencies 2) a-client: uses foo-liquibase-core as dependency
To Reproduce
Steps to reproduce the behavior:
Expected behavior
No CVE findings and no matching to the real "liquibase-core"
Additional context