Closed antonmos closed 5 months ago
Hi antonmos, thanks for the report.
I understand that false positives can be skipped locally and should be reported to DependencyCheck.
Did you visit the links?
Yes, I visited the links :).
The reason I opened this issue is that I suspected the solution is Clojure-specific. However, I looked closer at the report output and I suspect the CPE spec is wrong:
core.specs.alpha-0.2.44.jar cpe:2.3:a:clojure:clojure:0.2.44:*:*:*:*:*:*:* pkg:maven/org.clojure/core.specs.alpha@0.2.44 CRITICAL 1 Highest 17
spec.alpha-0.2.176.jar cpe:2.3:a:clojure:clojure:0.2.176:*:*:*:*:*:*:* pkg:maven/org.clojure/spec.alpha@0.2.176 CRITICAL 1 Highest 26
Found a relevant issue: https://github.com/jeremylong/DependencyCheck/issues/6438
Thanks!
Although it's unfortunate/ironic that nvd-clojure misdiagnoses something so closely related to Clojure, in the end we're a https://github.com/jeremylong/DependencyCheck wrapper, so all such bugs are on them.
(And similarly, they can only do so much when the specs/data from NVD are ambiguous. Ideally the NVD would simply use Maven coordinates instead of CPEs)
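The two report rows quoted above pair Maven coordinates (`org.clojure/core.specs.alpha`, `org.clojure/spec.alpha`) with a CPE whose product is `clojure`, which is the kind of mismatch the thread is about. The following is an added example, not code from nvd-clojure or DependencyCheck: it parses report rows of that shape, flags rows whose CPE product name does not resemble the Maven artifact id (a heuristic of my own, assumed here as a triage aid, not a rule either project applies), and renders the flagged rows as entries for a DependencyCheck suppression file, which is the local skip mechanism the maintainer refers to. The sample rows are constructed from the thread; the suppression XML uses the `packageUrl regex="true"` and `cpe` elements of the DependencyCheck 1.3 suppression schema.

```python
import re
from xml.sax.saxutils import escape

# Constructed sample input: the two report rows quoted in the thread above.
REPORT_ROWS = """\
core.specs.alpha-0.2.44.jar cpe:2.3:a:clojure:clojure:0.2.44:*:*:*:*:*:*:* pkg:maven/org.clojure/core.specs.alpha@0.2.44 CRITICAL 1 Highest 17
spec.alpha-0.2.176.jar cpe:2.3:a:clojure:clojure:0.2.176:*:*:*:*:*:*:* pkg:maven/org.clojure/spec.alpha@0.2.176 CRITICAL 1 Highest 26
"""

# Row layout as seen in the report: <file> <cpe 2.3 string> <package URL> ...
ROW_RE = re.compile(r"^(?P<file>\S+)\s+(?P<cpe>cpe:2\.3:\S+)\s+(?P<purl>pkg:maven/\S+)")
# Maven package URL: pkg:maven/<group>/<artifact>@<version>
PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@/]+)@(?P<version>[^?#]+)")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its leading named fields.

    Enough for the unescaped values in the report; escaped colons are not handled.
    """
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return {"part": parts[2], "vendor": parts[3], "product": parts[4], "version": parts[5]}


def parse_maven_purl(purl: str) -> dict:
    """Return group, artifact and version of a Maven package URL."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a Maven package URL: {purl}")
    return m.groupdict()


def _normalize(name: str) -> str:
    # Compare names case-insensitively and ignoring separators such as '.', '-', '_'.
    return re.sub(r"[^a-z0-9]", "", name.lower())


def suspicious_matches(report_text: str) -> list:
    """Flag rows whose CPE product name and Maven artifact id share no common stem.

    Heuristic (assumed here, not a DependencyCheck rule): a CPE product that is neither
    a substring of the artifact id nor vice versa deserves a manual look before the
    CRITICAL finding is trusted. 'clojure' vs 'core.specs.alpha' is flagged;
    'clojure' vs 'clojure' is not.
    """
    findings = []
    for line in report_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # skip header or unrelated lines
        cpe = parse_cpe23(m["cpe"])
        purl = parse_maven_purl(m["purl"])
        product, artifact = _normalize(cpe["product"]), _normalize(purl["artifact"])
        if product not in artifact and artifact not in product:
            findings.append({
                "file": m["file"], "cpe": m["cpe"], "purl": m["purl"],
                "vendor": cpe["vendor"], "product": cpe["product"],
                "group": purl["group"], "artifact": purl["artifact"],
            })
    return findings


def suppression_xml(findings: list) -> str:
    """Render one <suppress> entry per flagged row for a DependencyCheck suppression file.

    Each entry is scoped to the exact Maven coordinates (regex-escaped) and to the
    CPE vendor:product that was wrongly matched, so a genuinely matching CPE on the
    same artifact would still be reported.
    """
    entries = []
    for f in findings:
        purl_regex = rf"^pkg:maven/{re.escape(f['group'])}/{re.escape(f['artifact'])}@.*$"
        entries.append(
            "  <suppress>\n"
            f"    <notes><![CDATA[Reviewed: {f['artifact']} is not the {f['product']} CPE product]]></notes>\n"
            f"    <packageUrl regex=\"true\">{escape(purl_regex)}</packageUrl>\n"
            f"    <cpe>cpe:/a:{f['vendor']}:{f['product']}</cpe>\n"
            "  </suppress>"
        )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">\n'
        + "\n".join(entries)
        + "\n</suppressions>\n"
    )


if __name__ == "__main__":
    flagged = suspicious_matches(REPORT_ROWS)
    for f in flagged:
        print(f"review: {f['file']} matched {f['cpe']} but purl is {f['purl']}")
    print(suppression_xml(flagged))
```

Run it against the text report from a DependencyCheck run and review the printed XML before saving it as the suppression file: each entry should correspond to a match you have actually confirmed as a false positive, since the heuristic only points at candidates.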
Description
Given
Run nvd clojure:
Output:
Version
4.0.0
Java version
Installation compliance