signalapp / gradle-witness

A gradle plugin that enables static verification for remote dependencies.
MIT License
228 stars 60 forks

Witness incorrectly resolves dependency when older version is specified #29

Open duggulous opened 5 years ago

duggulous commented 5 years ago

Witness currently resolves the dependency file with the following code:

    // Matches on artifact name and group only; the declared version is never compared.
    ResolvedArtifact dependency = project.configurations.compile.resolvedConfiguration.resolvedArtifacts.find {
        return it.name.equals(name) && it.moduleVersion.id.group.equals(group)
    }

Because this only checks the group and name, and not version, this resolves the most recent version of that dependency in the cache. If you have more than one version in your cache and you are not using the newest one, you may be getting false negatives, because the plugin is not checking the file you are using.

This can also cause false positives if you calculate & record your checksum before adding a newer version of the dependency to your cache because Witness will compare the hash of the most recent version to the hash you recorded from the older version.
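The failure mode described in this issue, shown as an added Groovy example. This is not code from gradle-witness and it does not run inside Gradle: the ModuleId, ModuleVersion and Artifact classes are constructed stand-ins for Gradle's ResolvedArtifact and ModuleVersionIdentifier (same field shapes, no Gradle dependency), and the artifact coordinates and "jar" contents are made up. It records a checksum with the group-and-name lookup quoted above, tampers with the version the build actually uses, and shows that verification still passes, while a lookup that also compares the version rejects the tampered file.

```groovy
import java.security.MessageDigest

// Minimal stand-ins for Gradle's ResolvedArtifact and ModuleVersionIdentifier.
// Assumption: same field shapes as the real API (name, moduleVersion.id.group/version),
// but no Gradle dependency, so this runs with a plain `groovy` interpreter.
class ModuleId { String group; String name; String version }
class ModuleVersion { ModuleId id }
class Artifact {
    String name
    ModuleVersion moduleVersion
    byte[] bytes   // stands in for the contents of ResolvedArtifact.file
}

String sha256(byte[] data) {
    MessageDigest.getInstance('SHA-256').digest(data).encodeHex().toString()
}

Artifact artifact(String group, String name, String version, String contents) {
    new Artifact(name: name,
                 moduleVersion: new ModuleVersion(id: new ModuleId(group: group, name: name, version: version)),
                 bytes: contents.bytes)
}

// Lookup as quoted in the issue: matches on group and name only, so whichever
// matching artifact comes first in the resolved set wins, whatever its version.
Artifact findByGroupAndName(List<Artifact> artifacts, String group, String name) {
    artifacts.find { it.name == name && it.moduleVersion.id.group == group }
}

// Version-aware lookup: the artifact that gets hashed is the one the build pins.
Artifact findByCoordinates(List<Artifact> artifacts, String group, String name, String version) {
    artifacts.find {
        it.name == name && it.moduleVersion.id.group == group && it.moduleVersion.id.version == version
    }
}

// Constructed cache: two versions of the same module, newest listed first.
// The contents are placeholder strings standing in for jar bytes.
def cache = [
    artifact('com.example', 'lib', '2.0', 'contents of lib-2.0.jar'),
    artifact('com.example', 'lib', '1.0', 'contents of lib-1.0.jar'),
]
def pinnedVersion = '1.0'   // the version the build actually declares and uses

// Checksums recorded before any tampering, once with each lookup.
// The group+name lookup records 2.0's hash even though the build uses 1.0.
def recordedBuggy  = sha256(findByGroupAndName(cache, 'com.example', 'lib').bytes)
def recordedStrict = sha256(findByCoordinates(cache, 'com.example', 'lib', pinnedVersion).bytes)
assert recordedBuggy == sha256('contents of lib-2.0.jar'.bytes)
assert recordedStrict == sha256('contents of lib-1.0.jar'.bytes)

// The 1.0 jar in the cache is replaced (a constructed stand-in for a modified file).
cache[1].bytes = 'tampered lib-1.0.jar'.bytes

// Group+name verification still hashes 2.0 and passes: the file in use is never checked.
def buggyPasses = sha256(findByGroupAndName(cache, 'com.example', 'lib').bytes) == recordedBuggy
assert buggyPasses

// Version-aware verification hashes the pinned 1.0 artifact and rejects it.
def strictPasses = sha256(findByCoordinates(cache, 'com.example', 'lib', pinnedVersion).bytes) == recordedStrict
assert !strictPasses

println "group+name lookup verified: ${buggyPasses}; version-aware lookup verified: ${strictPasses}"
```

The same ordering effect produces the spurious failure in the second paragraph: once a newer version lands in the cache after the checksum was recorded, the group+name lookup hashes that newer file against the old record. Comparing the version in the lookup, as findByCoordinates does here, removes both problems, since the artifact being hashed is then always the one the build declares.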