I was running a comparison between WhiteSource and Dependency Check. I created a Microsoft Windows console app project which uses the nuget package System.Net.Security v.4.3.0 (see attached picture msNuget.jpg).
I then ran dependency check on the output catalogue and got the attached report, which shows no vulnerabilities. Unfortunately there is a vulnerability, CVE-2017-0249.
Can you help me as to why the vulnerability was not reported?
I set the copy local flag on the System.Net.Security reference so that the dll would be physically present in the output catalogue scanned (see attached picture nuget_output.jpg). Do we have to do this if we are using dependency check? Or can it pick up references like, say, DotPeek does? I also downloaded the nuget package 4.3.0 manually and checked the version of the dll against the file version in my output catalogue, just to double check I had the same dll.
To recreate the problem:
1. Create a new class library or console project in visual studio.
2. Under the project properties set the Target Framework to .Net Framework 4.6
3. Under the package manager console window install the vulnerable package
Install-Package System.Net.Security -Version 4.3.0
4. Under references select the System.Net.Security reference and set the copy local property to "true"
5. Build the project
6. Run the dependency check on the output catalogue, e.g.
dependency-check.bat --project "test" --scan "C:\DependTest\DependTest\bin\Debug"
Or alternatively download the solution from this onedrive link, build it and run the dependency check.
/shane
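A check that addresses the copy-local question in the issue above, added here as an example (it is not part of the issue or of dependency-check): it reads packages.config and reports which NuGet packages have no DLL in the build output directory that is handed to the scanner, so a "no vulnerabilities" result can be checked against what was actually on disk. The packages.config content and the output folder are constructed inline; mapping package id to DLL name is an assumed heuristic.

```python
"""Verify that NuGet packages from packages.config are present as DLLs in the scan directory."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample packages.config, of the kind written by
# "Install-Package System.Net.Security -Version 4.3.0" in an old-style project.
SAMPLE_PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="System.Net.Security" version="4.3.0" targetFramework="net46" />
  <package id="System.Security.Cryptography.X509Certificates" version="4.3.0" targetFramework="net46" />
</packages>
"""


def list_packages(packages_config_path):
    """Return a list of (id, version) tuples from a packages.config file."""
    root = ET.parse(packages_config_path).getroot()
    return [(p.get("id"), p.get("version")) for p in root.iter("package")]


def missing_in_output(packages, output_dir):
    """Return packages whose DLL is not physically present in output_dir.

    Assumed heuristic: the assembly file is "<package id>.dll". That holds for
    System.Net.Security but not for every package, so treat hits as leads.
    """
    present = {name.lower() for name in os.listdir(output_dir)}
    return [(pid, ver) for pid, ver in packages
            if (pid + ".dll").lower() not in present]


def demo():
    """Build a constructed bin\\Debug folder where only one of the two DLLs was copied."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "packages.config")
        with open(cfg, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PACKAGES_CONFIG)
        out = os.path.join(tmp, "bin", "Debug")
        os.makedirs(out)
        # Simulate Copy Local = true for one package only (empty placeholder file).
        open(os.path.join(out, "System.Net.Security.dll"), "wb").close()
        pkgs = list_packages(cfg)
        return pkgs, missing_in_output(pkgs, out)


if __name__ == "__main__":
    pkgs, missing = demo()
    for pid, ver in pkgs:
        print(f"{pid} {ver}: {'MISSING from scan dir' if (pid, ver) in missing else 'present'}")
```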