Hi,
I use the Dependency-Check Maven plugin with the aggregate goal in a Maven multi-module project.
I also use the Dependency-Check Jenkins plugin pointing to the project folder.
Both use the same Dependency-Check v1.3.6.
Both generate an HTML report, but with different results, because the Jenkins plugin scans files while the Maven plugin works from the information in the pom.xml files.
So they don't analyze the same group of files. Since Jenkins analyzes more files, I already expected to find more vulnerabilities using Jenkins.
But there are some vulnerable dependencies found using the Maven plugin that are not found using the Jenkins plugin.
Example:
Maven finds this vulnerable dependency:
Dependency                     CPE                              GAV                                          Highest Severity  CVE Count  CPE Confidence  Evidence Count
blazeds-common-3.2.0.3978.jar  cpe:/a:adobe:blazeds:3.2.0.3978  com.adobe.blazeds:blazeds-common:3.2.0.3978  High              2          LOW             14
And Jenkins does not show blazeds-common-3.2.0.3978.jar as a vulnerable dependency, although it can be found in the project folders.
How can this be possible? Thank you,
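A way to narrow down a discrepancy like the one in this post is to compare the two XML reports dependency by dependency instead of eyeballing the HTML. The script below is an added example, not code from the original post or from the Dependency-Check project. It parses two reports, matches dependencies by file name, and separates three causes of a mismatch: a jar only one run saw at all, a jar with the same name but a different SHA-1 (so the two tools did not scan the same file), and the same jar (same SHA-1) that only one run mapped to a CPE and therefore to any CVEs. The report namespace URI is assumed from the 1.3 schema (check the `xmlns` on the `<analysis>` root of your own reports), and both sample reports, including paths, hashes and the placement of the blazeds jar, are constructed for the example.

```python
# Added example: diff the <dependencies> of two Dependency-Check XML reports
# (for instance one from the Maven aggregate goal, one from the Jenkins plugin)
# to see why a jar is reported as vulnerable in one run and not the other.
import xml.etree.ElementTree as ET

# Namespace of the 1.3.x XML report; assumed here, verify against your reports.
NS = {"dc": "https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd"}

# Constructed sample reports, trimmed to the elements the comparison reads.
# File paths, SHA-1 values and the empty <vulnerability/> placeholders are made up.
MAVEN_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
 <dependencies>
  <dependency>
   <fileName>blazeds-common-3.2.0.3978.jar</fileName>
   <filePath>/home/ci/.m2/repository/com/adobe/blazeds/blazeds-common/3.2.0.3978/blazeds-common-3.2.0.3978.jar</filePath>
   <sha1>aaaa000000000000000000000000000000000001</sha1>
   <identifiers>
    <identifier type="cpe" confidence="LOW"><name>cpe:/a:adobe:blazeds:3.2.0.3978</name></identifier>
    <identifier type="maven" confidence="HIGHEST"><name>com.adobe.blazeds:blazeds-common:3.2.0.3978</name></identifier>
   </identifiers>
   <vulnerabilities><vulnerability/><vulnerability/></vulnerabilities>
  </dependency>
  <dependency>
   <fileName>shared-lib-1.0.jar</fileName>
   <filePath>/home/ci/.m2/repository/org/example/shared-lib/1.0/shared-lib-1.0.jar</filePath>
   <sha1>bbbb000000000000000000000000000000000001</sha1>
   <identifiers/><vulnerabilities/>
  </dependency>
 </dependencies>
</analysis>"""

JENKINS_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
 <dependencies>
  <dependency>
   <fileName>blazeds-common-3.2.0.3978.jar</fileName>
   <filePath>/var/lib/jenkins/workspace/app/web/WebContent/WEB-INF/lib/blazeds-common-3.2.0.3978.jar</filePath>
   <sha1>aaaa000000000000000000000000000000000001</sha1>
   <identifiers/><vulnerabilities/>
  </dependency>
  <dependency>
   <fileName>shared-lib-1.0.jar</fileName>
   <filePath>/var/lib/jenkins/workspace/app/lib/shared-lib-1.0.jar</filePath>
   <sha1>bbbb000000000000000000000000000000000002</sha1>
   <identifiers/><vulnerabilities/>
  </dependency>
  <dependency>
   <fileName>legacy-util-0.9.jar</fileName>
   <filePath>/var/lib/jenkins/workspace/app/tools/legacy-util-0.9.jar</filePath>
   <sha1>cccc000000000000000000000000000000000001</sha1>
   <identifiers/><vulnerabilities/>
  </dependency>
 </dependencies>
</analysis>"""


def parse_report(xml_text):
    """Map fileName -> {sha1, sorted CPE names, vulnerability count} for one report."""
    root = ET.fromstring(xml_text)
    deps = {}
    for dep in root.iterfind(".//dc:dependency", NS):
        name = dep.findtext("dc:fileName", default="", namespaces=NS)
        cpes = sorted(
            ident.findtext("dc:name", default="", namespaces=NS)
            for ident in dep.iterfind("dc:identifiers/dc:identifier", NS)
            if ident.get("type") == "cpe"
        )
        deps[name] = {
            "sha1": dep.findtext("dc:sha1", default="", namespaces=NS),
            "cpes": cpes,
            "vuln_count": len(dep.findall("dc:vulnerabilities/dc:vulnerability", NS)),
        }
    return deps


def compare_reports(left, right):
    """Classify every file name seen in either report by why the two runs disagree."""
    diff = {"only_left": [], "only_right": [], "different_file": [], "cpe_mismatch": []}
    for name in sorted(set(left) | set(right)):
        if name not in right:
            diff["only_left"].append(name)
        elif name not in left:
            diff["only_right"].append(name)
        elif left[name]["sha1"] != right[name]["sha1"]:
            # Same file name, different bytes: the two tools did not scan the same jar.
            diff["different_file"].append(name)
        elif left[name]["cpes"] != right[name]["cpes"]:
            # Same jar, but only one run identified a CPE for it (and so any CVEs).
            diff["cpe_mismatch"].append(name)
    return diff


if __name__ == "__main__":
    result = compare_reports(parse_report(MAVEN_REPORT), parse_report(JENKINS_REPORT))
    for category, names in result.items():
        print(f"{category}: {names}")
```

With real reports, replace the two constants with the contents of `dependency-check-report.xml` from each run. A jar in `cpe_mismatch` is the interesting case for this post: both runs saw the same file, so the difference lies in how it was identified, not in which files were scanned.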