false positive in case of same dependency coming from multiple places


Piyush Mittal

Aug 23, 2017, 11:35:02 AM
to Dependency Check
I am doing dependency management via Maven. In my root POM I have defined the latest secure version of dependency X to be used. Two of the dependencies, Y and Z, directly specified in my POM use dependency X, but a vulnerable version. ODC is reporting security vulnerabilities; however, I am not vulnerable, as I have defined in my parent POM that the latest version of X is to be used. The Maven dependency tree also shows the latest version of dependency X.
How do I suppress or remove this false positive? I am wondering if there is a way to make ODC work only on the Maven dependency tree output.

Jeremy Long

Aug 24, 2017, 6:10:25 AM
to Piyush Mittal, Dependency Check
Is there any chance you could provide a sample POM with this behavior? The ODC Maven plugin should be using the same dependency tree as Maven.

Also, if you are able to provide a sample pom.xml could you please open an issue on the github repo?

Best Regards,

Jeremy 

On Wed, Aug 23, 2017 at 11:35 AM, Piyush Mittal <piyus...@gmail.com> wrote:
I am doing dependency management via Maven. In my root POM I have defined the latest secure version of dependency X to be used. Two of the dependencies, Y and Z, directly specified in my POM use dependency X, but a vulnerable version. ODC is reporting security vulnerabilities; however, I am not vulnerable, as I have defined in my parent POM that the latest version of X is to be used. The Maven dependency tree also shows the latest version of dependency X.
How do I suppress or remove this false positive? I am wondering if there is a way to make ODC work only on the Maven dependency tree output.

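The set-up the thread describes, written out as a constructed example (this is not the poster's POM and not part of the Dependency Check project; the coordinates com.example:lib-x, lib-y and lib-z, the versions, and the property names are placeholders). The point Jeremy makes is that the ODC Maven plugin works from Maven's resolved dependency set, and in Maven a version declared in the parent's dependencyManagement takes precedence over the versions that transitive dependencies (here Y and Z) declare for X, so only the pinned version of X should end up on the classpath and in the scan.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example root POM. All com.example coordinates are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>app</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- The patched version of "X" that the whole build must use. -->
    <lib-x.version>2.0.0</lib-x.version>
    <!-- Placeholder: set to the current dependency-check-maven release. -->
    <dependency-check.version>REPLACE-WITH-CURRENT-RELEASE</dependency-check.version>
  </properties>

  <!-- dependencyManagement pins X for the whole tree. Maven applies a managed
       version to transitive dependencies as well, so the 1.0.0 that Y and Z
       declare is overridden and only lib-x 2.0.0 is resolved. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example</groupId>
        <artifactId>lib-x</artifactId>
        <version>${lib-x.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <!-- Y and Z are the direct dependencies; each declares lib-x 1.0.0 in its own POM. -->
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>lib-y</artifactId>
      <version>3.1.0</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>lib-z</artifactId>
      <version>1.4.2</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <configuration>
          <!-- Fail the build on high-severity findings (CVSS >= 7). -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- Suppression file for confirmed false positives (see the
               separate suppressions example); older plugin versions use a
               single <suppressionFile> element instead. -->
          <suppressionFiles>
            <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
          </suppressionFiles>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Before suppressing anything, check which version actually resolved and which file ODC flagged: `mvn dependency:tree -Dincludes=com.example:lib-x` should list only lib-x:2.0.0, and the ODC report names the scanned file (path and SHA-1) for every finding. If the report points at a jar other than the one Maven resolved, for example a copy bundled inside a shaded or WAR dependency, that is not a false positive and dependencyManagement cannot fix it.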

Piyush Mittal

Aug 31, 2017, 9:42:40 AM
to Dependency Check, piyus...@gmail.com
I will try to replicate the same with a test project so that I can share it with you.
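The suppression the original question asks about, as a constructed example and not a file from the thread or from the Dependency Check project. It assumes the placeholder coordinates com.example:lib-x from the POM example above; CVE-YYYY-NNNNN stands for whichever CVE the report listed and must be replaced. The schema URL is the published ODC suppression schema.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: dependency-check-suppressions.xml.
     com.example:lib-x and CVE-YYYY-NNNNN are placeholders. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- "until" makes the suppression expire, so a finding that is still
       reported after that date comes back for review instead of being
       silenced forever. -->
  <suppress until="2018-03-01Z">
    <notes><![CDATA[
      Y and Z declare com.example:lib-x:1.0.0, but the root POM's
      dependencyManagement pins lib-x to 2.0.0 and only 2.0.0 resolves
      (verified with mvn dependency:tree -Dincludes=com.example:lib-x).
      Reference the tracking ticket / upstream issue here.
    ]]></notes>
    <!-- Match on the Maven coordinates of the flagged artifact. Keep the
         pattern narrow: this suppresses one CVE for lib-x only, not every
         finding for lib-x and not this CVE for every artifact. -->
    <gav regex="true">^com\.example:lib-x:.*$</gav>
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>
</suppressions>
```

Suppressions should be the last resort here, used only after the resolved tree has been checked and preferably with an expiry and a ticket reference in the notes; if the plugin really does scan an artifact that Maven does not resolve, that is a bug report with a sample POM, as Jeremy asks for above, rather than something to suppress.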