Howdy,
re org.owasp:dependency-check-maven:3.0.2:check Maven plugin invocation...
My project has a layout like this:
- parent
  - module A
  - ...
  - assemblies
    - distro/assembly pulling in module A among other deps
The above invocation reports, per module:
- A: "all fine" (no vulns)
- distro: that module A is vulnerable
Remarks:
- A is obviously falsely identified (see below)
- due to the false identifications, A is reported as vulnerable
Proposal:
IMHO, the distro dependency A, which is an in-reactor module, should be left out of the analysis.
I have not created a reproducer, but I think one can easily craft one (as far as I can see, it depends very much on the module A, B and C names / artifactIds. Using a name like "elasticsearch" for A, with project version 1.0, should do it -> it causes module A in distro to be identified as "elasticsearch-1.0", and that IS vulnerable).
Here is example output (anonymized, the project is not open yet) from my project:
elasticsearch-1.0.0-SNAPSHOT.jar (cpe:/a:id:id-software:1.0.0, cpe:/a:elasticsearch:elasticsearch:1.0.0, XXXXX:elasticsearch:1.0.0-SNAPSHOT) : CVE-2014-3120, CVE-2015-1427, CVE-2015-5531, CVE-2014-6439, CVE-2015-3337
As far as I can see, due to the module name (artifactId) it matches the module with CPEs, and then finds problems. But IMHO, the (in-reactor) module should not be matched at all, as it is just being built as part of the reactor.
Am I missing something here?
Thanks,
Tamas
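As an added example (not part of Tamas's post and not a file from the dependency-check project): until in-reactor modules are excluded by the plugin itself, the usual way to silence exactly this kind of false positive is a dependency-check suppression file that pins the suppression to the in-reactor artifact's GAV and drops the mistaken CPEs, so the CVEs keyed off those CPEs disappear only for that artifact and not for a real Elasticsearch jar pulled in elsewhere. The groupId com.example is an assumption; the artifactId, version and the two CPE values are taken from the report line quoted above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original post. The groupId "com.example" is
     assumed; artifactId, version and CPEs come from the quoted report line. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: com.example:elasticsearch is an in-reactor module of this
      build, not the Elasticsearch server. Only its artifactId resembles the
      Elasticsearch CPE, and the "id-software" match is likewise an artifact of
      the module's name. Scoped by GAV so a real Elasticsearch dependency in the
      same build would still be reported.
    ]]></notes>
    <!-- regex on groupId:artifactId:version, so every reactor version is covered -->
    <gav regex="true">^com\.example:elasticsearch:.*$</gav>
    <!-- cpe values match as prefixes, so the version suffix is left off -->
    <cpe>cpe:/a:elasticsearch:elasticsearch</cpe>
    <cpe>cpe:/a:id:id-software</cpe>
  </suppress>
</suppressions>
```

Point the plugin at the file with its suppressionFile configuration parameter in the distro module's pom (the path is your choice) and re-run the check; the distro report should then list the module with the remaining, correct GAV identifier only. Suppressing by GAV plus CPE, rather than by CVE number, is the safer choice here, since the root cause is the identifier match and any future CVEs published against the same wrong CPE would otherwise reappear one by one.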