dependency check plugin results for OWASP benchmark


Arbi Sookazian

Jul 28, 2017, 2:32:30 PM
to Dependency Check
Hi,


Have there been any results reported on the dependency check maven plugin tool in terms of this benchmarking?  If yes, where can we view them?

Also, at one point I had found a list of vulnerability databases which was more extensive than the list here: https://danielmiessler.com/study/vulnerability-database-resources/#gs.NHURN4g

Is it possible that the dependency check maven plugin will potentially miss some if they are not in the NVD?

Thanks.

Jeremy Long

Jul 28, 2017, 11:35:37 PM
to Arbi Sookazian, Dependency Check
First, to my knowledge there are no benchmark tests for Software Composition Analysis tools. Might be something to talk to that project about.

Regarding vulnerability sources, currently dependency-check only uses the NVD. Most other vulnerability data sources are commercial and require licensing.

--Jeremy
