determining minimum version for a dependency cited in multiple CVEs after running analysis


Arbi Sookazian

Aug 16, 2017, 1:46:29 PM
to Dependency Check
Hello,

We created a custom goal we have for a custom Maven mojo which creates an xlsx from the dependency-check-report.xml output, etc. I am going through a custom xlsx that we create as a result of dependency-check:aggregate execution on our master project.

If we need to determine the minimum version of Apache HTTP server (httpd), or some other dependency/artifact which was analyzed and which was referenced in multiple CVEs from different years, with different version ranges cited in the CVEs as being problematic, how will we best determine which minimum version of that dependency we should use in our project(s) that will resolve all the CVEs in which that dependency is cited? Currently it seems it must be a manual process, correct?

Jeremy Long

Aug 19, 2017, 5:00:30 PM
to Arbi Sookazian, Dependency Check
Note, in 2.1.0 there is a CSV report. While not completed yet, take a look at how you can get the available version numbers from Maven: https://github.com/jeremylong/DependencyCheck/commit/d06d561a55fbf309395f176ca18d547afddd7acf

The plan will be to eventually bump that list up against the vulnerable versions in the database and provide a list of possible upgrades.  This will likely only be available in Maven and Gradle when the feature is complete.

--Jeremy

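A worked example of the cross-referencing step Jeremy describes (and the manual process Arbi asks about), added here and not part of the thread or of dependency-check's own code: given the versions available from Maven and the vulnerable range each CVE cites, it finds the lowest available version outside every range and lists which CVEs still block a candidate. The CVE ids, ranges and version list are constructed placeholders; the bounds follow the NVD-style start/end including/excluding fields, and only plain numeric dotted versions are handled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    # Assumption: plain dotted numeric versions (e.g. "2.4.27"), no qualifiers.
    return tuple(int(part) for part in text.split("."))

@dataclass(frozen=True)
class VulnRange:
    """One CVE's vulnerable range, using NVD CPE-match style bounds
    (versionStart/End Including/Excluding); None means unbounded."""
    cve: str
    start_incl: Optional[str] = None
    start_excl: Optional[str] = None
    end_incl: Optional[str] = None
    end_excl: Optional[str] = None

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if self.start_incl and v < parse_version(self.start_incl):
            return False
        if self.start_excl and v <= parse_version(self.start_excl):
            return False
        if self.end_incl and v > parse_version(self.end_incl):
            return False
        if self.end_excl and v >= parse_version(self.end_excl):
            return False
        return True

def blocking_cves(version: str, ranges: List[VulnRange]) -> List[str]:
    """CVEs whose vulnerable range still covers this version."""
    return [r.cve for r in ranges if r.contains(version)]

def min_safe_version(available: List[str], ranges: List[VulnRange]) -> Optional[str]:
    """Lowest available version outside every CVE's range, or None if none qualifies."""
    for version in sorted(available, key=parse_version):
        if not blocking_cves(version, ranges):
            return version
    return None

# Constructed sample data: placeholder CVE ids and ranges, not real advisories.
AVAILABLE = ["2.4.29", "2.4.23", "2.4.25", "2.4.26", "2.4.27", "2.4.28"]
RANGES = [
    VulnRange("CVE-0000-0001", end_excl="2.4.26"),
    VulnRange("CVE-0000-0002", start_incl="2.4.17", end_incl="2.4.27"),
    VulnRange("CVE-0000-0003", end_excl="2.4.10"),
]

if __name__ == "__main__":
    print(min_safe_version(AVAILABLE, RANGES))  # 2.4.28
    print(blocking_cves("2.4.26", RANGES))      # ['CVE-0000-0002']
```

Note that 2.4.26 clears the first CVE yet is still blocked by the second, which is exactly the case a per-CVE reading of the report misses.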
