Hello All,
We've been working for a while to get the OWASP dependency check plugin to work with the Quarkus [1] project dependencies, as part of the issue [2].
Most of the Quarkus tags, as well as the other Quarkus IO [3] libraries (quarkus-security, quarkus-http, gizmo), have been registered as NVD CPE entries [4].
Our committer Loïc Mathieu has been verifying how the OWASP plugin works. Initially we were getting false positives when the main Quarkus tags were not registered in NVD. That specific problem has been resolved once we registered the main tag, for example,
etc.
Note the CPE product qualifier is `quarkus`.
Next, Loïc has reported that the plugin reports the false positives against the other QuarkusIO libraries such as `quarkus-security` which the main Quarkus project depends upon.
So we followed with registering `quarkus:quarkus-security`, `quarkus:quarkus-http` and `quarkus:gizmo` (product qualifier is still `quarkus`).
However, it did not resolve the problem and, as you can see from the comments at [5],
`quarkus:quarkus-security` is ignored and the false positive against `quarkus-security` is still reported, as the plugin assumes that `quarkus:quarkus` is the closest match.
I've tried to fix this problem by having a different product qualifier registered for `quarkus-security`/etc., replacing `quarkus:quarkus-security` with `quarkus-security:quarkus-security`, etc. - but the CPE team did not accept this update; they believe `quarkus` is the correct product qualifier (for all the projects at QuarkusIO).
I believe the users can register the exception rules to avoid the plugin reporting the false positives against, in our case, `quarkus-security` (and other QuarkusIO libraries the main Quarkus project depends upon).
However, ideally, we'd like it just to work for our users.
Could you please recommend what can be done for the plugin to avoid matching `quarkus:quarkus-security` against `quarkus:quarkus`, etc.?
Thanks, Sergey
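An added example of the exception rule mentioned above (not from the mail or the Quarkus project): a dependency-check suppression file that stops the `quarkus:quarkus` CPE from being applied to the `quarkus-security` artifact, so findings for that CPE are no longer reported against it. The Maven coordinates `io.quarkus.security:quarkus-security` and the file name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- suppressions.xml (assumed file name), passed to dependency-check via suppressionFile -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      quarkus-security is a separate QuarkusIO library; the main quarkus:quarkus CPE
      is a false positive match for it. Suppress only that CPE, only for this artifact.
    ]]></notes>
    <!-- Maven coordinates are an assumption; match any version of the artifact -->
    <packageUrl regex="true">^pkg:maven/io\.quarkus\.security/quarkus\-security@.*$</packageUrl>
    <!-- CPE identifier being wrongly attached to the artifact -->
    <cpe>cpe:/a:quarkus:quarkus</cpe>
  </suppress>
</suppressions>
```

Because the rule is scoped to one package URL and one CPE, a vulnerability that is later published under a different, correctly matched CPE for the same artifact would still be reported.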