Zach,
For some reason,
CVE-2017-7525 and
CVE-2017-15095 are currently not available in the NVD. If the vulnerability is not in the NVD data feed it will not be reported on. I just used the dependency-check-maven plugin with the following dependency and CVE-2017-17486 was identified:
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.8.3</version>
</dependency>
How are you using dependency-check? Command line, Jenkins pliugin, ant task, maven plugin, gradle plugin, sbt plugin, or lein plugin? In addition, which version number of dependency-check are you using?
--Jeremy