Hi,
We are using junit 4.12 in our Java code and the dependency-check-maven plugin in our CI, so I was wondering why it wasn't reported.
For testing purposes I added the following dependencies in our 'pom.xml' file:
<dependency>
    <groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId>
    <version>19.0</version>
</dependency>
<dependency>
    <groupId>junit</groupId>
    <artifactId>junit</artifactId>
    <version>4.12</version>
</dependency>
I executed the plugin directly from maven by executing:
mvn org.owasp:dependency-check-maven:6.0.3:check
In the console output and in 'dependency-check-report.html' the CVE on the guava version is reported:
guava-19.0.jar (pkg:maven/com.google.guava/guava@19.0, cpe:2.3:a:google:guava:19.0:*:*:*:*:*:*:*) : CVE-2018-10237
But the dependency on junit 4.12 is not reported anywhere.
I opened up the local NVD database and found an entry for the junit CVE so I'm missing why there's nothing reported for junit 4.12.
Can someone tell me why it's not being reported?
Kind regards
Marco
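As an added illustration (not part of Marco's post or the dependency-check project's own files), this is a minimal 'pom.xml' that binds the same plugin version into the build instead of invoking it by coordinates on the command line, with the two test dependencies from the post and the plugin parameters a reviewer would typically check when a dependency seems to be missing from the report. The parameter names are real dependency-check-maven options; 'failBuildOnCVSS' fails the build above the given CVSS score, 'format' selects the report output, and 'skipTestScope' decides whether test-scoped artifacts are analysed at all (it defaults to true, so a test-scoped artifact is skipped unless it is set to false). The groupId 'com.example' and the artifactId are placeholders.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
    <modelVersion>4.0.0</modelVersion>
    <!-- placeholder coordinates for the example project -->
    <groupId>com.example</groupId>
    <artifactId>depcheck-example</artifactId>
    <version>1.0-SNAPSHOT</version>

    <dependencies>
        <!-- the two dependencies from the post; note that no <scope> is given,
             so both are compile scope and are analysed regardless of skipTestScope -->
        <dependency>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
            <version>19.0</version>
        </dependency>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.12</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>6.0.3</version>
                <configuration>
                    <!-- fail the CI build if any finding has CVSS >= 7 -->
                    <failBuildOnCVSS>7</failBuildOnCVSS>
                    <!-- write HTML, XML, JSON, ... so the findings can be parsed later -->
                    <format>ALL</format>
                    <!-- default is true: test-scoped artifacts are not analysed -->
                    <skipTestScope>false</skipTestScope>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>
```

With this in place, 'mvn verify' runs the same 'check' goal the post invokes by hand, and the generated 'dependency-check-report.html' in 'target/' can be compared with the console output.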