Describe the bug
Looking under the evidence section in the report would show versions added through hints before version 8.4.0 of dependency-check. Using the Maven plugin (haven't tested with others, so they might be affected too).
I don't know if the issue is just in the report and if the added version is considered correctly when scanning or not.
Version of dependency-check used
The problem occurs using version 8.4.0 of the maven plugin
Log file
When reporting errors, 99% of the time log file output is required. Please post the log file as a gist and provide a link in the new issue.
To Reproduce
Steps to reproduce the behavior:
Can be reproduced with the following pom, running mvn dependency-check:check:
hibernate-validator has a version added from the default hints, but it doesn't show up in the report. Running the same pom but with version 8.3.1 instead shows the version under evidence in the report.
Expected behavior
The report should show the added version under evidence.
Additional context
I assume that this is related to #5812 and #5818
Unanticipated side-effect of that change indeed. For this specific case it is not harmful. The original inclusion of this hint was a hack targeted at resolving a false negative (#534) that is nowadays cleanly resolved, ever since NVD switched to the JSON data feed, which allowed dependencyCheck to properly link the CVE independent of the version hint. Both 8.3.1 and 8.4.0 report CVE-2014-3558, the earlier false negative that was the original purpose of the version 5.0 hint.
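To verify the reporter's observation on the report side (whether hint-added version evidence is present or missing), the check below diffs the version evidence of two dependency-check XML reports. It is an added example, not code from the dependency-check project; the element layout it assumes (dependency / evidenceCollected / evidence[@type] with source, name and value children) mirrors the XML report format as I know it, and the two sample reports are constructed inline to stand in for the 8.3.1 and 8.4.0 outputs.

```python
"""Diff version evidence between two dependency-check XML reports (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample standing in for the 8.3.1 report: the hint-added "5.0" is present.
REPORT_OLD = """<analysis xmlns="urn:example:dependency-check-report">
  <dependencies><dependency>
    <fileName>hibernate-validator.jar</fileName>
    <evidenceCollected>
      <evidence type="version"><source>pom</source><name>version</name><value>5.0.0.Final</value></evidence>
      <evidence type="version"><source>hint analyzer</source><name>version</name><value>5.0</value></evidence>
    </evidenceCollected>
  </dependency></dependencies>
</analysis>"""

# Constructed sample standing in for the 8.4.0 report: the hint-added version is gone.
REPORT_NEW = REPORT_OLD.replace(
    '<evidence type="version"><source>hint analyzer</source><name>version</name><value>5.0</value></evidence>', "")


def _local(tag: str) -> str:
    """Strip the XML namespace so the code works whether or not the report is namespaced."""
    return tag.rsplit("}", 1)[-1]


def version_evidence(report_xml: str) -> dict[str, set[tuple[str, str]]]:
    """Map each dependency's fileName to its set of (source, value) version evidence."""
    root = ET.fromstring(report_xml)
    result: dict[str, set[tuple[str, str]]] = {}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        name = next((c.text or "" for c in dep if _local(c.tag) == "fileName"), "")
        pairs: set[tuple[str, str]] = set()
        for ev in dep.iter():
            if _local(ev.tag) == "evidence" and ev.get("type") == "version":
                fields = {_local(c.tag): (c.text or "") for c in ev}
                pairs.add((fields.get("source", ""), fields.get("value", "")))
        result[name] = pairs
    return result


def missing_version_evidence(old_xml: str, new_xml: str) -> dict[str, set[tuple[str, str]]]:
    """Version evidence present in the old report but absent from the new one, per dependency."""
    old, new = version_evidence(old_xml), version_evidence(new_xml)
    diff = {name: pairs - new.get(name, set()) for name, pairs in old.items()}
    return {name: pairs for name, pairs in diff.items() if pairs}


if __name__ == "__main__":
    for dep_name, lost in missing_version_evidence(REPORT_OLD, REPORT_NEW).items():
        print(dep_name, "lost version evidence:", sorted(lost))
```

Point the two constants at real reports written by the two plugin versions (one run each) to see which dependencies lost evidence from the hint analyzer.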