
core.async false positive #27

Closed
seancorfield opened this issue Dec 3, 2022 · 3 comments

Comments

@seancorfield
Contributor

See jeremylong/DependencyCheck#4384 (comment) for background.

I thought clj-watson wrapped that library and therefore false positive fixes there would automatically apply to clj-watson, but I see core.async flagged as a FP with the latest clj-watson so I'm wondering what the actual wrapping is and why FP fixes wouldn't apply?

I can (and have) easily applied a suppression locally for my clj-watson config but feel like I shouldn't need to?

@seancorfield
Contributor Author

seancorfield commented Dec 4, 2022

I added org.owasp/dependency-check-core {:mvn/version "RELEASE"} to my :watson alias to override the version used -- which pulled 7.4.0 from Maven (not 7.3.2 which I was expecting) -- and that got rid of both FPs I had suppressions for.

Perhaps worth a new release with all the deps updated?

Or suggest in the README that folks should add that dependency to always get the latest version? ("RELEASE" is unsupported so maybe link to https://search.maven.org/artifact/org.owasp/dependency-check-core so folks can find the most recent version to use?).

@mthbernardes
Contributor

Hi @seancorfield thx for the issue, sorry for the late answer, but I released a new version of clj-watson 😄

@seancorfield
Contributor Author

Thanks. I'll update our build.clj at work to use that -- but I'll probably continue to override the o.owasp.d-c-c dep with "RELEASE" so that we continue to automatically get the very latest of that without needing clj-watson to be updated. At least until it breaks...
