DependencyCheck does not find some vulnerabilities for composer.lock file scan #1387
Comments
Thank you for the bug report. I will try and look at this one soon.
@jeremylong Any updates on this?
This feature is useless.
In this example, I detect several problems:
I opened an issue on the Drupal side:
@obriat CVE-2022-24894 is still awaiting analysis at the NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-24894 ODC wouldn't report on this until the vulnerability is in a published state.
ODC will identify the vulnerabilities in yii2 if the OSS Index Analyzer is enabled.
jeremylong/DependencyCheck#1387 suggests there are false positives reported by dependency check
Reporting Bugs/Errors
I scan my project for vulnerable composer dependencies with DependencyCheck (Jenkins plugin or CLI version) and some vulnerabilities are not detected.
Example
For example, I use yii2 (2.0.12). It has vulnerabilities:
CVE-2018-7269, CVE-2018-6009, CVE-2018-6010.
But I see in the report "Vulnerable Dependencies: 0"
All databases are updated:
NVD CVE 2018: 18/07/2018 17:13:51
NVD CVE Checked: 18/07/2018 17:15:33
NVD CVE Modified: 18/07/2018 16:00:56
VersionCheckOn: 1531934133930
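The maintainer's reply above says the yii2 CVEs are found once the OSS Index Analyzer is enabled. OSS Index matches components by Package URL (pkg:composer/vendor/name@version) rather than by the NVD CPE names that the core analyzer has to guess from a composer.lock entry, which is why a package can be missed by one path and caught by the other. The script below is an added example, not code from DependencyCheck or from the reporter: it builds the composer purls from a composer.lock and reads a component report in the shape of the Sonatype OSS Index v3 API (POST https://ossindex.sonatype.org/api/v3/component-report with a JSON body {"coordinates": [...]}). The lock file and the API response are constructed inline so it runs offline; the response only reuses the CVE identifiers already named in this issue.

```python
"""Build OSS Index coordinates from a composer.lock and read a component report.

Added example; the composer.lock fragment and the API response below are
constructed, not captured. Request/response shape follows the public OSS Index
v3 component-report API (one request may carry at most 128 coordinates).
"""
import json

# Constructed composer.lock fragment. yii2 2.0.12 is the version from the issue.
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "yiisoft/yii2", "version": "2.0.12"},
        {"name": "symfony/http-kernel", "version": "v5.4.20"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.5.0"},
    ],
})

OSS_INDEX_MAX_COORDINATES = 128


def purls_from_composer_lock(lock_text, include_dev=True):
    """Return one Package URL per locked package.

    Composer records tagged releases with a leading 'v' (e.g. v5.4.20); the
    purl carries the bare version, so the prefix is stripped (assumption: no
    composer package uses a version that legitimately starts with 'v').
    """
    lock = json.loads(lock_text)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    purls = []
    for section in sections:
        for pkg in lock.get(section, []):
            version = pkg["version"]
            if version.startswith("v"):
                version = version[1:]
            purls.append(f"pkg:composer/{pkg['name']}@{version}")
    return purls


def component_report_requests(purls):
    """Split coordinates into request bodies that respect the 128-item limit."""
    return [
        {"coordinates": purls[i:i + OSS_INDEX_MAX_COORDINATES]}
        for i in range(0, len(purls), OSS_INDEX_MAX_COORDINATES)
    ]


# Constructed component-report response: one entry per requested coordinate.
# Only 'coordinates', 'cve' and 'id' are used here; real responses carry more
# fields (title, cvssScore, reference). The 'id' values are placeholders.
SAMPLE_RESPONSE = [
    {
        "coordinates": "pkg:composer/yiisoft/yii2@2.0.12",
        "vulnerabilities": [
            {"id": "constructed-1", "cve": "CVE-2018-7269"},
            {"id": "constructed-2", "cve": "CVE-2018-6009"},
            {"id": "constructed-3", "cve": "CVE-2018-6010"},
        ],
    },
    {"coordinates": "pkg:composer/symfony/http-kernel@5.4.20", "vulnerabilities": []},
    {"coordinates": "pkg:composer/phpunit/phpunit@9.5.0", "vulnerabilities": []},
]


def vulnerable_components(report):
    """Map each coordinate with findings to its sorted CVE ids.

    OSS Index entries without a CVE fall back to the OSS Index id, so an
    advisory that the NVD has not published yet is still reported.
    """
    findings = {}
    for component in report:
        ids = sorted(
            v.get("cve") or v["id"] for v in component.get("vulnerabilities", [])
        )
        if ids:
            findings[component["coordinates"]] = ids
    return findings


if __name__ == "__main__":
    purls = purls_from_composer_lock(COMPOSER_LOCK)
    for body in component_report_requests(purls):
        print("POST /api/v3/component-report", json.dumps(body))
    for coord, cves in vulnerable_components(SAMPLE_RESPONSE).items():
        print(coord, "->", ", ".join(cves))
```

Comparing the purls this emits against the coordinates in the ODC report is a quick way to confirm that the Composer lock analyzer actually produced a dependency entry for the package and that the OSS Index Analyzer was consulted for it; a package that never appears as a coordinate cannot be matched regardless of which database is current.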