Josef Reichardt

Reputation: 4296

OWASP Dependency Check determines wrong artifacts

I'm using the Maven Plugin of the OWASP Dependency Check in a multimodule project.

There is a Module with the artifactId "links" and another (I will call it "war") module with a dependency on this module. Both have the groupId "de.mygroup".

When I now run mvn dependency-check-maven:check I get the following warning:

links-5.0.0-SNAPSHOT.jar (cpe:/a:hot_links:hot_links:5.0.0, cpe:/a:links:links:5.0.0, de.mygroup:links:5.0.0-SNAPSHOT) : CVE-2006-7086

As I understood this warning, this is a false positive because the dependency check only looks for the artifactId regardless of the groupId. Is this correct?

Is there anything I can do to tell the plugin which one I'm using? But I think it should determine this automatically.

I've looked inside the source code of the maven plugin and in BaseDependencyCheckMojo.java:652 I've found dependencyNode.getArtifact().getId(). But this should return the fully qualified coordinates of the artifacts. So I don't understand why it found multiple "candidates" which it then uses to search for vulnerabilities.

Any suggestions?

EDIT: I've just tested with the current master from GitHub because I've seen that there are some changes in the determination of the dependencies. The warning above is gone now. But I have a third module with the artifactId "indesign" (and the groupId "de.mygroup") and for this I get this warning:

indesign-5.0.0-SNAPSHOT.jar (cpe:/a:adobe:indesign:5.0.0, de.mygroup:indesign:5.0.0-SNAPSHOT) : CVE-2006-0525

I think this is the same problem but I don't understand why the first warning is gone and the second one is still there.

Upvotes: 1

Views: 1348
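The behaviour described in the question comes from the way Dependency Check identifies a jar: the CPE analyzer collects vendor and product evidence from the file name, the manifest and the embedded pom (the artifactId among it) and matches that evidence against the NVD's CPE dictionary, so an in-house artifactId of "indesign" is enough to match the product "indesign" even though the groupId "de.mygroup" has nothing to do with Adobe. The accepted way to tell the plugin that a match is wrong is a suppression file. The following is an added example, not code from the question, the answer or the project; the file name dependency-check-suppressions.xml and the decision to suppress by CPE rather than by individual CVE are assumptions, while the GAV coordinates and CPEs are the ones printed in the warnings above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: dependency-check-suppressions.xml in the project root.
     Each <suppress> is scoped by <gav> to one in-house module, so a genuinely
     vulnerable third-party jar with a similar name is still reported. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <!-- The in-house module de.mygroup:indesign is not Adobe InDesign.
       Suppressing the CPE (instead of just CVE-2006-0525) also covers any
       further CVEs filed against that product, but only for this GAV. -->
  <suppress>
    <notes><![CDATA[
      False positive: the "indesign" artifactId matched the Adobe InDesign
      product name; the module is internal code, not the Adobe product.
    ]]></notes>
    <gav regex="true">^de\.mygroup:indesign:.*$</gav>
    <cpe>cpe:/a:adobe:indesign</cpe>
  </suppress>

  <!-- Same pattern for de.mygroup:links, for plugin versions that still
       report the hot_links and links CPEs from the first warning. -->
  <suppress>
    <notes><![CDATA[
      False positive: the "links" artifactId matched unrelated products.
    ]]></notes>
    <gav regex="true">^de\.mygroup:links:.*$</gav>
    <cpe>cpe:/a:hot_links:hot_links</cpe>
    <cpe>cpe:/a:links:links</cpe>
  </suppress>

</suppressions>
```

The file is wired into the Maven plugin through its suppressionFile configuration parameter (a suppressionFiles list exists in later plugin versions), for example `<configuration><suppressionFile>dependency-check-suppressions.xml</suppressionFile></configuration>` inside the plugin declaration in the parent pom, so every module of the multimodule build applies the same suppressions. Keeping each entry narrow, one GAV plus the specific CPE, and recording the reason in the notes element is what makes the suppression reviewable later; a regex such as `.*` in the gav element or a bare cve element without a gav would silence the finding for every artifact in the build.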

Answers (1)

user1995422

Reputation: 218

This question was answered on the project's GitHub issues list (see issue #550).

Upvotes: 1
