Stephan

Reputation: 736

OWASP dependency-check maven vs command line not same results

On a Maven project, I am running both the OWASP dependency-check-maven plugin as well as the OWASP command line tool in order to generate a report with dependencies having vulnerabilities.

What I cannot understand is how those two tools operate. In detail, I noticed that the Maven plugin (dependency-check-maven) reports 45 vulnerable dependencies, while the command line tool reports 34.

For example, the Maven plugin reports the undertow-core-1.2.9.Final.jar (which is provided by the undertow-servlet dependency) as having a critical vulnerability, while with the command line check, this dependency does not appear at all in the list. I am running the command line tool with the following command:

dependency-check --project "myProject" --scan "C:\path\myProject" --disableRetireJS

Could it be that the command line tool scans for existing jar files in the projects directory while the Maven plugin goes through the defined dependency in the pom.xml?

Upvotes: 6

Views: 2220

Answers (1)

Jhack

Reputation: 508

From https://github.com/jeremylong/DependencyCheck/issues/3729, the author of the plugin says:

"The report from the Maven plugin is likely the most accurate. With the CLI it is only scanning the build artifacts."

So, when you use the dependency-check-maven plugin the pom.xml is used, while using the CLI only what is found in the target(s) is checked.

Upvotes: 4
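To see exactly which jars account for a count mismatch like the 45 vs 34 above, the two JSON reports (for the CLI, produced with its --format JSON option) can be diffed. This is an added example, not code from the question, the answer or the DependencyCheck project; the report keys (dependencies, fileName, vulnerabilities, name) are assumed from the dependency-check JSON report layout, and both report excerpts below are constructed.

```python
import json

# Constructed excerpts of two dependency-check JSON reports (not real scan
# output): one from the Maven plugin, one from the CLI run on the same project.
# Assumed report keys: "dependencies", "fileName", "vulnerabilities", "name".
# A dependency with no findings simply has no "vulnerabilities" key.
MAVEN_REPORT = json.dumps({"dependencies": [
    {"fileName": "undertow-core-1.2.9.Final.jar",
     "vulnerabilities": [{"name": "CVE-PLACEHOLDER-1", "severity": "CRITICAL"}]},
    {"fileName": "undertow-servlet-1.2.9.Final.jar"},
    {"fileName": "example-lib-1.0.jar",
     "vulnerabilities": [{"name": "CVE-PLACEHOLDER-2", "severity": "HIGH"}]},
]})
CLI_REPORT = json.dumps({"dependencies": [
    {"fileName": "undertow-servlet-1.2.9.Final.jar"},
    {"fileName": "example-lib-1.0.jar",
     "vulnerabilities": [{"name": "CVE-PLACEHOLDER-2", "severity": "HIGH"}]},
]})


def vulnerable_deps(report_json):
    """Map fileName -> sorted vulnerability ids for dependencies with findings."""
    result = {}
    for dep in json.loads(report_json).get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []   # clean jars: key absent
        if vulns:
            result[dep["fileName"]] = sorted(v["name"] for v in vulns)
    return result


def diff_reports(maven_json, cli_json):
    """Explain a count mismatch (e.g. 45 vs 34) by naming the jars that differ."""
    maven, cli = vulnerable_deps(maven_json), vulnerable_deps(cli_json)
    return {
        "maven_count": len(maven),
        "cli_count": len(cli),
        # Jars the CLI never saw, typically transitive deps resolved only via the pom
        "only_in_maven": sorted(set(maven) - set(cli)),
        "only_in_cli": sorted(set(cli) - set(maven)),
    }


if __name__ == "__main__":
    for key, value in diff_reports(MAVEN_REPORT, CLI_REPORT).items():
        print(f"{key}: {value}")
```

Point the two constants at the real report files from each run and the only_in_maven list names the jars (here the transitive undertow-core) that the CLI's directory scan never picked up.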
