Issue
I have a build.gradle
file with the following plugins and dependencies
plugins {
...
id 'org.owasp.dependencycheck' version '7.3.0',
...
}
ext {
...
okHttpVersion = '4.9.3'
...
}
repositories {
mavenCentral()
}
dependencies {
implementation(
...
//misc
'org.testcontainers:junit-jupiter:1.16.3',
'org.everit.json:org.everit.json.schema:1.5.1',
'com.github.therapi:therapi-runtime-javadoc:0.13.0',
'org.apache.commons:commons-text:1.9.0', //this is the vulnerability
"com.squareup.okhttp3:okhttp:$okHttpVersion",
"com.squareup.okhttp3:mockwebserver:$okHttpVersion",
...
)
...
}
When I run ./gradlew dependencyCheckAnalyze
in the report I cannot see the anything about 'org.apache.commons:commons-text:1.9.0'
I have tried to execute ./gradlew dependencyCheckPurge
then ./gradlew dependencyCheckUpadte
followd by ./gradlew dependencyCheckAnalyze
, however the report outputs are same
Solution
For some reason the plugin did not recognise MAJOR.MINOR.PATCH pattern, rather MAJOR.MINOR. Therefore 1.9.0
was not visible
On top of it in maven repository there are no 1.9.0
anymore
Putting 1.9
fixed the report results
However I reckon it is plugin issue
UPDATED 07.11.2022
:
1.9.0
never existed
Answered By - talgat-aitchanov
Answer Checked By - Marie Seifert (JavaFixing Admin)