Dependencycheck: ACC 3.2.1's output is not sufficient

Created on 29 Oct 2019 · 8 comments · Source: jeremylong/DependencyCheck

Hi,

is there no specific CVE for Apache commons collection 3.2.1?

I only get CVE-2015-6420 (reads like Cisco only) and CVE-2017-15708 (reads like Apache Synapse). I also wasn't able to find anything else except CVE-2015-7501, which sounds like JBoss / Oracle only.

This can indicate to the user that there's no problem using this library which sounds like a bug to me.

Wouldn't it make sense for this renowned vulnerability at least to add something which doesn't come from the feed?

Thanks, Dirk

PS: Dependency-Check Core version 5.2.3-SNAPSHOT

Label: question

All 8 comments

You will need to ask either the Apache project, as a maintainer of ACC, or NIST as the maintainer of the CVE list.

see also https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=commons+collections&search_type=all

Why should I? As said, the perception of the user matters, and I am a user of this tool and it doesn't show me anything related which seems dangerous.

PS: yes, I read the Apache blog.

All dependency-check attempts to do is link the identified dependencies to the data from the NVD. We are 100% reliant on the data provided by 3rd parties regarding vulnerability information. If you don't find the data valuable then please work with the NVD to improve the write-up.

I appreciate the project, believe me(!), but this is not a satisfying answer to me. Sounds like you're pushing responsibilities to some place else instead.

How about some kind of an internal feed which includes such (rare and remarkable) cases so that a user gets a better picture?

PS: CVE-2015-7501 wasn't in there either

Yes, I am pushing the responsibility of the data to another location. When I originally designed dependency-check, one of the key tenets was that the project was not going to maintain a database mapping dependencies to CPE/CVE. We've gotten away from that a little with our hints and suppression files. Maintenance of an enhanced data-set is one of the things you will get with commercial offerings.

This project is 100% free, I do not make any money at all on this project - I am not a consultant, nor do I use this project at my day job. By creating an enhanced data-feed it adds an additional maintenance burden on the project that I feel is unacceptable.

Any updates to an enhanced data-feed would only benefit this project. However, if one were to contact the NVD suggesting updates to a vulnerability (I have and you can too - email them at [email protected]) you then benefit everyone that uses the NVD data including other OWASP projects like dependency-track.
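One way a user can get the signal Dirk asks for without the project maintaining an enhanced feed: a locally maintained policy table applied to dependency-check's JSON report after the scan. This is an added example, not code from the thread or from the DependencyCheck project; it assumes the report's `dependencies[].packages[].id` Maven package-URL layout, and the sample report and the policy table are constructed here.

```python
import re

# Constructed, locally maintained overlay: (group:artifact) -> (first fixed version, note).
# The CVE ids are the ones named in the thread; the NVD does not attach them to this library's CPE.
LOCAL_ADVISORIES = {
    "commons-collections:commons-collections": (
        "3.2.2",
        "see CVE-2015-6420 / CVE-2015-7501 (not mapped to commons-collections in the NVD feed)",
    ),
}

# Maven package URL as dependency-check writes it, e.g. pkg:maven/<group>/<artifact>@<version>
_PURL = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>[^?#]+)")


def version_key(v):
    """Turn '3.2.1' into a comparable tuple: numeric pieces compare as numbers, others as text."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in re.split(r"[.\-]", v))


def local_findings(report):
    """Return [(fileName, purl, note)] for every dependency below a locally recorded fixed version."""
    hits = []
    for dep in report.get("dependencies", []):
        for pkg in dep.get("packages", []):
            m = _PURL.match(pkg.get("id", ""))
            if not m:
                continue  # not a Maven coordinate; nothing in the overlay applies
            key = f"{m['group']}:{m['artifact']}"
            if key not in LOCAL_ADVISORIES:
                continue
            fixed, note = LOCAL_ADVISORIES[key]
            if version_key(m["version"]) < version_key(fixed):
                hits.append((dep.get("fileName", "?"), m.group(0), note))
    return hits


# Constructed sample in the shape of dependency-check's JSON report (abridged).
SAMPLE_REPORT = {
    "dependencies": [
        {"fileName": "commons-collections-3.2.1.jar",
         "packages": [{"id": "pkg:maven/commons-collections/commons-collections@3.2.1"}],
         "vulnerabilities": []},
        {"fileName": "commons-collections-3.2.2.jar",
         "packages": [{"id": "pkg:maven/commons-collections/commons-collections@3.2.2"}]},
        {"fileName": "commons-lang-2.6.jar",
         "packages": [{"id": "pkg:maven/commons-lang/commons-lang@2.6"}]},
    ]
}

if __name__ == "__main__":
    for file_name, purl, note in local_findings(SAMPLE_REPORT):
        print(f"LOCAL: {file_name} ({purl}): {note}")
```

Only the 3.2.1 jar is reported; 3.2.2 and an unrelated artifact pass, so the overlay adds a finding without changing what dependency-check itself says.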

Hi @jeremylong ,

first of all: I much appreciate this tool. I didn't want to cause frustration or appear unappreciative. I can also follow your arguments regarding the maintenance burden of free software, as I have two projects of my own.

WRT the technical point: of course I respect and accept that. It was just an idea for an interface which could be used for those rare cases, not meant for general additions.

I can try to contact NVD when I have a little more space on my desk, but I am afraid my leverage is small.

Cheers, Dirk

The people at the NVD are really good. What I would suggest is just to take some snippets from the Apache blog that would be a good addition to the current write-up(s) and send them the actual updated text with a reference to the blog. That will get the fastest response.
