Dependencycheck: Updating from 5.3.2 to 6.0.1 in angular project

Created on 18 Sep 2020 · 5 Comments · Source: jeremylong/DependencyCheck

Hello,
If I update the Dependency-Check-Maven-Plugin from 5.3.2 to 6.0.1 without further changes in my configuration, the build is interrupted (as configured) when new vulnerabilities are found. That's okay, but in contrast to 5.3.2, where 2 vulnerabilities were found, version 6.0.1 now finds 2290 ... And that surprises me a little.

After looking around I set up a little demo project with just a pom.xml, a package.json and an owasp-exclude.xml. And it looks as if the plugin now finds every vulnerability for the devDependencies in package.json.

So my questions are now:
Is there something I can do?
Can I suppress the scanning of devDependencies (setting nodeAuditSkipDevDependencies to false true does not work)?

Runs executed on 18th of September 2020, at around 08:45 CEST:

  • run1: mvn clean verify produces 0 vulnerabilities
  • run2: mvn clean verify -Ddependency-check-maven.version=6.0.1 produces 2289 vulnerabilities in 82 dependencies
  • run3: with devDependencies removed from package.json, mvn clean verify -Ddependency-check-maven.version=6.0.1 again produces 0 vulnerabilities

The pom.xml (with plugin version 5.3.2), package.json and owasp-exclude.xml are attached as 03_demo.zip.

The created reports of the three runs are attached as reports.zip.

question

All 5 comments

We have the same "problem" over here in our projects using the CLI. Will follow this to see if it's a bug or if there is a workaround.

See #2482. Also - there are a number of FP that need to be cleaned up. I'll try to find some time soon to cull the list of reported FP.

In addition - I believe I just fixed the issue with skipping dev dependencies via nodeAuditSkipDevDependencies. The patch will be in 6.0.2.

It seems it is not really working: also with version 6.0.2 and <nodeAuditSkipDevDependencies>true</nodeAuditSkipDevDependencies> I still get more than 2200 vulnerabilities for the attached demo project ... (exactly: 2268 vulnerabilities in 47 dependencies, which is only a little bit fewer than the original 2289 vulnerabilities in 82 dependencies ...)

Until I get time to clean up the Node Analyzer, I would highly recommend just turning it off: <nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>. I have plans to enhance the node analysis, but it won't make it into the next release.
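For readers who land on this issue looking for the workaround, the following pom.xml fragment shows where the settings discussed in this thread go. It is an illustrative configuration added here, not the reporter's attached 03_demo.zip and not a file from the DependencyCheck project; the `dependency-check-maven.version` property mirrors the `-D` override used in the reporter's runs, and the `failBuildOnCVSS` threshold of 7 is an assumed value (the reporter's actual threshold is not given in the thread).

```xml
<!-- Illustrative pom.xml fragment (added for this issue; not the reporter's attached demo project) -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <!-- Overridable from the command line, as in the reporter's runs:
         mvn clean verify -Ddependency-check-maven.version=6.0.2 -->
    <dependency-check-maven.version>6.0.2</dependency-check-maven.version>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check-maven.version}</version>
        <configuration>
          <!-- Fail the build on any finding at or above this CVSS score (assumed threshold) -->
          <failBuildOnCVSS>7</failBuildOnCVSS>

          <!-- Reviewed false positives are recorded in the suppression file the reporter mentions -->
          <suppressionFile>owasp-exclude.xml</suppressionFile>

          <!-- Maintainer's interim recommendation: disable the Node.js package analyzer
               until the false-positive list for it has been culled -->
          <nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>

          <!-- Alternative once the 6.0.2 fix works for your project: keep the separate
               Node Audit analyzer but leave devDependencies out of the audit -->
          <!--
          <nodeAuditAnalyzerEnabled>true</nodeAuditAnalyzerEnabled>
          <nodeAuditSkipDevDependencies>true</nodeAuditSkipDevDependencies>
          -->
        </configuration>
        <executions>
          <execution>
            <goals>
              <!-- The check goal binds to the verify phase by default, matching "mvn clean verify" -->
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Two different analyzers are in play here: `nodeAnalyzerEnabled` controls the Node.js package analyzer that the maintainer recommends switching off, while `nodeAuditAnalyzerEnabled` and `nodeAuditSkipDevDependencies` control the Node Audit analyzer whose devDependencies handling is the subject of the 6.0.2 fix. Disabling the package analyzer removes its findings from the report entirely, so dependencies the build still ships to production should remain covered by another scanner (the Node Audit analyzer, or npm audit in the CI pipeline) rather than going unchecked.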
