albuch / sbt-dependency-check

SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). :rainbow:


dependency check reports wrong version of dependency check?

london-coder opened this issue · comments

Reporting Bugs/Errors

When reporting errors, 99% of the time log file output is required. Please post the log file as a gist and provide a link in the new issue.

Also please have a look at the docs of the core dependency-check library to understand how the library works before you report a bug:

Reporting False Positives/Negatives

As sbt-dependency-check is just an SBT wrapper around the awesome core dependency-check project, please report false positive/negative issues there.

Hi, we are running the dependencyCheck plugin for sbt, and having seen the warning about the availability of dependency check 4.0.0, updated the plugin to version 0.2.9. We re-ran dependencyCheck, and noticed in the generated HTML report, the version listed was "dependency-check version: 3.3.4". Is this correct? Thanks for the great tool!!

Hi @london-coder, sbt-dependency-check doesn't follow the versions of dependency-check-core releases, which is the base library that we use to scan artifacts.
The latest release of sbt-dependency-check indeed uses dependency-check 3.3.4. I haven't released a new version yet for 4.0.0 as it has issues with reporting way more false positives than before due to a Lucene update.
I'm waiting for a 4.0.1 release to address the issues first before releasing a new version.