Different CVEs reported when using different OWASP versions
vidgeus opened this issue
Recreation steps:
In my project I use the following build.gradle:
```groovy
buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        // dependency-check Gradle plugin; this is the version that was switched
        // between 8.2.1 and 8.1.0 to reproduce the issue
        classpath 'org.owasp:dependency-check-gradle:8.2.1'
    }
}

plugins {
    id 'java'
}

apply plugin: 'org.owasp.dependencycheck'

group 'org.example'
version '1.0-SNAPSHOT'
sourceCompatibility = JavaVersion.VERSION_17

repositories {
    mavenCentral()
}

dependencies {
    // the only declared dependency; everything scanned comes in transitively through it
    implementation("org.springframework.boot:spring-boot-starter-actuator:3.0.6")
}
```
When I run the dependencyCheckAnalyze Gradle task I get the following vulnerability (just snakeyaml):
But when I change the OWASP version in the build.gradle from 8.2.1 to 8.1.0, then I get different vulnerabilities (snakeyaml & jackson-core):
Notes:
I ran dependencyCheckPurge & dependencyCheckUpdate in both cases to ensure a "clean" recreation of the issue.
The problem:
Why do different versions of OWASP yield different vulnerabilities? Isn't the vulnerability data source independent from the OWASP releases?
The data source is independent - but the evidence and identification is different when using the CLI vs a build plugin. We always recommend the use of a build plugin over the CLI (or docker image). This is expected behavior due to how dependency-check works.
@jeremylong My question is actually this one, but reading the answer I believe it might be a confusion. In terms of the original question, the point is that two different versions of the same Gradle plugin produce different results. I did not expect that the CLI or the Gradle plugin could yield different results, but the same Gradle plugin, one 8.2.1 and the other 8.1.0, should yield the same results, right?
Did you actually look at the "vulnerability" reported by 8.1.0? I bet it looks like a false positive.... Most version upgrades include some level of false positive reduction.
Thank you @jeremylong for the clarification, I appreciate it. It looked like a false positive indeed.
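The practical follow-up to this thread is to compare the two reports rather than eyeballing the HTML, and to look at the evidence each finding rests on. The script below is an added example, not code from the issue or from the dependency-check project: it diffs two dependency-check JSON reports and lists the findings that appear in only one of them, together with the CPE identifiers the library was matched to and the plugin's confidence in that match. The sample reports are constructed inline with placeholder CVE numbers and CPEs; the field names used (`dependencies[].fileName`, `vulnerabilityIds[].id`/`confidence`, `vulnerabilities[].name`) are my reading of the JSON report layout and are an assumption, as is the "suspect false positive when no match reaches MEDIUM confidence" heuristic.

```python
import json

# Confidence levels as dependency-check reports them on a CPE match (assumption).
CONFIDENCE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "HIGHEST": 3}


def findings(report):
    """Map (fileName, CVE name) -> list of (cpe, confidence) for every
    vulnerability in a dependency-check JSON report.

    Assumed layout: dependencies[] entries carry fileName, vulnerabilityIds[]
    (the CPEs the jar was identified as, each with a confidence) and
    vulnerabilities[] (the CVEs pulled in through those CPEs)."""
    result = {}
    for dep in report.get("dependencies", []):
        cpes = [(v["id"], v.get("confidence", "LOW"))
                for v in dep.get("vulnerabilityIds", [])]
        for vuln in dep.get("vulnerabilities", []):
            result[(dep["fileName"], vuln["name"])] = cpes
    return result


def explain(key, cpes):
    """Describe one finding together with the evidence behind it.
    Heuristic (mine, not a dependency-check rule): if no CPE match reaches
    MEDIUM confidence, flag the finding as a suspected false positive."""
    file_name, cve = key
    best = max((CONFIDENCE_RANK.get(c, 0) for _, c in cpes), default=0)
    return {
        "file": file_name,
        "cve": cve,
        "matched_on": [cpe for cpe, _ in cpes],
        "suspect_false_positive": best < CONFIDENCE_RANK["MEDIUM"],
    }


def diff_reports(old, new):
    """Return (dropped, added): findings only in the old report and only in
    the new one, each with its CPE evidence so a reviewer can tell a
    false-positive reduction from a genuinely missed vulnerability."""
    old_f, new_f = findings(old), findings(new)
    dropped = [explain(k, old_f[k]) for k in sorted(old_f.keys() - new_f.keys())]
    added = [explain(k, new_f[k]) for k in sorted(new_f.keys() - old_f.keys())]
    return dropped, added


# Constructed sample reports, NOT real scan output. CVE numbers and CPE strings
# are placeholders; they model the situation in the thread: the older plugin
# flags snakeyaml and jackson-core, the newer one only snakeyaml.
REPORT_PLUGIN_8_1_0 = {
    "projectInfo": {"name": "demo"},
    "dependencies": [
        {
            "fileName": "snakeyaml.jar",
            "vulnerabilityIds": [
                {"id": "cpe:2.3:a:example:snakeyaml:1.0:*:*:*:*:*:*:*", "confidence": "HIGHEST"}
            ],
            "vulnerabilities": [{"name": "CVE-0000-0001", "severity": "CRITICAL"}],
        },
        {
            "fileName": "jackson-core.jar",
            # weak match: the jar was identified as a different product at LOW confidence
            "vulnerabilityIds": [
                {"id": "cpe:2.3:a:example:jackson:2.0:*:*:*:*:*:*:*", "confidence": "LOW"}
            ],
            "vulnerabilities": [{"name": "CVE-0000-0002", "severity": "HIGH"}],
        },
    ],
}

REPORT_PLUGIN_8_2_1 = {
    "projectInfo": {"name": "demo"},
    "dependencies": [
        {
            "fileName": "snakeyaml.jar",
            "vulnerabilityIds": [
                {"id": "cpe:2.3:a:example:snakeyaml:1.0:*:*:*:*:*:*:*", "confidence": "HIGHEST"}
            ],
            "vulnerabilities": [{"name": "CVE-0000-0001", "severity": "CRITICAL"}],
        },
        {"fileName": "jackson-core.jar", "vulnerabilityIds": [], "vulnerabilities": []},
    ],
}


if __name__ == "__main__":
    dropped, added = diff_reports(REPORT_PLUGIN_8_1_0, REPORT_PLUGIN_8_2_1)
    print(json.dumps({"dropped_in_new": dropped, "added_in_new": added}, indent=2))
```

To use it on real runs, enable JSON output in the plugin configuration (the Gradle plugin's `dependencyCheck { formats = ['HTML', 'JSON'] }` setting, per my understanding of its DSL), keep the report from each plugin version under a separate name, and pass the two files through `json.load` into `diff_reports`. A dropped finding whose only evidence is a LOW-confidence CPE match is exactly the "looks like a false positive" case from the thread; a dropped finding with a HIGHEST match is the one worth raising upstream.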