6

On a Maven project, I am running both the OWASP dependency-check-maven plugin as also the OWASP command line tool in order to generate a report with dependencies having vulnerabilities.

What I cannot understand, is how those two tools operate. In detail, I noticed that the Maven plugin (dependency-check-maven) , reports 45 vulnerable dependencies, while the command line tool 34.

For example, the Maven plugin reports the undertow-core-1.2.9.Final.jar (which is provided by the undertow-servlet dependency) as having a critical vulnerability, while with the command line check, this dependency does not appear at all in the list. I am running the command line tool with the following command:

dependency-check --project "myProject" --scan "C:\path\myProject" --disableRetireJS

Could it be that the command line tool scans for existing jar files in the projects directory while the Maven plugin goes through the defined dependency in the pom.xml?

Lii
  • 11,553
  • 8
  • 64
  • 88
Stephan
  • 696
  • 15
  • 37

1 Answers1

4

From https://github.com/jeremylong/DependencyCheck/issues/3729, the author of the plugin says:

"The report from the Maven plugin is likely the most accurate. With the CLI it is only scanning the build artifacts."

So, when you use dependency-check-maven plugin the pom.xml are used, while using the CLI only what is found in the target(s) is checked.

Jhack
  • 510
  • 1
  • 6
  • 20