Bram
As I understand it, matching Java jars to NVD vulnerabilities is done by matching the CPE entries to package names, the manifest file and pom.xml. Apparently this results in fuzzy matching with...
Another example of something that could be improved: we currently use the latest [Spring-Boot Security](https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-security) (direct) dependency, which OWASP Dependency-Check flags as vulnerable for [CVE-2022-22976](https://nvd.nist.gov/vuln/detail/CVE-2022-22976), which resides in spring-security-web and...
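Added example, not taken from this thread or from the Dependency-Check project: the shape of a suppression-file entry for the case described in the post above. The artifact coordinates and CVE id are the ones the post names; the file name, the notes text and the packageUrl pattern are assumptions. The caveat a practitioner wants: this silences the finding for the starter artifact only, and it should be added only after checking that the spring-security-web version the starter actually pulls in is not the affected one, otherwise the suppression hides a real hit.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed file name: dependency-check-suppressions.xml (example, not from the thread) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      Assumed rationale: CVE-2022-22976 is a spring-security-web issue; the starter POM
      itself carries no code. Verify the resolved spring-security-web version before
      keeping this entry, and drop it once the finding no longer appears.
    ]]></notes>
    <!-- Match the starter artifact by package URL, any version (regex) -->
    <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring\-boot\-starter\-security@.*$</packageUrl>
    <cve>CVE-2022-22976</cve>
  </suppress>
</suppressions>
```

Scoping the entry to one packageUrl and one CVE keeps the suppression narrow: a later, genuine finding on spring-security-web itself is still reported, because that artifact has a different package URL.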
I can't find any documentation on the Maven integration for the scanner. Can anyone point me to it? Or is the current "Maven" support limited to letting the command-line tool read pom.xml...
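Added example, not part of the post above and not copied from the project's documentation: the Maven integration is a separate plugin, org.owasp:dependency-check-maven, that runs the scan inside the build against the resolved dependency tree, rather than the CLI parsing pom.xml on its own. The version number, the phase binding and the suppression file path below are placeholders; the plugin coordinates, goal and parameter names are the ones I know the plugin to use.

```xml
<!-- Fragment for the <build><plugins> section of pom.xml (example, not from the thread) -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>PLUGIN_VERSION</version> <!-- placeholder: pin to the current release -->
  <configuration>
    <!-- Fail the build on any finding at or above this CVSS score (assumed threshold) -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <!-- Assumed path to a suppression file with reviewed false positives -->
    <suppressionFiles>
      <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal> <!-- "aggregate" instead scans all modules of a multi-module build -->
      </goals>
      <phase>verify</phase> <!-- assumed binding; run once per build after packaging -->
    </execution>
  </executions>
</plugin>
```

With this in place the scan is `mvn verify` (or `mvn org.owasp:dependency-check-maven:check` ad hoc); the plugin sees the transitive dependencies Maven actually resolved, which is exactly where a finding like the spring-security-web one ends up attributed to the right artifact.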