The dependency-check-jenkins-plugin is mistakenly identifying the project being scanned and reporting a vulnerability based on the incorrect identification. When scanning a JAR built by Maven, it identifies a project named "Shadow Test" as "shadow" and includes vulnerabilities from shadow in the report for Shadow Test. When scanning during a Maven build with the dependency-check-maven plugin, the vulnerability is not reported.
I do not expect a vulnerability in either report. This false positive seemed worth reporting since I would expect the same result from either scan.
Attached are:
- The Maven pom (pom.xml)
- The Maven scan report (dependency-check-report.html)
- The JAR built by Maven (ST-1.0.0-SNAPSHOT.jar)
- The Jenkins scan report of the attached JAR built by Maven (dependencycheck-unaudited-warnings.xml)
Perhaps spaces in project names aren't handled properly in the Jenkins plugin?
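As an added illustration of the hypothesis above (this is example code written for this page, not dependency-check's own matcher, and the product list and matching strategies are assumptions): a matcher that splits a project name on whitespace and accepts any single token as a product match will link "Shadow Test" to "shadow", whereas matching the whole normalized name, or requiring a second piece of evidence such as the Maven artifactId, does not.

```python
"""Model of the false-positive mode hypothesised in the report.

Assumptions (not dependency-check's real logic): three candidate strategies
for mapping a project name onto a known product name, run over a constructed
list of products in which "shadow" is the one named in the report.
"""
import re
from typing import List

# Constructed sample of known product names (not a real CPE dictionary).
KNOWN_PRODUCTS = ["shadow", "shadow_test_framework", "jackson-databind"]


def normalize(name: str) -> str:
    """Lower-case and collapse runs of whitespace or hyphens into underscores."""
    return re.sub(r"[\s\-]+", "_", name.strip().lower())


def token_matches(project_name: str, products: List[str] = KNOWN_PRODUCTS) -> List[str]:
    """Naive strategy: any whitespace-separated token equal to a product is a hit.

    This is the behaviour that would turn "Shadow Test" into "shadow".
    """
    tokens = {t.lower() for t in project_name.split()}
    return sorted(p for p in products if p in tokens)


def whole_name_matches(project_name: str, products: List[str] = KNOWN_PRODUCTS) -> List[str]:
    """Stricter strategy: the whole normalized name must equal the product name."""
    wanted = normalize(project_name)
    return sorted(p for p in products if p == wanted)


def corroborated_matches(project_name: str, artifact_id: str,
                         products: List[str] = KNOWN_PRODUCTS) -> List[str]:
    """Token match that must also be supported by the Maven artifactId.

    Models why a scan with pom metadata (artifactId "ST" in the report) can
    stay quiet while a scan of the bare JAR name-matches on "shadow".
    """
    hits = token_matches(project_name, products)
    art = normalize(artifact_id)
    return [p for p in hits if p in art]


def compare(project_name: str, artifact_id: str) -> dict:
    """Run all three strategies side by side for one project."""
    return {
        "token": token_matches(project_name),
        "whole": whole_name_matches(project_name),
        "corroborated": corroborated_matches(project_name, artifact_id),
    }


if __name__ == "__main__":
    # "ST" is the artifactId visible in the attached JAR name ST-1.0.0-SNAPSHOT.jar
    for name in ["Shadow Test", "shadow", "Shadow-Test"]:
        print(name, compare(name, "ST"))
```

Running it shows the token strategy alone flagging "Shadow Test" as "shadow"; the other two return nothing for that name, which is the behaviour one would want from both scan paths.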