
Project Misidentification Leads to False Positive in Vulnerability Report


    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Minor

      The dependency-check-jenkins-plugin is mistakenly identifying the project being scanned and reporting a vulnerability based on the incorrect identification. When scanning a JAR built by Maven, it identifies a project named "Shadow Test" as "shadow" and includes vulnerabilities from shadow in the report for Shadow Test. When scanning during a Maven build with the dependency-check-maven plugin, the vulnerability is not reported.

      I do not expect a vulnerability in either report. This false positive seemed worth reporting since I would expect the same result from either scan.

      Attached are:

      • The Maven pom (pom.xml)
      • The Maven scan report (dependency-check-report.html)
      • The JAR built by Maven (ST-1.0.0-SNAPSHOT.jar)
      • The Jenkins scan report of the attached JAR built by Maven (dependencycheck-unaudited-warnings.xml)

      Perhaps spaces in project names aren't handled properly in the Jenkins plugin?

            Assignee: Unassigned
            Reporter: Michael Cresswell (mcresswell)