I have performed a manual check of a few libs that we use in our software. One of them, spring-framework, is currently in version 4.0.3, while the latest release is 4.3.2. Thus, I searched the National Vulnerability Database in order to find whether this old version was vulnerable (or not).
It appears there are 3 known vulnerabilities applying here: CVE-2015-3192, CVE-2014-3625, CVE-2014-3578
Then I built my project with OWASP's dependency-check-maven. Since they are also using the NVD database, I expected to have the same result. However, it eventually returned no vulnerabilities.
Since I am still quite uneasy (and a newbie!) with security matters, and especially 'false positives', I am wondering if those could be some, and thus are ignored by the plugin... or maybe if I am wrong in my manual analysis... But moreover, I want to share experience about this plugin:
Thanks in advance for your answers.
Sorry for the delayed response - I normally don't monitor SO for questions on dependency-check. See my answer to a similar question on the dependency-check mailing list: https://groups.google.com/forum/#!topic/dependency-check/LjnemiZKeZQ
With this specific false negative, it has to do with the NVD being unable to decide what the vendor name should be for Spring Framework. The NVD has at least three distinct identifiers for version 3.20:
This false negative has been resolved and the patch will be included in the 1.4.4 release (which should be published within a month). If you run into additional false positives or false negatives, please report them as issues in the GitHub repo.
Regarding your question about reliability - I have not tested a tool that is 100% reliable. I view dependency-check as the minimum bar for Java applications.
--Jeremy
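As an added illustration of the vendor-name problem Jeremy describes (this is not code from the question, the answer or dependency-check itself): a CPE lookup keyed on one exact vendor string misses NVD entries filed under a different vendor name for the same product, while a lookup that accepts a set of known vendor aliases finds them. The NVD records, vendor strings and CVE placeholders below are constructed for the example and do not reflect real NVD data.

```python
"""Added example: why a strict CPE match produces a false negative when the
NVD files the same product under several vendor names. All records below are
constructed; the CVE ids are placeholders, not real identifiers."""
import re

# Constructed NVD-style records: (CPE 2.2 URI, CVE affecting that CPE).
# Same product and version, three different vendor strings, plus one
# unrelated product that a correct matcher must not report.
NVD_SAMPLE = [
    ("cpe:/a:springsource:spring_framework:4.0.3", "CVE-XXXX-0001"),
    ("cpe:/a:pivotal:spring_framework:4.0.3",      "CVE-XXXX-0002"),
    ("cpe:/a:vmware:spring_framework:4.0.3",       "CVE-XXXX-0003"),
    ("cpe:/a:pivotal:spring_security:4.0.3",       "CVE-XXXX-0004"),
]

# CPE 2.2 URI: cpe:/<part>:<vendor>:<product>[:<version>...]
_CPE22 = re.compile(
    r"^cpe:/(?P<part>[aho]):(?P<vendor>[^:]+):(?P<product>[^:]+)"
    r"(?::(?P<version>[^:]*))?"
)

def parse_cpe(uri):
    """Parse a CPE 2.2 URI into (part, vendor, product, version)."""
    m = _CPE22.match(uri)
    if not m:
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    return (m.group("part"), m.group("vendor"), m.group("product"),
            m.group("version") or "")

def match_strict(vendor, product, version, entries=NVD_SAMPLE):
    """Naive lookup requiring the exact vendor string: entries filed under
    another vendor name for the same product are silently missed."""
    hits = set()
    for uri, cve in entries:
        _, v, p, ver = parse_cpe(uri)
        if (v, p, ver) == (vendor, product, version):
            hits.add(cve)
    return sorted(hits)

def match_vendor_aliases(vendor_aliases, product, version, entries=NVD_SAMPLE):
    """Lookup that accepts any of several vendor strings for one product,
    so a renamed or inconsistently named vendor no longer hides a CVE."""
    aliases = {a.lower() for a in vendor_aliases}
    hits = set()
    for uri, cve in entries:
        _, v, p, ver = parse_cpe(uri)
        if v.lower() in aliases and p == product and ver == version:
            hits.add(cve)
    return sorted(hits)

if __name__ == "__main__":
    print(match_strict("springsource", "spring_framework", "4.0.3"))
    print(match_vendor_aliases(["springsource", "pivotal", "vmware"],
                               "spring_framework", "4.0.3"))
```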