I have a build.gradle file with the following plugins and dependencies
plugins {
...
id 'org.owasp.dependencycheck' version '7.3.0',
...
}
ext {
...
okHttpVersion = '4.9.3'
...
}
repositories {
mavenCentral()
}
dependencies {
implementation(
...
//misc
'org.testcontainers:junit-jupiter:1.16.3',
'org.everit.json:org.everit.json.schema:1.5.1',
'com.github.therapi:therapi-runtime-javadoc:0.13.0',
'org.apache.commons:commons-text:1.9.0', //this is the vulnerability
"com.squareup.okhttp3:okhttp:$okHttpVersion",
"com.squareup.okhttp3:mockwebserver:$okHttpVersion",
...
)
...
}
When I run ./gradlew dependencyCheckAnalyze in the report I cannot see the anything about 'org.apache.commons:commons-text:1.9.0'
I have tried to execute ./gradlew dependencyCheckPurge then ./gradlew dependencyCheckUpadte followd by ./gradlew dependencyCheckAnalyze, however the report outputs are same
For some reason the plugin did not recognise MAJOR.MINOR.PATCH pattern, rather MAJOR.MINOR. Therefore 1.9.0 was not visible
On top of it in maven repository there are no 1.9.0 anymore
Putting 1.9 fixed the report results
However I reckon it is plugin issue
UPDATED 07.11.2022:
1.9.0 never existed