Dependency scanning build job does not seem to look into transitive Maven dependencies
Summary
When doing a dependency scan for a project using Spring-Boot 1.5.8, the scan is expected to find the following transitive dependencies containing CVEs (some examples):
- spring-boot-starter-groovy-templates-1.5.8.RELEASE.jar (cpe:/a:pivotal_software:spring_boot:1.5.8, org.springframework.boot:spring-boot-starter-groovy-templates:1.5.8.RELEASE) : CVE-2017-8046, CVE-2018-1196
- spring-boot-starter-jdbc-1.5.8.RELEASE.jar (org.springframework.boot:spring-boot-starter-jdbc:1.5.8.RELEASE, cpe:/a:pivotal_software:spring_boot:1.5.8) : CVE-2017-8046, CVE-2018-1196
- spring-boot-starter-web-1.5.8.RELEASE.jar (org.springframework.boot:spring-boot-starter-web:1.5.8.RELEASE, cpe:/a:pivotal_software:spring_boot:1.5.8) : CVE-2017-8046, CVE-2018-1196
However, no transitive dependency with a CVE is found.
Steps to reproduce
Build a Maven project using Spring-Boot 1.5.8 and use the Auto DevOps feature.
Example Project
You can see the problem in this project/MR: kiview/damn-vulnerable-spring-boot-app!2
Spring-Boot has been downgraded to 1.5.8, which should introduce new CVEs into the project.
What is the current bug behavior?
No transitive dependencies with CVEs are listed.
What is the expected correct behavior?
A list of transitive dependencies containing CVEs, which should include the dependencies listed in the summary (not necessarily 100% correct).
See the output of the OWASP Dependency Check plugin when run locally: dependency-check-report.html
Output of checks
This bug happens on GitLab.com
Possible fixes
OWASP Dependency Check seems to do a better job in this regard: https://www.owasp.org/index.php/OWASP_Dependency_Check
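As an added illustration (not code from this issue, GitLab, or OWASP Dependency Check), the following Python script parses `mvn dependency:tree` output, records each artifact's depth, and lists the affected transitive artifacts that a scanner's findings omit. The tree text, the `com.example` coordinates and the `platform-deps` parent are constructed; the Spring Boot coordinates and CVEs are the ones listed above.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

GAV = Tuple[str, str, str]  # (groupId, artifactId, version)

class Dep(NamedTuple):
    gav: GAV
    depth: int  # 0 = the project itself, 1 = declared in pom.xml, >1 = transitive

# Each tree level is a 3-char segment ("+- ", "\- ", "|  " or "   "): depth = prefix length // 3.
_NODE = re.compile(r"^(?:\[INFO\] )?([|+\\ -]*?)(\S+:\S+:\S+)$")

def parse_tree(text: str) -> List[Dep]:
    """Parse `mvn dependency:tree` text output into (gav, depth) records."""
    deps = []
    for line in text.splitlines():
        m = _NODE.match(line.rstrip())
        if not m:
            continue  # plugin banners and other build noise
        prefix, coord = m.groups()
        parts = coord.split(":")  # groupId:artifactId:type[:classifier]:version[:scope]
        version = parts[-1] if len(parts) == 4 else parts[-2]
        deps.append(Dep((parts[0], parts[1], version), len(prefix) // 3))
    return deps

def missing_transitive_findings(tree: str, affected: Dict[GAV, List[str]],
                                reported: Set[GAV]) -> List[Tuple[GAV, List[str]]]:
    """Affected artifacts at depth > 1 that the scanner did not report."""
    return [(d.gav, affected[d.gav]) for d in parse_tree(tree)
            if d.depth > 1 and d.gav in affected and d.gav not in reported]

# Constructed tree output: the starters named in the issue arrive through a
# direct dependency, so they sit at depth 2 rather than in pom.xml.
SAMPLE_TREE = r"""[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- com.example:platform-deps:jar:1.0.0:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-web:jar:1.5.8.RELEASE:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.8.RELEASE:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.8.RELEASE:compile
[INFO] \- junit:junit:jar:4.12:test
"""

# Coordinates and CVEs exactly as listed in the issue above.
_CVES = ["CVE-2017-8046", "CVE-2018-1196"]
AFFECTED: Dict[GAV, List[str]] = {
    ("org.springframework.boot", "spring-boot-starter-groovy-templates", "1.5.8.RELEASE"): _CVES,
    ("org.springframework.boot", "spring-boot-starter-jdbc", "1.5.8.RELEASE"): _CVES,
    ("org.springframework.boot", "spring-boot-starter-web", "1.5.8.RELEASE"): _CVES,
}
```

Calling `missing_transitive_findings(SAMPLE_TREE, AFFECTED, set())` models a scan that reported nothing, as in this issue, and returns the two starters the scanner should have flagged.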