Java Dependency Scanning not finding Vulnerabilities
Summary
Java Dependency Scanning not finding any issues where other tools, such as Snyk and OWASP Dependency Check Maven plugin, find several.
Steps to reproduce
Use Auto DevOps on a project with a known vulnerability (e.g. io.undertow:undertow-core@2.0.17.Final).
Example Project
https://gitlab.com/dansiviter/websocket-speedtest/pipelines/43649835/security
What is the current bug behavior?
No vulnerabilities found.
What is the expected correct behaviour?
Snyk finds two vulnerabilities:
OWASP Dependency Check finds 10 vulnerabilities:
- CVE-2013-0169
- CVE-2018-1000873
- CVE-2018-14718
- CVE-2018-14719
- CVE-2018-14720
- CVE-2018-14721
- CVE-2018-19360
- CVE-2018-19361
- CVE-2018-19362
- CVE-2018-7489
Why OWASP and Snyk differ is a separate question, but Dependency Scanning should find some or all of those.
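One way to make the comparison above repeatable, as an added example that is not part of this issue or of GitLab's own tooling: read the OWASP Dependency Check JSON report and the GitLab gl-dependency-scanning-report.json side by side and list the CVEs the GitLab scan is missing. The two report layouts used here (dependencies[].vulnerabilities[].name for Dependency Check, vulnerabilities[].identifiers[] with type "cve" for GitLab) are assumptions about the report formats, and the embedded sample reports are constructed, trimmed to the fields the script reads.

```python
import json
import sys
from typing import Set

# Constructed sample of an OWASP Dependency Check JSON report, trimmed to the
# fields read below. Assumed layout: dependencies[].vulnerabilities[].name.
# A dependency with no findings carries no "vulnerabilities" key at all.
DEPENDENCY_CHECK_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "undertow-core-2.0.17.Final.jar",
         "vulnerabilities": [{"name": "CVE-2018-14718"},
                             {"name": "cve-2018-19362"}]},
        {"fileName": "slf4j-api-1.7.25.jar"},
    ]
})

# Constructed sample of a GitLab gl-dependency-scanning-report.json.
# Assumed layout: vulnerabilities[].identifiers[] with type "cve"; the
# identifier value is the CVE id.
GITLAB_DS_REPORT = json.dumps({
    "version": "2.0",
    "vulnerabilities": [
        {"identifiers": [{"type": "cve", "name": "CVE-2018-14718",
                          "value": "CVE-2018-14718"}],
         "location": {"file": "pom.xml",
                      "dependency": {"package": {"name": "io.undertow/undertow-core"},
                                     "version": "2.0.17.Final"}}}
    ]
})


def cves_from_dependency_check(report_json: str) -> Set[str]:
    """Collect every CVE id named anywhere in a Dependency Check report."""
    report = json.loads(report_json)
    found: Set[str] = set()
    for dep in report.get("dependencies", []):
        # Non-vulnerable dependencies simply lack the "vulnerabilities" key.
        for vuln in dep.get("vulnerabilities", []) or []:
            name = vuln.get("name", "")
            if name.upper().startswith("CVE-"):
                found.add(name.upper())
    return found


def cves_from_gitlab_ds(report_json: str) -> Set[str]:
    """Collect every CVE identifier from a GitLab Dependency Scanning report."""
    report = json.loads(report_json)
    found: Set[str] = set()
    for vuln in report.get("vulnerabilities", []):
        for ident in vuln.get("identifiers", []):
            # Identifiers of other types (cwe, gemnasium, ...) are ignored;
            # only CVE ids are comparable across scanners.
            if ident.get("type", "").lower() == "cve":
                found.add(ident.get("value", "").upper())
    return found


def missing_from_gitlab(dc_json: str, gl_json: str) -> Set[str]:
    """CVEs reported by Dependency Check that the GitLab report does not carry.

    An empty GitLab report, which is the behaviour this issue describes,
    makes every Dependency Check CVE show up here.
    """
    return cves_from_dependency_check(dc_json) - cves_from_gitlab_ds(gl_json)


if __name__ == "__main__":
    # Usage: compare_reports.py dependency-check-report.json gl-dependency-scanning-report.json
    # With no arguments the constructed samples above are compared.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as dc, open(sys.argv[2]) as gl:
            dc_text, gl_text = dc.read(), gl.read()
    else:
        dc_text, gl_text = DEPENDENCY_CHECK_REPORT, GITLAB_DS_REPORT
    for cve in sorted(missing_from_gitlab(dc_text, gl_text)):
        print("missing from GitLab Dependency Scanning:", cve)
```

CVE ids are normalised to upper case before the set difference so that a scanner emitting lower-case ids is not counted as a false gap; the same pattern applies to a Snyk report once its layout is known.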
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Possible fixes
Unknown
Edited by Dan Siviter