Issue details
Newtonsoft.JSON is not getting detected under the evidence section in the ODC HTML vulnerability report with the --hints option enabled when running the tool.
We have the Newtonsoft.Json package, version 9.0.1, in the project.assets.json file, which is vulnerable to CVE-2024-21907 (https://nvd.nist.gov/vuln/detail/CVE-2024-21907).
Please find attached screenshots related to the command run with the --hints file.
The hints file used has an entry for Newtonsoft.Json, as a fix from issue #6789.
Version of dependency-check used
Dependency-Check Core version 10.0.4
While running the tool it also throws this warning: [WARN] Unable to determine Package-URL identifiers for 1 dependencies
Let us know if you need any other info.
Comment:
The assembly analyzer requires that you scan the DLLs, not the project files. Have you run something like dotnet publish prior to running dependency-check?
Comment (reporter):
Hi Jeremy, the issue is that the Newtonsoft.Json package is not getting detected under the Dependencies (all) section, and hence no evidence section is populated for it.
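The workflow suggested in the thread, publishing the project so the assembly analyzer has DLLs to inspect before running dependency-check, as an added example. This is not code from the issue or from the dependency-check project; the pre-flight check, the directory layout, the project name, the hints file name (hints.xml) and the output directory (odc-report) are assumptions. The dependency-check flags used (--project, --scan, --hints, --format, --out) are the CLI's real options.

```shell
#!/bin/sh
# Added example, not from the issue or from dependency-check itself.
# The assembly analyzer reads compiled assemblies, so scanning a source
# tree (csproj + project.assets.json) yields no NuGet evidence. These
# helpers check what the scan target actually contains before scanning.

# Return 0 if DIR (recursively) contains at least one .dll, else 1.
has_assemblies() {
    dir="$1"
    [ -d "$dir" ] || return 1
    # grep -q . succeeds as soon as find prints any matching path
    find "$dir" -type f \( -name '*.dll' -o -name '*.DLL' \) -print 2>/dev/null | grep -q .
}

# Return 0 if DIR holds project/restore metadata but no assemblies,
# i.e. the situation described in the report above.
looks_like_source_tree() {
    dir="$1"
    if has_assemblies "$dir"; then
        return 1
    fi
    find "$dir" -type f \( -name '*.csproj' -o -name 'project.assets.json' \) -print 2>/dev/null | grep -q .
}

# Publish first if needed, then scan the publish output with the hints file.
# Arguments (all assumed defaults): PROJECT_DIR PUBLISH_DIR HINTS_FILE
publish_and_scan() {
    project_dir="${1:-.}"
    publish_dir="${2:-$project_dir/publish}"
    hints_file="${3:-hints.xml}"

    if looks_like_source_tree "$project_dir" && ! has_assemblies "$publish_dir"; then
        echo "no assemblies under $project_dir or $publish_dir; running dotnet publish first" >&2
        dotnet publish "$project_dir" -c Release -o "$publish_dir" || return 1
    fi

    has_assemblies "$publish_dir" || { echo "still no DLLs in $publish_dir; nothing for the assembly analyzer" >&2; return 1; }

    # Scan the compiled output, not the project directory.
    dependency-check.sh --project "$(basename "$project_dir")" \
        --scan "$publish_dir" \
        --hints "$hints_file" \
        --format HTML \
        --out odc-report
}
```

Pointing --scan at the publish directory is the part that matters: the hints file can only add evidence to dependencies that an analyzer has already produced, so a Newtonsoft.Json entry in hints.xml does nothing if Newtonsoft.Json.dll was never scanned.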