Newtonsoft.JSON not detected in the vulnerability report with --hints option enabled

[gururajsn]

Issue details
Newtonsoft.JSON is not getting detected under the evidence section in the ODC html vulnerability report with the --hints option enabled when running the tool.

we have Newtonsoft.Json package with version 9.0.1 in the project.assets.json file which is vulnerable to CVE https://nvd.nist.gov/vuln/detail/CVE-2024-21907

Please find attached screenshots related to command run with the --hints file.

The hints file used has an entry to Newtonsoft.Json as a fix from issue #6789

Version of dependency-check used
Dependency-Check Core version 10.0.4

While running the tool it also throws this warning -> [WARN] Unable to determine Package-URL identifiers for 1 dependencies

Let us know if you need any other info.

[jeremylong]

can you provide the Evidence section from the HTML report?

[gururajsn]

Hi Jeremy, the issue is Newtonsoft.Json package is not getting detected under Dependencies (all) section and hence no evidence section populated for the same.

[jeremylong]

The assembly analyzer requires that you scan the DLLs - not the project files. Have you run something like dotnet publish prior to running dependency-check?