When scanning a .Net project, the scan results will be very different depending on whether packages folder are included. #7263

Open
julian-guo-avepoint opened this issue Dec 19, 2024 · 0 comments
julian-guo-avepoint commented Dec 19, 2024

Describe the bug
When using dependency-check to scan a .NET Framework project, the results are very different when the packages folder is included and when it is not. Many vulnerabilities will be missed when the packages folder is included.

Version of dependency-check used
The problem occurs using version 11.1.1 of the cli.

Log file
The reports and logs of the two scans are here: report-and-log (2).zip

To Reproduce
Steps to reproduce the behavior:
I just scanned the project twice, the first time with the packages folder, the second time just the code project folder. Here are the commands I used (attached as screenshots WXWorkCapture_17345873706533 and WXWorkCapture_17345874133349).
Here is my test code:
Test4DC.zip

Expected behavior
Regardless of whether the packages folder is included, I think some vulnerabilities should be reported, such as the vulnerability with System.Text.Json:8.0.1.

Additional context
Thanks
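Added example (not from the issue or from dependency-check itself): a small Python script that diffs two dependency-check JSON reports and lists the vulnerable packages one scan reported but the other missed, which is the check a maintainer would run to quantify the discrepancy described in this issue. It assumes the JSON report layout `dependencies[].packages[].id` / `dependencies[].vulnerabilities[].name`; the two embedded reports are constructed samples with placeholder CVE ids, not real scan output.

```python
"""Diff two dependency-check JSON reports (scan with packages folder vs.
project folder only) and list findings present in one but not the other.
Report layout is an assumption; sample reports below are constructed."""
import json

# Constructed sample: scan that included the packages folder, no findings.
REPORT_WITH_PACKAGES = json.dumps({"dependencies": [
    {"fileName": "System.Text.Json.8.0.1.nupkg",
     "packages": [{"id": "pkg:nuget/System.Text.Json@8.0.1"}],
     "vulnerabilities": []},
]})

# Constructed sample: project-only scan, with placeholder CVE ids.
REPORT_PROJECT_ONLY = json.dumps({"dependencies": [
    {"fileName": "packages.config",
     "packages": [{"id": "pkg:nuget/System.Text.Json@8.0.1"}],
     "vulnerabilities": [{"name": "CVE-PLACEHOLDER-1", "severity": "HIGH"}]},
    {"fileName": "packages.config",
     "packages": [{"id": "pkg:nuget/Newtonsoft.Json@12.0.1"}],
     "vulnerabilities": [{"name": "CVE-PLACEHOLDER-2", "severity": "HIGH"}]},
]})


def vulnerable_packages(report_json: str) -> dict:
    """Map each package URL to the set of vulnerability names reported for it."""
    found = {}
    for dep in json.loads(report_json).get("dependencies", []):
        names = {v["name"] for v in dep.get("vulnerabilities", [])}
        if not names:
            continue  # dependency identified but nothing flagged on it
        for pkg in dep.get("packages", []):
            found.setdefault(pkg["id"], set()).update(names)
    return found


def diff_reports(first_json: str, second_json: str) -> dict:
    """Return findings only in the first report and only in the second."""
    a, b = vulnerable_packages(first_json), vulnerable_packages(second_json)
    only_a = {p: v - b.get(p, set()) for p, v in a.items() if v - b.get(p, set())}
    only_b = {p: v - a.get(p, set()) for p, v in b.items() if v - a.get(p, set())}
    return {"only_in_first": only_a, "only_in_second": only_b}


if __name__ == "__main__":
    for side, findings in diff_reports(REPORT_WITH_PACKAGES, REPORT_PROJECT_ONLY).items():
        for purl, cves in findings.items():
            print(f"{side}: {purl} -> {sorted(cves)}")
```

Point the two constants at the real `--format JSON` outputs of the two scans to see which packages lose their findings when the packages folder is in scope.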
