I have a build.gradle file with the following plugins and dependencies:

```groovy
plugins {
    ...
    id 'org.owasp.dependencycheck' version '7.3.0',
    ...
}

ext {
    ...
    okHttpVersion = '4.9.3'
    ...
}

repositories {
    mavenCentral()
}

dependencies {
    implementation(
        ...
        //misc
        'org.testcontainers:junit-jupiter:1.16.3',
        'org.everit.json:org.everit.json.schema:1.5.1',
        'com.github.therapi:therapi-runtime-javadoc:0.13.0',
        'org.apache.commons:commons-text:1.9.0', //this is the vulnerability
        "com.squareup.okhttp3:okhttp:$okHttpVersion",
        "com.squareup.okhttp3:mockwebserver:$okHttpVersion",
        ...
    )
    ...
}
```
When I run `./gradlew dependencyCheckAnalyze`, I cannot see anything about `'org.apache.commons:commons-text:1.9.0'` in the report.

I have tried to execute `./gradlew dependencyCheckPurge`, then `./gradlew dependencyCheckUpdate`, followed by `./gradlew dependencyCheckAnalyze`; however, the report outputs are the same.
For some reason the plugin did not recognise the MAJOR.MINOR.PATCH pattern, but rather MAJOR.MINOR. Therefore 1.9.0 was not visible. On top of that, in the Maven repository there is no 1.9.0 anymore. Putting 1.9 fixed the report results. However, I reckon it is a plugin issue.

UPDATED 07.11.2022: 1.9.0 never existed.
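The practical lesson from the answer is that a dependency-check report can only flag a coordinate it can match, and a version string that was never published (here `1.9.0` instead of `1.9`) matches nothing, so a silent report is not evidence that the dependency is safe. The following added example (not code from the question, the answer or the OWASP dependency-check project) is a small pre-flight check: it parses the `group:artifact:version` strings out of a build.gradle excerpt, expands `$var` placeholders from the `ext` block, and compares each pinned version against the `<versions>` list of a `maven-metadata.xml`. The build.gradle excerpt and the metadata fragments are constructed sample data modelled on the question, not a live download from Maven Central.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt modelled on the build.gradle in the question (not the asker's file).
BUILD_GRADLE = """
ext {
    okHttpVersion = '4.9.3'
}
dependencies {
    implementation(
        'org.apache.commons:commons-text:1.9.0',
        "com.squareup.okhttp3:okhttp:$okHttpVersion",
    )
}
"""

# Constructed maven-metadata.xml fragments keyed by group:artifact.
# The version lists are sample data standing in for the repository's real metadata.
METADATA = {
    "org.apache.commons:commons-text": """<metadata>
  <groupId>org.apache.commons</groupId><artifactId>commons-text</artifactId>
  <versioning><latest>1.10.0</latest>
    <versions><version>1.8</version><version>1.9</version><version>1.10.0</version></versions>
  </versioning></metadata>""",
    "com.squareup.okhttp3:okhttp": """<metadata>
  <versioning><versions><version>4.9.2</version><version>4.9.3</version></versions></versioning>
</metadata>""",
}

EXT_RE = re.compile(r"^\s*(\w+)\s*=\s*['\"]([^'\"]+)['\"]", re.M)
COORD_RE = re.compile(r"['\"]([\w.\-]+):([\w.\-]+):([^'\"]+)['\"]")


def parse_ext(gradle_text):
    """Collect simple `name = 'value'` assignments from the ext { } block."""
    block = re.search(r"ext\s*\{(.*?)\}", gradle_text, re.S)
    return dict(EXT_RE.findall(block.group(1))) if block else {}


def parse_dependencies(gradle_text):
    """Return (group, artifact, version) triples with $var placeholders expanded."""
    ext = parse_ext(gradle_text)
    deps = []
    for group, artifact, version in COORD_RE.findall(gradle_text):
        # Expand "$okHttpVersion" / "${okHttpVersion}"; unknown names are left untouched.
        version = re.sub(r"\$\{?(\w+)\}?",
                         lambda m: ext.get(m.group(1), m.group(0)), version)
        deps.append((group, artifact, version))
    return deps


def published_versions(metadata_xml):
    """Set of <version> entries listed in a maven-metadata.xml document."""
    root = ET.fromstring(metadata_xml)
    return {v.text.strip() for v in root.iter("version")}


def check_versions(deps, metadata):
    """Map each coordinate to 'ok', 'missing-version' or 'no-metadata'.

    'missing-version' is the case from the question: the version string is not
    one the repository ever published, so no scanner can match it to advisories.
    """
    report = {}
    for group, artifact, version in deps:
        ga = f"{group}:{artifact}"
        coord = f"{ga}:{version}"
        if ga not in metadata:
            report[coord] = "no-metadata"
        elif version in published_versions(metadata[ga]):
            report[coord] = "ok"
        else:
            report[coord] = "missing-version"
    return report


if __name__ == "__main__":
    for coord, status in check_versions(parse_dependencies(BUILD_GRADLE), METADATA).items():
        print(f"{status:16} {coord}")
```

Anything reported as `missing-version` should be corrected in build.gradle before the dependency-check result is trusted; in a real build the metadata would come from the repository configured under `repositories { }` rather than the embedded strings.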