OWASP dependency checker reporting security issue from cache for a library that is forced to a later version


OWASP dependency checker found an issue in the snakeyaml library, version 1.3. This was included in the project as a transitive dependency of spring-boot-starter, which is itself automatically included as a dependency of the spring-boot library. So, I forced version 2.0 of snakeyaml in the build.gradle file:

configurations {
    all {
        // Applies to every configuration in the project
        resolutionStrategy {
            force 'org.yaml:snakeyaml:2.0'
        }
    }
}

Now I can see in the external library list that snakeyaml version 2.0 is present. But after running the dependency checker again, I can see it is reporting snakeyaml version 1.3 again, this time from the Gradle cache location.

I removed the cache, but reloading Gradle reinstates the older version along with version 2.3.

Q1. Is there any way to configure OWASP dependency checker to ignore the libraries in the cache and only look at the libraries that are actually used?

Q2. Is there any other way to handle the situation?

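The following build.gradle fragment is an added example written for this page; it is not code from the question or from the OWASP dependency-check project. It shows one way to handle the situation described above: pin snakeyaml with a strict dependency constraint rather than a blanket force, restrict the dependency-check scan to the runtimeClasspath configuration so the scanner only reports what actually ships, and add a guard task that fails the build if the pin is not effective. It assumes the java plugin and the org.owasp.dependencycheck Gradle plugin are already applied; the task name verifySnakeyamlPin and the CVSS threshold are illustrative choices, not project settings.

```groovy
// build.gradle (Groovy DSL). Assumes the 'java' plugin and the
// 'org.owasp.dependencycheck' plugin are applied elsewhere in this file.

dependencies {
    // Pin snakeyaml for every configuration that extends 'implementation'
    // (compileClasspath, runtimeClasspath, test variants). 'strictly' makes
    // Gradle fail resolution if anything else tries to pull a different
    // version, rather than silently picking the highest candidate.
    constraints {
        implementation('org.yaml:snakeyaml') {
            version { strictly '2.0' }
            because 'older snakeyaml releases are flagged by dependency-check'
        }
    }
}

// Scan only the classpath that is actually packaged and run, instead of
// every resolvable configuration. A finding then has to come from
// runtimeClasspath, and dependencyInsight can explain why it resolved.
dependencyCheck {
    scanConfigurations = ['runtimeClasspath']
    failBuildOnCVSS = 7.0f   // illustrative threshold; set per your policy
}

// Hypothetical guard task (not part of the plugin): inspect what
// runtimeClasspath really resolved to and fail if the pin did not hold.
tasks.register('verifySnakeyamlPin') {
    doLast {
        def resolved = configurations.runtimeClasspath
                .incoming.resolutionResult.allComponents
        def snakeyaml = resolved.findAll {
            it.moduleVersion?.group == 'org.yaml' &&
            it.moduleVersion?.name == 'snakeyaml'
        }
        if (snakeyaml.isEmpty()) {
            println 'snakeyaml is not on runtimeClasspath'
            return
        }
        snakeyaml.each { c ->
            println "runtimeClasspath resolves org.yaml:snakeyaml:${c.moduleVersion.version}"
        }
        def stale = snakeyaml.findAll { it.moduleVersion.version != '2.0' }
        if (!stale.isEmpty()) {
            throw new GradleException(
                "snakeyaml pin not effective, resolved: ${stale*.moduleVersion*.version}")
        }
    }
}

// Typical use from the command line:
//   ./gradlew dependencyInsight --dependency snakeyaml --configuration runtimeClasspath
//   ./gradlew verifySnakeyamlPin dependencyCheckAnalyze
```

The dependencyInsight task is the quickest way to see which configuration and which declaring path still resolves the old version; if a finding still appears after limiting the scan to runtimeClasspath, the pin is not reaching the configuration that ships, which is exactly what the guard task is meant to catch before the scanner does.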