We tried putting a few entries in pom.xml which have known vulnerabilities, but GitHub shows alerts for only a few of them. For example, Commons Collections 3.2.1 has a known vulnerability, but no alert is shown for it.
Please advise whether the alerts are only for selected jars or whether they cover all CVE vulnerabilities.
In all the sources used to track vulnerabilities, there are some vulnerabilities that are not being caught, even though those vulnerabilities are listed in the MITRE CVE tool. Is there some automated way to ensure that all reported vulnerabilities are caught? Or is the other option to check all of the jar files manually, one by one?
For example, activemq-all (v5.7.0) and commons-collections (v3.2.1) have known vulnerability issues, but no alerts are given for these jars.
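One way to avoid checking jars by hand is to enumerate the coordinates declared in pom.xml yourself and cross-check them against an advisory list you control. The script below is an added example, not code from the poster or from GitHub; the pom.xml content and the `KNOWN_VULNERABLE` set are constructed from the two artifacts named in the question and stand in for a real vulnerability database export.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml using the two artifacts named in the question.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><collections.version>3.2.1</collections.version></properties>
  <dependencies>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>${collections.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.activemq</groupId>
      <artifactId>activemq-all</artifactId>
      <version>5.7.0</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed placeholder advisory list: (groupId, artifactId, affected version).
# In practice this is fed from a vulnerability database export, not typed by hand.
KNOWN_VULNERABLE = {
    ("commons-collections", "commons-collections", "3.2.1"),
    ("org.apache.activemq", "activemq-all", "5.7.0"),
}

def _text(parent, name):
    el = parent.find("m:" + name, NS)
    return (el.text or "").strip() if el is not None else ""

def parse_dependencies(pom_text):
    # Return (groupId, artifactId, version) for every <dependency>, including
    # those under <dependencyManagement>, resolving ${property} versions where
    # the property is declared in this pom (unknown ones are left as written).
    root = ET.fromstring(pom_text)
    props_el = root.find("m:properties", NS)
    props = {p.tag.split("}")[-1]: (p.text or "").strip() for p in props_el} if props_el is not None else {}
    deps = []
    for dep in root.iterfind(".//m:dependencies/m:dependency", NS):
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), _text(dep, "version"))
        deps.append((_text(dep, "groupId"), _text(dep, "artifactId"), version))
    return deps

def find_vulnerable(pom_text, advisories=KNOWN_VULNERABLE):
    # Exact-coordinate match against the advisory list; versions inherited from
    # a parent pom are not resolved here and should be checked separately.
    return [d for d in parse_dependencies(pom_text) if d in advisories]
```

Calling `find_vulnerable(POM_XML)` returns both flagged coordinates; junit is listed but not matched.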