Percentage of undetected dependencies in the CVE reports - 8.0

Talend Software Development Life Cycle Best Practices Guide

Version: 8.0
Language: English
Product: Talend Big Data, Talend Data Fabric, Talend Data Integration, Talend Data Management Platform, Talend Data Services Platform, Talend ESB, Talend MDM Platform
Module: Talend Administration Center, Talend Artifact Repository, Talend CommandLine, Talend JobServer, Talend Studio
Content: Administration and Monitoring, Deployment, Design and Development

The list of fixed Common Vulnerabilities and Exposures (CVEs) that you can generate while building only covers official Maven dependencies, that is, dependencies identified by a specific groupId, artifactId and version (GAV) that can be matched against CVE data.

Refer to the official Maven documentation for more details.

Therefore, component dependencies that use the Talend-specific groupId org.talend.libraries, which are not published as official Maven dependencies, are not reported in the generated CVE list.

The following table shows, for each release, the percentage of component dependencies that use the org.talend.libraries groupId (and are therefore not reported) relative to the total number of Maven and Talend component dependencies.

Version              Percentage of undetected Talend component dependencies
7.3.1                35%
7.3.1 latest         21%
8.0.1                10%
8.0.1 R2022-03        8%
8.0.1 R2022-07        8%

For example, in version 7.3.1 the mvn org.talend.ci:builder-maven-plugin:8.0.X:detectCVE command misses 35% of all component dependencies, compared with 8% in version 8.0.1 R2022-07. Those dependencies are still part of the build; they are simply absent from the generated CVE list, so the list should not be read as complete coverage of the job's dependencies.
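The percentages above are averages per release. To measure the blind spot for one specific job, the practical check is to list the job's resolved dependencies and count how many carry the org.talend.libraries groupId. The script below is an added example, not Talend's own code: it parses the console output of `mvn dependency:list` (one `[INFO]    groupId:artifactId:type[:classifier]:version:scope` line per dependency, optionally followed by the `-- module ...` suffix newer plugin versions print) and reports which coordinates the detectCVE goal cannot cover. The sample output embedded in it is constructed for illustration; the artifact names under org.talend.libraries are not real Talend artifacts.

```python
"""Estimate the share of a Talend job's dependencies that the
builder-maven-plugin detectCVE goal cannot report on.

Added example, not Talend's own code. The classification rule is the one
the page describes: any dependency under the Talend-specific groupId
org.talend.libraries is outside the official Maven GAV space and so is
never matched against CVE data.
"""
import re
from dataclasses import dataclass

# groupIds the CVE list cannot cover (from the page).
UNDETECTED_GROUPS = {"org.talend.libraries"}

# A single coordinate field: no whitespace, no colon.
_FIELD = r"[^:\s]+"
# Dependency lines printed by `mvn dependency:list`: 5 fields, or 6 when
# a classifier is present; newer plugin versions may append "-- module ...".
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(" + _FIELD + r"(?::" + _FIELD + r"){4,5})(?:\s+--.*)?\s*$"
)


@dataclass(frozen=True)
class Dependency:
    group_id: str
    artifact_id: str
    version: str
    scope: str

    @property
    def detectable(self) -> bool:
        """True if detectCVE can match this GAV against CVE data."""
        return self.group_id not in UNDETECTED_GROUPS


def parse_dependency_list(output: str) -> list:
    """Extract Dependency objects from `mvn dependency:list` console output."""
    deps = []
    for line in output.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue  # banner, "none", BUILD SUCCESS, etc.
        fields = m.group(1).split(":")
        # groupId:artifactId:type:version:scope
        # groupId:artifactId:type:classifier:version:scope
        group_id, artifact_id = fields[0], fields[1]
        version, scope = fields[-2], fields[-1]
        deps.append(Dependency(group_id, artifact_id, version, scope))
    return deps


def undetected_share(deps: list) -> tuple:
    """Return (percentage rounded to an integer, list of undetected deps)."""
    undetected = [d for d in deps if not d.detectable]
    pct = round(100 * len(undetected) / len(deps)) if deps else 0
    return pct, undetected


# Constructed sample of `mvn dependency:list` output for a fictional job.
SAMPLE_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.1.2:list (default-cli) @ demo_job ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.4.2:compile
[INFO]    org.talend.libraries:example-connector-lib:jar:6.0.0:compile
[INFO]    org.talend.libraries:example-routines:jar:6.0.0:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO]    io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.85.Final:compile
[INFO]    org.talend.libraries:example-db-driver:jar:6.0.0:runtime
[INFO]
[INFO] BUILD SUCCESS
"""


if __name__ == "__main__":
    import sys

    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    deps = parse_dependency_list(text)
    pct, undetected = undetected_share(deps)
    print(f"{len(deps)} dependencies, {len(undetected)} not covered by detectCVE ({pct}%)")
    for d in undetected:
        print(f"  review manually: {d.group_id}:{d.artifact_id}:{d.version} ({d.scope})")
```

Run it against a real job with `mvn dependency:list | python3 undetected_share.py` from the job's project directory (the script name is an assumption); with no input on stdin it reports on the constructed sample, where 3 of 7 dependencies, or 43%, fall outside the CVE list. The coordinates it prints are the ones to take to a separate review, since detectCVE says nothing about them.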