OWASP dependency checker is not reporting vulnerabilities that VS.Net reports
We are using OWASP dependency check on a Jenkins build server to check for vulnerabilities in .Net solutions. For this, we installed the OWASP Dependency-Check on Jenkins. These checks run overnight, so I am alerted on vulnerabilities discovered in solutions we are not actively working on.
Recently, I opened a solution in VS.Net and VS.Net reported vulnerabilities. Jenkins had not reported these vulnerabilities in 3rd-party libraries. I thought I could expect the OWASP Dependency-Check to find these. Am I mistaken?
As a test, I created a simple .Net solution from the template ASP.NET Core Web App (Model-View-Controller) and added the NuGet package Microsoft.Data.SqlClient version 5.1.1 (Vulnerable, Deprecated). Immediately, VS.Net reports a vulnerability, CVE-2024-0056.
Then I ran the OWASP command line tool on the solution, but no vulnerabilities were reported. The database was updated. Also, I made sure all packages were restored in the solution (not sure if this is required).