Description: I am experiencing an issue where Jenkins reports the presence of a vulnerable library godoes/gorm-oracle@1.6.11, but this version does not exist in my project.
Details:
- Jenkins scan flags godoes/gorm-oracle@1.6.11 as vulnerable.
- The specified version is not found in the reported path within the project.
- It is not listed in go.mod or go.sum.
- A manual search through the repository does not return any reference to this library version.
What I Have Tried:
- Verified go.mod and go.sum to ensure the dependency is not explicitly declared.
- Searched the entire project for references to gorm-oracle@1.6.11.
- Checked for any indirect dependencies that may be introducing this library version.
Questions:
- Has anyone else encountered false positives in Jenkins dependency scans?
- Could this be a caching issue in Jenkins or a misinterpretation of transitive dependencies?
- What additional debugging steps should I take to trace where Jenkins is detecting this library?
Any insights or recommendations would be greatly appreciated!
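One way to carry out the third debugging step the post asks about (tracing which dependency introduces the flagged version), as an added example that is not part of the original post: the program below parses `go mod graph` output and, for a target module path, reports the version the build actually selects plus every requirement chain that names any version of that module. The embedded graph is constructed for a hypothetical project (example.com/app, example.com/reporting and example.com/legacydb are made up); the module path github.com/godoes/gorm-oracle is assumed from the post's "godoes/gorm-oracle". The point it demonstrates is that a transitive dependency can require an older version of a module than the one your build selects: that older version then appears in `go mod graph` and in the module cache even though it never appears in your own go.mod, which is one way a scanner can flag a version you never declared.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"os"
	"sort"
	"strconv"
	"strings"
)

// sampleGraph is a constructed `go mod graph` listing (hypothetical modules,
// not taken from the original post's project). Each line is
// "<requirer> <requirement>"; the main module carries no @version.
const sampleGraph = `example.com/app github.com/godoes/gorm-oracle@v1.7.0
example.com/app example.com/reporting@v0.3.0
example.com/app gorm.io/gorm@v1.25.5
example.com/reporting@v0.3.0 example.com/legacydb@v0.1.2
example.com/legacydb@v0.1.2 github.com/godoes/gorm-oracle@v1.6.11
github.com/godoes/gorm-oracle@v1.6.11 gorm.io/gorm@v1.25.0
github.com/godoes/gorm-oracle@v1.7.0 gorm.io/gorm@v1.25.5
`

// splitModule separates "path@version"; the main module has no version part.
func splitModule(node string) (path, version string) {
	if i := strings.LastIndex(node, "@"); i >= 0 {
		return node[:i], node[i+1:]
	}
	return node, ""
}

// parseGraph turns `go mod graph` text into an adjacency list keyed by requirer.
func parseGraph(text string) map[string][]string {
	edges := map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		edges[fields[0]] = append(edges[fields[0]], fields[1])
	}
	return edges
}

// versionLess orders "vMAJOR.MINOR.PATCH" numerically. Pre-release suffixes are
// dropped, so this is a simplification of semver, enough for this example.
func versionLess(a, b string) bool {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < 3; i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(strings.SplitN(pa[i], "-", 2)[0])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(strings.SplitN(pb[i], "-", 2)[0])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// selectedVersion applies the core rule of minimal version selection: the build
// uses the highest version of a module path that any module in the graph requires.
func selectedVersion(edges map[string][]string, modulePath string) string {
	best := ""
	for _, reqs := range edges {
		for _, r := range reqs {
			if p, v := splitModule(r); p == modulePath && (best == "" || versionLess(best, v)) {
				best = v
			}
		}
	}
	return best
}

// requirementChains returns every path from root to any version of modulePath,
// which shows which dependency drags in a version that go.mod never names.
func requirementChains(edges map[string][]string, root, modulePath string) [][]string {
	var chains [][]string
	var walk func(node string, trail []string)
	walk = func(node string, trail []string) {
		trail = append(trail, node)
		if p, _ := splitModule(node); p == modulePath {
			chains = append(chains, append([]string(nil), trail...))
			return
		}
		for _, next := range edges[node] {
			// Module graphs can contain cycles; never revisit a node on the current trail.
			seen := false
			for _, t := range trail {
				if t == next {
					seen = true
					break
				}
			}
			if !seen {
				walk(next, trail)
			}
		}
	}
	walk(root, nil)
	sort.Slice(chains, func(i, j int) bool {
		return strings.Join(chains[i], " ") < strings.Join(chains[j], " ")
	})
	return chains
}

func main() {
	const target = "github.com/godoes/gorm-oracle" // assumed full module path
	text := sampleGraph
	if len(os.Args) > 1 && os.Args[1] == "-" { // usage: go mod graph | go run trace.go -
		b, err := io.ReadAll(os.Stdin)
		if err != nil {
			log.Fatal(err)
		}
		text = string(b)
	}
	edges := parseGraph(text)
	fmt.Printf("selected version of %s: %s\n", target, selectedVersion(edges, target))
	for _, chain := range requirementChains(edges, "example.com/app", target) {
		fmt.Println("  " + strings.Join(chain, " -> "))
	}
}
```

With the embedded sample the selected version is v1.7.0, yet one chain ends at github.com/godoes/gorm-oracle@v1.6.11 because the hypothetical example.com/legacydb requires it. On a real project, run `go mod graph | go run trace.go -` from the same workspace and Go toolchain the Jenkins job uses; note that `go list -m all` and `go mod why -m <module>` only report the selected version, so they come back clean for an unselected version even when `go mod graph` and the module cache still contain it.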