log4net@1.2.10 & Telerik.Web.UI.dll@2020.3.1021.45 (.net packages) are not reported as vulnerable.

[shriharikalessnc]

Precondition

• I have checked the issues list for existing open or closed reports of the same problem.

Describe the bug
log4net@1.2.10 & Telerik.Web.UI.dll@2020.3.1021.45 are not reported as vulnerable. Ideally it should report it as vulnerable.

Version of dependency-check used
The problem occurs using version 12.1.9 of the cli (cli, gradle plugin, maven plugin, etc.)

To Reproduce
Steps to replicate:

checked attached zip with log4net.dll and Telerik.Web.UI.dll

ScanFolder.zip

2.download cli version 12.1.9
3 extract attached zip and scan it with cli - ".\bin\dependency-check.bat --format JSON --out $ReportFileName --scan $scan --ossIndexUsername $ossIndexUsername --ossIndexPassword $ossIndexPassword --nvdDatafeed $nvdDatafeed --nvdApiKey $nvdApiKey"
$scan - provide path of attached scan folder.
4. check attached generated report Folder_2025-11-28T231733.json,

Folder_2025-11-28T231733.json

log4net@1.2.10 & Telerik.Web.UI.dll@2020.3.1021.45 are not reported as vulnerable.

The said package Telerik.Web.UI.dll@2020.3.1021.45 have one CVE - ref - https://nvd.nist.gov/vuln/detail/cve-2025-3600
Hence it should be reported as vulnerable.

The said package log4net@1.2.10 have one CVE - ref - https://nvd.nist.gov/vuln/detail/CVE-2018-1285
Hence it should be reported as vulnerable.

Expected behavior
log4net@1.2.10 & Telerik.Web.UI.dll@2020.3.1021.45 should be reported as vulnerable with CVE details

[chadlwilson]

Can you please update the title of your issues to be more specific and accurate? I don’t even know what a TPL is in this context. Please also don’t combine multiple things into a single issue unless you know the root cause is the same.

Did you check the version numbers of the Telerik library to verify it is not the same problem I described in #8140?

[shriharikalessnc]

Can you please update the title of your issues to be more specific and accurate? I don’t even know what a TPL is in this context. Please also don’t combine multiple things into a single issue unless you know the root cause is the same.

Did you check the version numbers of the Telerik library to verify it is not the same problem I described in #8140?

I have updated title.
I have checked Telerik library, it is not same problem as described in #8140 . in Telerik library case file version and product version is same i.e 2020.3.1021.45.
It looks like root cause is same for these .net libraries hence mentioned both here so it will help to find out actual root cause.

[jeremylong]

I just downloaded the provided zip and ran the following commands:

./dependency-check.sh --updateonly --nvdApiKey [redacted]
./dependency-check.sh --scan ~/Downloads/ScanFolder

The resulting HTML report contains the vulnerabilities listed above.

dependency-check-report.html

[jeremylong]

If you are still having problems - consider purging your local database and recreating it.

[chadlwilson]

Ahh thanks - I hasn't had time to try this one yet.

[chadlwilson]

A key question might be what you are setting $nvdDatafeed to in your example above. Generally if you're setting the api key you wouldn't be overriding the url....?