Describe the bug
When using dependency-check to scan a .NET Framework project, the results are very different depending on whether the packages folder is included. Many vulnerabilities are missed when the packages folder is included.
Version of dependency-check used
The problem occurs using version 11.1.1 of the cli.
To Reproduce
Steps to reproduce the behavior:
I just scanned the project twice, the first time with the packages folder, the second time just the code project folder. Here are the commands I used.
The scan reports are very different, please check:
Expected behavior
Regardless of whether the packages folder is included, I think some vulnerabilities should be reported, such as the vulnerability with System.Text.Json:8.0.1.
Additional context
Thanks
Hi @jeremylong, thanks for your reply.
Please see the screenshot below. I changed the project name to distinguish whether it contains the packages folder.
When the packages folder is included, more vulnerabilities are found. According to my understanding, it should be a containment relationship, but the results of the two scans are completely different. If so, are there some vulnerabilities that will be missed when including the packages folder?
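To check the containment question above concretely, here is an added helper (not part of this issue or of dependency-check itself) that diffs the finding sets of two dependency-check JSON reports (`--format JSON`) and lists which (package, CVE) pairs occur in only one of the two scans. It assumes only the report fields `dependencies[].fileName`, `packages[].id` and `vulnerabilities[].name`, and the embedded sample reports and CVE ids are constructed placeholders.

```python
import json
import sys

# Constructed miniature reports in the layout of dependency-check's JSON
# output ("dependencies[].fileName", "packages[].id", "vulnerabilities[].name");
# the CVE ids and Example.Lib are placeholders, not real advisories/packages.
REPORT_WITHOUT_PACKAGES = {"dependencies": [
    {"fileName": "packages.config",
     "packages": [{"id": "pkg:nuget/System.Text.Json@8.0.1"}],
     "vulnerabilities": [{"name": "CVE-XXXX-0001"}, {"name": "CVE-XXXX-0002"}]},
]}
REPORT_WITH_PACKAGES = {"dependencies": [
    {"fileName": "System.Text.Json.dll",
     "packages": [{"id": "pkg:nuget/System.Text.Json@8.0.1"}],
     "vulnerabilities": [{"name": "CVE-XXXX-0001"}]},
    {"fileName": "Example.Lib.dll",
     "packages": [{"id": "pkg:nuget/Example.Lib@1.0.0"}],
     "vulnerabilities": [{"name": "CVE-XXXX-0003"}]},
]}


def load_report(path):
    """Read a dependency-check JSON report produced with --format JSON."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def finding_set(report):
    """Collect {(package id, CVE)} pairs. Falls back to the file name when a
    dependency carries no package identifier, so findings on a bare assembly
    and on the packages.config entry for the same package still line up."""
    found = set()
    for dep in report.get("dependencies", []):
        ids = [p["id"] for p in dep.get("packages", [])] or [dep.get("fileName", "?")]
        for vuln in dep.get("vulnerabilities") or []:
            for pkg in ids:
                found.add((pkg, vuln["name"]))
    return found


def compare_reports(narrow, wide):
    """Return (only_in_narrow, only_in_wide). If the wider scan were a
    superset of the narrower one, only_in_narrow would be empty."""
    a, b = finding_set(narrow), finding_set(wide)
    return a - b, b - a


if __name__ == "__main__":
    left, right = (load_report(p) for p in sys.argv[1:3])
    labels = ("missing from wide scan", "missing from narrow scan")
    for label, diff in zip(labels, compare_reports(left, right)):
        print(f"{label}: {len(diff)}")
        for pkg, cve in sorted(diff):
            print(f"  {pkg}  {cve}")
```

Run it as `python compare.py report-without-packages.json report-with-packages.json`; a non-empty "missing from wide scan" list is exactly the set of findings lost by including the packages folder.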
Log file
The reports and logs of the two scans are here: report-and-log (2).zip
Here is my test code:
Test4DC.zip