- New Feature
- Resolution: Unresolved
- Trivial
- None
I am logging this as a "New Feature" based on the guide presented on the jenkins.io site, but feel free to move it as appropriate. I've also worded it as a question, because I am happy with the conclusion of this Jira being an answer of "No". It's more that I want to understand if the functionality is working as intended.
Currently, the dependency-check-jenkins-plugin supports RiskGate thresholds to make the build unstable or failed based on total findings and new findings. However, it appears in practice that the new findings are strictly based on the previous build, regardless of its status. This means that if a build fails because of the new findings threshold, then a subsequent build passes.
This seems undesirable from a functionality perspective. I would think one would expect the new findings threshold to be based on the last successful build. This would ensure that the behavior is consistent assuming the same previous successful build.
However, it could be that the intention is to always use the previous build even if it was failed which is why I wanted to ask the question.
I didn't see any previous Jira issues discussing if this was intended or not. I observed this behavior in practice, and it also seems to be behaving as coded looking at this line (which returns the previous build regardless of status):
So unless I've configured something incorrectly or used it wrong, it does appear that the current behavior is to check the previous (any status) build. Any thoughts on this would be appreciated. Thank you.
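To make the two baseline choices concrete, here is an added Python model of the new-findings gate; it is not the plugin's code, and the Build class, the "fail when the new count reaches the threshold" comparison and the sample finding ids are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed model of the RiskGate "new findings" check; not plugin code.
# A finding is identified by (dependency, vulnerability id).
Finding = Tuple[str, str]


@dataclass
class Build:
    number: int
    findings: FrozenSet[Finding]
    result: str = "SUCCESS"  # "SUCCESS" or "FAILURE"


def pick_baseline(history: List[Build], mode: str) -> Optional[Build]:
    """mode="previous": last build of any status (the behaviour the issue observes).
    mode="last_successful": most recent build whose result was SUCCESS."""
    if mode == "previous":
        return history[-1] if history else None
    for build in reversed(history):
        if build.result == "SUCCESS":
            return build
    return None


def new_findings(current: FrozenSet[Finding], baseline: Optional[Build]) -> FrozenSet[Finding]:
    """Findings in the current scan that the baseline build did not already have."""
    return current if baseline is None else current - baseline.findings


def run_pipeline(scans: List[FrozenSet[Finding]], threshold: int, mode: str):
    """Replay scans through the gate; returns (build number, new count, result) per build.
    Assumption: the build fails once the new-findings count reaches the threshold."""
    history: List[Build] = []
    outcomes = []
    for number, findings in enumerate(scans, start=1):
        new = new_findings(findings, pick_baseline(history, mode))
        result = "FAILURE" if len(new) >= threshold else "SUCCESS"
        history.append(Build(number, findings, result))
        outcomes.append((number, len(new), result))
    return outcomes


# Constructed scenario: one finding appears in build 2 and is still present in build 3.
SCANS = [frozenset(), frozenset({("example-lib", "placeholder-vuln-1")}),
         frozenset({("example-lib", "placeholder-vuln-1")})]

if __name__ == "__main__":
    for mode in ("previous", "last_successful"):
        print(mode, run_pipeline(SCANS, 1, mode))
```

With the "previous" baseline, build 3 passes even though nothing was fixed; with the "last_successful" baseline it keeps failing until the finding is resolved or a build succeeds.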