How do I know if it is a false positive? #4375

Closed
lako12 opened this issue Apr 15, 2022 · 14 comments
Labels: question

lako12 commented Apr 15, 2022

Hello,

I have recently started using dependency-check.

I don't understand how I can see if a dependency is a false positive.
I've seen a lot of issues but I can't interpret them. What does the response from the bot mean by the maven dependency and the reference to a test result?
If the test result is success, does this mean it is a false positive?

Thanks

@lako12 lako12 added the question label Apr 15, 2022

aikebah (Collaborator) commented Apr 15, 2022

The results of the bot are just a help for inclusion of the false-positive into our suppressions. It is not a judgement on the validity (if the automation could decide on that we would have coded DependencyCheck differently to take the same evaluation into account).

To identify whether a hit by dependency-check is a false-positive or not you need to evaluate the evidence and identifiers provided.

Most of the reported false positives fall into the category 'dependency-check clearly linked the library to some totally different piece of software (CPE)' so that the false-positive is obvious.
In other, less obvious cases libraries may have similar names that would necessitate more investigation whether it's a misidentification or a valid identification. Both would be suppressed with a CPE-suppression.

Another kind of false positives (which requires more detailed insight in the library structure of a project) are vulnerabilities which apply to a set of libraries jointly identified with a single identifier (CPE) in the vulnerability dataset of the NIST NVD, but are known to apply only to a specific sublibrary that you don't depend on (for example: a CVE is in the server-side library and you only depend on the client-side library).
These you would suppress on a vulnerability-suppression (cve, cwe or vulnerabilityName) so that you avoid suppressing other vulnerabilities registered on the same CPE that actually do apply to the library you depend on.

All of these require some research and real judgement. Often starting off from the marked software (CPE) and the other references in the report.

See also How to read the report in our documentation.

lako12 (Author) commented Apr 15, 2022

@aikebah So if I believe a dependency is a false-positive, should I open an issue and you will verify if it really is?
How do I know if the outcome of my report is positive or negative?
If the outcome is positive then in a later version that dependency will not be reported in the report?

Thanks

aikebah (Collaborator) commented Apr 15, 2022

If you believe that a vulnerability is a false positive and the library is an open and freely available library (private/proprietary libraries are typically up to the users to include in their own suppression file) you can file a FP report and me or one of the other maintainers will judge whether we agree and then either fix that false positive, or provide feedback in the ticket why we don't agree.
When the outcome is positive the ticket will be closed when the fix enters the main branch. It will then no longer be reported in the report starting with the first version of dependency-check published after closing the ticket (typically the version in which it will be fixed will be indicated in the milestone of the ticket upon closure)

lako12 (Author) commented Apr 15, 2022

Perfect! Thank you very much! All very clear.

jeremylong (Owner) commented

Also note - many users of dependency-check keep their own suppression list rather than wait for suppressions to be built into the core project.

areguru commented Apr 22, 2022

We handle those by checking whether the component is flagged as vulnerable in Sonatype OSS Index, which is as far as I know the most up-to-date source for this:
https://ossindex.sonatype.org/

For instance today we got the following error:

One or more dependencies were identified with known vulnerabilities in ...:
spring-session-core-2.6.1.jar (pkg:maven/org.springframework.session/spring-session-core@2.6.1, cpe:2.3:a:vmware:spring_framework:2.6.1:*:*:*:*:*:*:*) : CVE-2022-22965

This version of spring-session-core does not have any vulnerabilities:
https://ossindex.sonatype.org/component/pkg:maven/org.springframework.session/spring-session-core

You can also see that the cpe specifies spring_framework:2.6.1, which is not the same as spring-session-core, which explains the false positive error.

We would then have to make a new suppress-element in src/main/maven/dependency-check-suppression.xml
to suppress the warnings.
Then it would be nice to post the bug here if nobody else has done so.

You should also read the CVE-description which will also tell you that it is a false positive warning.

The local suppression element today as an example:

  <suppress>
    <notes><![CDATA[
      2022-04-22 <reference to jira-issue to do 'paper trail'>
      Small featured
    ]]></notes>
    <cpe>cpe:2.3:a:vmware:spring_framework:2.6.1:*:*:*:*:*:*:*</cpe>
    <cve>CVE-2022-22965</cve>
  </suppress>

This is a bit lazy, taking the cpe and CVE in the false positive, and it's important to note that this is only safe because we use version 5.3.19 of org.springframework-components.
CVE-2022-22965 is a serious vulnerability for springframework versions < 5.3.18!
https://help.sonatype.com/docs/important-announcements/find-and-fix-springshell

If somebody reading this knows best practice for a suppression-case like this please comment.

Since suppressing an error like this is fairly serious if you make an error, we always make a local jira-issue as reference, and perform a Pull Request before merging this into production. This also makes it easier to remove the entry later. Dependency-check will probably fix this error in time and we will move on with different versions.

Then you should test that this works by running something like this command-line, depending on your local configuration:
mvn -Duse-dependency-check-maven dependency-check:check

aikebah (Collaborator) commented Apr 22, 2022

@areguru You don't want to use the suppression that you mention as there is no guard under which conditions you would want to suppress the FP - which means the suppression is ALWAYS applied, even when the CVE is a true positive (or the CPE the proper match).

With what you propose

  <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-beans</artifactId>
    <version>5.3.16</version>
  </dependency>

for a dependency will not yield CVE-2022-22965 as a vulnerability.
You don't want to build your suppressions in a way that assumes the Spring-framework is in an up-to-date version beyond the fix of a suppressed vulnerability.

areguru commented Apr 23, 2022

@aikebah Yes, I agree, and that is what I wrote:

This is a bit lazy, taking the cpe and CVE in the false positive, and it's important to note that this is only safe because we use version 5.3.19 of org.springframework-components.
...
If somebody reading this knows best practice for a suppression-case like this please comment.

So what would be the right suppression? It's easy and lazy to do the example, but what I really would want to express is that
a transitive dependency of org.springframework.session:spring-session-data-redis:jar:2.6.1 or higher should never trigger CVE-2022-22965

aikebah (Collaborator) commented Apr 23, 2022

@areguru The clean way is along the way that multiple false-positive Spring libraries get fixed in 7.1.0 for their incorrect linking to Spring-framework (as they are from other projects than the core framework itself, which get different CPEs):

  <suppress>
    <notes><![CDATA[
      Spring-framework modules always have groupId org.springframework with no further extension, so suppress the spring_framework CPE on other Spring trees
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework\..*$</packageUrl>
    <cpe>cpe:/a:springsource:spring_framework</cpe>
    <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
    <cpe>cpe:/a:vmware:spring_framework</cpe>
  </suppress>

The crucial part of it is finding a fitting packageUrl which will not trigger suppressions on true-positives (which is something you definitely want to avoid as it would result in a false-negative, which can be considered worse than a false positive as you would assume to not be vulnerable while in fact you are)

In the case of Spring scope that was easy, as the core framework libraries always use org.springframework groupId and other spring projects have org.springframework.<something> as the groupId. So if there is a dot after the org.springframework part of the groupId this is for certain not part of the framework itself and therefore not subject to the vulnerabilities quoted in NVD data for the Spring framework.

Note that you can not assert that 'transitive dependencies of one specific library version x or above' are not vulnerable to a certain CVE as you can never tell what transitive dependencies will emerge over time. You can only assert that certain libraries are not affected by a CVE.
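To make the difference between areguru's cpe+cve rule above and the packageUrl-guarded rule in this comment concrete, here is an added Python illustration (not DependencyCheck's own code) that models, under my assumed simplification of how a suppress rule is applied, what each rule leaves in the report for the spring-session-core false positive and for a genuinely vulnerable spring-beans 5.3.16; the NVD data and the findings are constructed.

```python
import re

# Constructed stand-in for the NVD data discussed in the thread: CVE-2022-22965 is
# registered on the spring_framework CPE for every version below 5.3.18.
def nvd_cves(cpe: str) -> set:
    product, version = cpe.split(":")[4:6]
    parts = tuple(int(x) for x in version.split("."))
    return {"CVE-2022-22965"} if product == "spring_framework" and parts < (5, 3, 18) else set()

def _prefix23(value: str) -> str:
    """A <cpe> value may be a 2.2 URI (cpe:/a:vendor:product) or a 2.3 string; compare as 2.3 prefix."""
    return "cpe:2.3:" + value[5:] if value.startswith("cpe:/") else value

def scan(purl: str, guessed_cpes: set, rules: list) -> set:
    """Simplified model (my assumption, not the project's code) of how a suppress rule acts:
    1. its packageUrl regex selects dependencies; a rule without any selector applies to ALL;
    2. its <cpe> entries strip matching identifiers before vulnerabilities are looked up;
    3. its <cve> entries strip those vulnerabilities from every selected dependency.
    Returns the CVEs that would still be reported for the dependency."""
    selected = [r for r in rules if "packageUrl" not in r or re.match(r["packageUrl"], purl)]
    cpes = {c for c in guessed_cpes
            if not any(c.startswith(_prefix23(p)) for r in selected for p in r.get("cpe", ()))}
    cves = set().union(*(nvd_cves(c) for c in cpes))
    return cves - {v for r in selected for v in r.get("cve", ())}

# areguru's rule: no dependency selector, just the CPE and the CVE of the false positive.
LAZY = [{"cpe": ["cpe:2.3:a:vmware:spring_framework:2.6.1:*:*:*:*:*:*:*"],
         "cve": ["CVE-2022-22965"]}]
# aikebah's rule: only purls with a dot after org.springframework lose the spring_framework CPE.
CLEAN = [{"packageUrl": r"^pkg:maven/org\.springframework\..*$",
          "cpe": ["cpe:/a:springsource:spring_framework",
                  "cpe:/a:pivotal_software:spring_framework",
                  "cpe:/a:vmware:spring_framework"]}]

# Constructed findings: the false positive from the thread and a genuinely vulnerable spring-beans.
SESSION = ("pkg:maven/org.springframework.session/spring-session-core@2.6.1",
           {"cpe:2.3:a:vmware:spring_framework:2.6.1:*:*:*:*:*:*:*"})
BEANS = ("pkg:maven/org.springframework/spring-beans@5.3.16",
         {"cpe:2.3:a:vmware:spring_framework:5.3.16:*:*:*:*:*:*:*"})

if __name__ == "__main__":
    for name, rules in (("lazy", LAZY), ("clean", CLEAN)):
        for purl, cpes in (SESSION, BEANS):
            print(f"{name:5} {purl}: {sorted(scan(purl, cpes, rules)) or 'nothing reported'}")
```

The lazy rule silences CVE-2022-22965 on spring-beans 5.3.16 as well (a false negative), while the guarded rule leaves that true positive in the report and only drops the misattributed CPE from spring-session-core.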

mehradn7 commented

@aikebah Thank you for these clear explanations, they really help.
What if there is no CPE for org.springframework.<something> in the NVD data? Can you guarantee that all packageUrls suppressed this way have an associated existing CPE?

aikebah (Collaborator) commented May 4, 2022

Based on Spring's project naming, libraries with a groupId of org.springframework.<something> will be something else than the kernel of spring-framework and therefore it will be considered by NIST a different product, which gets its own product name in the CPE

mehradn7 commented May 6, 2022

@aikebah I have just run a Dependency-Check CLI analysis (v7.1.0), the org.springframework.plugin dependencies are actually not associated anymore with the spring_framework CPE, however they are not associated with any CPE at all:

[image]

So if a vulnerability on spring-plugin-core appears tomorrow, does it mean that it will not be detected by Dependency-Check because there is no associated CPE entry in the NVD database?

aikebah (Collaborator) commented

@mehradn7 If a vulnerability is found in one of the org.springframework.plugin projects the NIST NVD will allocate a CPE that can be expected to include the 'plugin' phrase which is highly expected to trigger the CPE guessing logic in DependencyCheck to associate it with the library. Guarantees can not be given (see also the documentation on False negatives), but for this specific case it is very likely to be associated as the CPE will likely include spring/springframework and plugin.
That it is currently not associated to any is because there is no sufficiently fitting CPE in the CPEs currently in the vulnerability datastreams of the NVD.

mehradn7 commented May 6, 2022

Thanks for the reply. I hope in such a case NIST NVD will be reactive to create an associated CPE.

@jeremylong jeremylong closed this as completed Jun 28, 2022