How do I know if it is a false positive? #4375
The results of the bot are just a help for inclusion of the false-positive into our suppressions. It is not a judgement on the validity (if the automation could decide on that we would have coded DependencyCheck differently to take the same evaluation into account). To identify whether a hit by dependency-check is a false-positive or not you need to evaluate the evidence and identifiers provided. Most of the reported false positives fall into the category 'dependency-check clearly linked the library to some totally different piece of software (CPE)' so that the false-positive is obvious. Other kinds of false positives (which require more detailed insight into the library structure of a project) are vulnerabilities which apply to a set of libraries jointly identified with a single identifier (CPE) in the vulnerability database of the NIST NVD, but are known to apply only to a specific sublibrary that you don't depend on (for example: a CVE is in the server-side library and you only depend on the client-side library). All of these require some research and real judgement, often starting off from the marked software (CPE) and the other references in the report. See also How to read the report in our documentation.
@aikebah So if I believe a dependency is a false-positive, should I open an issue and you will verify if it really is? Thanks
If you believe that a vulnerability is a false positive and the library is an open and freely available library (private/proprietary libraries are typically up to the users to include in their own suppression file) you can file a FP report and me or one of the other maintainers will judge whether we agree and then either fix that false positive, or provide feedback in the ticket why we don't agree.
Perfect! Thank you very much! All very clear.
Also note - many users of dependency-check hold their own suppression list rather than wait for suppressions to be built into the core product.
We handle those by checking whether the component is flagged as vulnerable in sonatype oss-index, which is as far as I know the most up-to-date source for this. For instance today we got the following error:
This version of spring-session-core does not have any vulnerabilities. You can also see that the cpe specifies spring_framework:2.6.1, which is not the same as spring-session-core, which explains the false positive error. We will then have to make a new suppress-element in
You should also read the CVE description, which will also tell you that it is a false positive warning. The local suppression element today looks like this, as an example:
This is a bit lazy, taking the cpe and CVE from the false positive, and it's important to note that this is only safe since we use version 5.3.19 of the org.springframework components. If somebody reading this knows best practice for a suppression case like this, please comment. Since suppressing an error like this is fairly serious if you make a mistake, we always make a local jira issue as reference, and perform a Pull Request before merging this into production. This also makes it easier to remove the entry later. Dependency-check will probably fix this error in time and we will move on with different versions. Then you should test that this works by running something like this command line, depending on your local configuration:
@areguru You don't want to use the suppression that you mention as there is no guard under which conditions you would want to suppress the FP - which means the suppression is ALWAYS applied, even when the CVE is a true positive (or the CPE the proper match). With what you propose
for a dependency will not yield CVE-2022-22965 as a vulnerability.
@aikebah Yes, I agree, and that is why I wrote:
So what would be the right suppression? It's easy and lazy to do the example, but what I really would want to express is that
@areguru The clean way is along the way that multiple false-positive Spring libraries get fixed in 7.1.0 for their incorrect linking to Spring Framework (as they are from other projects than the core framework itself, which get different CPEs):
The crucial part of it is finding a fitting packageUrl which will not trigger suppressions on true positives (which is something you definitely want to avoid as it would result in a false negative, which can be considered worse than a false positive as you would assume to not be vulnerable while in fact you are). In the case of Spring scope that was easy, as the core framework libraries always use
Note that you can not assert that 'transitive dependencies of a specific library version x or above' are not vulnerable to a certain CVE as you can never tell what transitive dependencies will emerge over time. You can only assert that certain libraries are not affected by a CVE.
@aikebah Thank you for your clear explanations, they really help.
Based on Spring's project naming, libraries with a groupId of
@aikebah I have just run a Dependency-Check CLI analysis (v7.1.0); the org.springframework.plugin dependencies are indeed not associated anymore with the spring_framework CPE, however they are not associated with any CPE at all. So if a vulnerability in spring-plugin-core appears tomorrow, does that mean it will not be detected by Dependency-Check because there is no associated CPE entry in the NVD database?
@mehradn7 If a vulnerability is found in one of the org.springframework.plugin projects the NIST NVD will allocate a CPE that can be expected to include the 'plugin' phrase, which is highly likely to trigger the CPE guessing logic in DependencyCheck to associate it with the library. Guarantees can not be given (see also the documentation on False negatives), but for this specific case it is very likely to be associated as the CPE will likely include spring/springframework and plugin.
Thanks for the reply. I hope in such a case NIST NVD will be reactive in creating an associated CPE.
Hello,
I have recently started using dependency-check.
I don't understand how I see if a dependency is a false positive.
I've seen a lot of issues but I can't interpret them. What does the response from the bot mean by the maven dependency and the reference to a test result?
If the test result is success, does this mean it is a false positive?
Thanks