DependencyCheck: Several false positives with version 4.0.1
This is a continuation of #1580 with version 4.0.1. Even though the number of false positives has been reduced, there are still several false positives left, e.g.:
javax.annotation-api-1.2.jar: ids:(cpe:/a:oracle:glassfish:1.2, javax.annotation:javax.annotation-api:1.2) : CVE-2013-2566, CVE-2015-2808
jersey-apache-client4-1.19.1.jar: ids:(cpe:/a:oracle:oracle_client:1.19.1, com.sun.jersey.contribs:jersey-apache-client4:1.19.1) : CVE-2006-0550
Simply incrementing the filter score to 30 is no proper solution. You will end up with several more false positives with the new version compared to version 3.3.4 (as you can already see from the list of issues created in recent days). And even more important: as the score of searches can't be predicted in any way (it might be 5 or one million), you might even end up with false negatives, which would be even worse.
About this issue
- State: closed
- Created 6 years ago
- Comments: 16 (7 by maintainers)
@jeremylong I've been using dependency-check for about a year now and I really appreciate the work on this project. I'm familiar with the solution to suppress false positives and that they may appear. Nevertheless, my feeling is that with the current solution (after updating the Lucene version and adapting the filter score) the situation has worsened by a factor X (in both ways: false positives and false negatives) and I'm wondering whether there is a better solution to this. I've thought about it over the last couple of days and I'm wondering whether it's possible to kind of "disable" the build break for identifiers with a "low" confidence, because at least for me the false positives only happened for these. So instead of breaking the build for all vulnerabilities, it should only print a warning for those with a "low confidence". What do you think about that? Do you have "real world" situations where only the low-confidence identifiers match the real vulnerabilities? I think I will try that solution with a patch and get back to you with the results once I'm done.
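As an added illustration of the suppression approach mentioned in the comment above, applied to the two matches listed in the issue body (this file is not from the dependency-check project or from anyone in the thread): each entry pins the suppression to the artifact via its Maven coordinates and removes only the mis-assigned CPE, not the CVE numbers. That distinction matters for a scanner: suppressing `cpe:/a:oracle:glassfish` on `javax.annotation-api` keeps every CVE that is genuinely tied to a correct CPE on that jar, whereas suppressing CVE-2013-2566 or CVE-2015-2808 outright would hide them even if a later, correct match appeared. The `notes` text, the file name `suppressions.xml` and the choice of the 1.1 suppression schema are assumptions for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- suppressions.xml (constructed example): suppress the wrong CPE, keep the CVE data -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

    <!-- javax.annotation-api was matched to GlassFish; the jar is not the GlassFish server -->
    <suppress>
        <notes><![CDATA[
        False positive: javax.annotation:javax.annotation-api is the annotation API jar,
        not the Oracle GlassFish server that cpe:/a:oracle:glassfish describes.
        Reviewed in issue (link to this ticket) - re-check when upgrading dependency-check.
        ]]></notes>
        <!-- regex on the GAV so the suppression survives a version bump of the artifact -->
        <gav regex="true">^javax\.annotation:javax\.annotation-api:.*$</gav>
        <cpe>cpe:/a:oracle:glassfish</cpe>
    </suppress>

    <!-- jersey-apache-client4 was matched to the Oracle database client -->
    <suppress>
        <notes><![CDATA[
        False positive: com.sun.jersey.contribs:jersey-apache-client4 is a Jersey HTTP
        client module, not cpe:/a:oracle:oracle_client.
        ]]></notes>
        <gav regex="true">^com\.sun\.jersey\.contribs:jersey-apache-client4:.*$</gav>
        <cpe>cpe:/a:oracle:oracle_client</cpe>
    </suppress>

</suppressions>
```

The file is passed to the command-line scanner with `--suppression suppressions.xml` (or the equivalent `suppressionFile` setting of the Maven and Gradle plugins). Because each entry names the artifact and the single bad CPE, a re-run after a dependency-check upgrade will still report any new identifier the analyzer assigns to these jars, which is the check a reviewer wants: the suppression records a decision about one known mismatch rather than silencing the dependency.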