I'm seeing a change in behavior for the DC 2.1.1 release:
More Jars are reported as false positives than before the release: e.g.:
See https://gist.github.com/albuch/b9b080cf8d07c528c89b38aa9abb2790 for full report.
The issue occurs when running sbt-dependency-check on itself with dependency-check-core updated to v2.1.1 (for reference: https://github.com/albuch/sbt-dependency-check/pull/28).
@jeremylong do you have any idea why these are newly reported as false positives?
One of my projects got false positives for CVE-2016-0749 after upgrading from 2.1.0 to 2.1.1:
[ERROR] lombok-1.16.18.jar: CVE-2016-0749
[ERROR] plexus-build-api-0.0.7.jar: CVE-2016-0749
Looks like CVE-2015-2808 and CVE-2013-2566 are also reported for javax.servlet-api-3.1.0.jar.
I note that the output for the JavaMail JAR indicates that the dependency checker thinks it's associated with mail_project, which is the Ruby gem.
I'm not sure whether it's related, but the central analyzer also seems much slower in 2.1.1. v2.1.0 took about 15 seconds on my project, but 2.1.1 takes nearly two minutes. Is there a more aggressive pattern-matching approach in 2.1.1?
I'll look into this as soon as I've gotten the database branch to build on travis...
FWIW, some (more) false positives:
Filename: lombok-1.16.18.jar | Reference: CVE-2016-0749 | CVSS Score: 10.0 | Category: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer | The smartcard interaction in SPICE allows remote attackers to cause a denial of service (QEMU-KVM process crash) or possibly execute arbitrary code via vectors related to connecting to a guest VM, which triggers a heap-based buffer overflow.
Filename: lombok-1.16.18.jar | Reference: CVE-2016-2150 | CVSS Score: 3.6 | Category: CWE-284 Improper Access Control | SPICE allows local guest OS users to read from or write to arbitrary host memory locations via crafted primary surface parameters, a similar issue to CVE-2015-5261.
@ThrawnCA regarding the central analyzer - as best I can tell, there are problems with the API from Central.
These FP have been fixed in the base and will be included in the 3.0.0 release.
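For anyone stuck on 2.1.1 until 3.0.0 ships, the usual interim mitigation is a dependency-check suppression file that pins the mismatch to the specific artifact and CVE, so the rule cannot hide a real finding in another JAR. This is an added example, not something from the thread or the project; the Maven coordinates used in the regexes (org.projectlombok:lombok, org.sonatype.plexus:plexus-build-api) and the file name are assumed, so adjust them to your build.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file (e.g. dependency-check-suppressions.xml), not from the thread.
     Each <suppress> is scoped to one artifact (by GAV regex) AND one CVE, so it only
     silences the specific SPICE misattribution reported above and nothing else. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <suppress>
    <notes><![CDATA[
      False positive: lombok is matched to the SPICE product (CVE-2016-0749, CVE-2016-2150).
      Reported against dependency-check 2.1.1; re-check and drop this entry after upgrading to 3.0.0.
    ]]></notes>
    <!-- assumed coordinates for the lombok JAR -->
    <gav regex="true">^org\.projectlombok:lombok:.*$</gav>
    <cve>CVE-2016-0749</cve>
    <cve>CVE-2016-2150</cve>
  </suppress>

  <suppress>
    <notes><![CDATA[
      False positive: plexus-build-api is matched to the SPICE product (CVE-2016-0749).
      Reported against dependency-check 2.1.1; re-check and drop this entry after upgrading to 3.0.0.
    ]]></notes>
    <!-- assumed coordinates for the plexus-build-api JAR -->
    <gav regex="true">^org\.sonatype\.plexus:plexus-build-api:.*$</gav>
    <cve>CVE-2016-0749</cve>
  </suppress>

</suppressions>
```

Point the scanner at the file (for the CLI, `--suppression <path>`; the Maven plugin and sbt-dependency-check expose the same setting under their own configuration keys), and keep the notes dated so the entries get reviewed rather than becoming permanent blind spots.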