Hi Jeremy / all,
thanks for the work on this project!
I wonder why it is so often subject to false positives. It seems a paradoxical situation, given that you belong to OWASP, so one could imagine that differences in formats etc. would eventually get solved.
I realise that this is probably a FAQ. You could add that FAQ to the README. Perhaps if the problem is explained, someone can come up with a solution which would improve the situation.
Cheers - Victor
If using version 4.x - yes, the FP count went up. The 4.x release was rushed and not anticipated because the project used known vulnerable components in 3.x - and we had to do a major release because we moved the minimum version of Java to 8.
That being said, the team has been working on updating the matching algorithms to reduce the number of false positives - back to the 3.x range (or possibly better). I anticipate releasing the 5.0.0-M1 (i.e. milestone 1) release soon. I wouldn't call the 5.0 branch finished when this happens, as we are going to continue to make breaking changes prior to the final release of 5.0.0.
Also, at the top of every HTML report are links to how to read the report and how to suppress false positives. In general, ODC will have FPs due to how the tool works. However, you can go through a simple on-boarding process and create a suppression file for the application (or possibly the organization).
This should be resolved with 5.0.0.
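The suppression file mentioned above, as an added illustration that is not part of this thread or of the Dependency-Check project's own files: it uses the project's published suppression schema (version 1.3 namespace) and shows the two most common ways to silence a false positive, by the exact SHA-1 of a scanned file and by a Maven coordinate pattern. The coordinates, the hash and the CPE below are constructed placeholders, not real artifacts.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file for OWASP Dependency-Check (added example, not project code). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- 1. Pin the suppression to one specific file by its SHA-1 and drop only the
            mis-matched CPE. Scoping to a hash means a future version of the library
            is re-evaluated instead of being silently ignored.
            The hash below is a constructed placeholder, not a real artifact. -->
    <suppress>
        <notes><![CDATA[
        file name: example-lib-1.2.3.jar (constructed example)
        Reason: the "example_product" CPE matched on the artifact name only; the
        library does not embed that product. Reviewed by <team>, ticket <tracker-id>.
        ]]></notes>
        <sha1>0123456789abcdef0123456789abcdef01234567</sha1>
        <cpe>cpe:/a:example_vendor:example_product</cpe>
    </suppress>

    <!-- 2. Match all versions of one Maven coordinate with a regex on the GAV and
            set an expiry so the decision is revisited rather than forgotten.
            After the "until" date the finding reappears in the report. -->
    <suppress until="2030-01-01">
        <notes><![CDATA[
        Reason: the vendor field of the CPE is wrong for com.example:example-lib
        (constructed coordinate); re-check when the matching algorithm changes.
        ]]></notes>
        <gav regex="true">^com\.example:example-lib:.*$</gav>
        <cpe>cpe:/a:example_vendor:example_product</cpe>
    </suppress>

</suppressions>
```

Keep the file next to the build so it is reviewed with the code, prefer the SHA-1 or a tightly scoped GAV over broad patterns, and record the reason for each entry in `notes` so a later reader can tell a verified false positive from a finding that was merely inconvenient. With the command-line scanner the file is passed via the `--suppression` option.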