<vulnerableSoftware>
<software allPreviousVersion="true">cpe:/a:mariadb:mariadb:5.5.34</software>
<software>cpe:/a:mysql:mysql</software>
</vulnerableSoftware>
This is identical to what can be seen at the website of the NIST NVD itself:
Where mariadb has a ‘last vulnerable version’ listed and mysql is listed with wildcard version info, which is another way of documenting ‘to the best of our knowledge this vulnerability applies to all (past, current and future) mysql versions’. Given the NVD entry for CVE-2014-0001, flagging mysql 6.0.6 as vulnerable is the proper behavior for DependencyCheck.
CVE-2012-5627 - again listed for mysql without version numbers by NIST NVD
Status for mysql is unclear to me; on the Fedora bugtracker it looks like Oracle won’t fix it and Red Hat did not consider it sufficiently serious to create a patch themselves (https://bugzilla.redhat.com/show_bug.cgi?id=883719). Searching for an Oracle CPU statement with this CVE yields no results. In the wording of the issue description, however, it appears as if both mysql and mariadb have been fixed for this issue.
CVE-2008-4098 - alongside specific versions they still left the wildcard version as well, so according to the data in the NVD ‘in addition to the specifically mentioned versions all other versions of mysql are also vulnerable’
No Oracle CPU entry that I could find for this one, but I could find listings at "https://linux.oracle.com/pls/apex/f?p=130:21:::NO:RP::" (search for CVE-2008-4098) that indicate that it was patched and that this issue is present only for the versions of MySql prior to 5.0.67 (which corresponds with the last item in NIST NVD’s list: "cpe:2.3:a:mysql:mysql:5.0.51b:*:*:*:*:*:*:* and previous versions")
CVE-2008-0226 - again listed for mysql without version numbers by NIST NVD
Issue appears to be fixed in 5.0.67 / 5.1.23, as can still be found in the archived release notes.
So end-result: all appear to be FPs caused by outdated metadata on the CVEs in the NIST NVD. Until NIST updates their database to correctly list the affected versions of MySQL, you can suppress them with a suppression file.
CC-ing NIST NVD to notify them of these errors in their data.
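
A suppression file for the four CVEs discussed above could look like the following. This is an added example, not part of the original message or of the DependencyCheck project. It assumes the flagged dependency is the Maven artifact mysql:mysql-connector-java 6.0.6 (the message only says "mysql 6.0.6"), and the expiry date is a constructed placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!--
    Assumption: the scanned jar resolves to pkg:maven/mysql/mysql-connector-java@6.0.6.
    Adjust the packageUrl to the identifier shown in your own report.
  -->
  <!-- "until" makes the suppression expire, so the finding reappears and is
       re-evaluated once the NVD data may have been corrected.
       The date is a constructed placeholder. -->
  <suppress until="2030-01-01Z">
    <notes><![CDATA[
      NVD lists cpe:/a:mysql:mysql without version bounds for these CVEs,
      so every mysql version is matched. Treated as false positives for
      this artifact until the NVD entries carry affected-version data.
    ]]></notes>
    <!-- Scope the suppression to one exact artifact version rather than
         to the whole cpe:/a:mysql:mysql identifier. -->
    <packageUrl regex="true">^pkg:maven/mysql/mysql\-connector\-java@6\.0\.6$</packageUrl>
    <!-- Only the CVEs reviewed in this thread; anything new on the same
         CPE is still reported. -->
    <cve>CVE-2014-0001</cve>
    <cve>CVE-2012-5627</cve>
    <cve>CVE-2008-4098</cve>
    <cve>CVE-2008-0226</cve>
  </suppress>
</suppressions>
```

Listing the individual CVEs instead of suppressing the CPE keeps later vulnerabilities published against cpe:/a:mysql:mysql visible in the report.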