Matching mechanism


Raoul Gheletus

Oct 8, 2015, 1:45:04 PM10/8/15
to dependen...@googlegroups.com

Hello guys,

I am using the tool from the CLI and my concern is that it provides a lot of false positives.

For example, my application uses mina-filter-ssl-1.1.7.jar and the tool identifies a vulnerability (CVE-2004-0009) that refers to Apache-SSL.

Could you please help me in making the match with the NVD more “strict” (somehow to put a certain library in the report only if the names are very similar)?

Thank you,

Raoul



Jeremy Long

Oct 9, 2015, 6:55:00 AM10/9/15
to Raoul Gheletus, dependen...@googlegroups.com
Raoul,

Unfortunately, if the matching is restricted too much then you end up with false negatives (i.e. vulnerable libraries that are not reported). I would suggest reading: How dependency-check works, How to Read the Report, and Suppressing False Positives.

The short answer is the tool does fuzzy matching based on textual information obtained from the scanned file. There is a fairly simple onboarding process to build a suppression file that can be used during future scans. This is generally a one-time setup cost. In addition to creating a local suppression file, the team would appreciate it if you posted false positives to the issue list on GitHub.

Alternatively, there are commercial tools in this space - SRC:CLR, Sonatype, BlackDuck, Synopsys AppCheck (formerly Codenomicon's AppCheck), etc.

Best Regards,

Jeremy
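Jeremy's reply makes the point that the fix for a fuzzy match is a scoped suppression, not a stricter matcher that would also hide real findings. The Python below is an added example, not code from this thread or from dependency-check itself: it models how a suppression file in dependency-check's XML format is applied to scan findings, using Raoul's mina-filter-ssl / CVE-2004-0009 case. The schema namespace URL, the CPE value `cpe:/a:apache:apache-ssl`, the placeholder CVE id `CVE-0000-0000`, the SHA-1 values (computed from constructed bytes) and the simplified matching semantics (filePath exact or regex, sha1 exact, cve exact, cpe starts-with or regex) are assumptions made for the example, not taken from the project.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Namespace of the dependency-check suppression schema current when this thread
# was written (assumed; check the schema URL in the project's documentation).
DC_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd"
NS = {"dc": DC_NS}

# SHA-1s of constructed stand-ins for the jars; for a real file the hash comes
# from the report or from `sha1sum`.
MINA_JAR_SHA1 = hashlib.sha1(b"stand-in bytes for mina-filter-ssl-1.1.7.jar").hexdigest()
OTHER_JAR_SHA1 = hashlib.sha1(b"stand-in bytes for another jar").hexdigest()

# Constructed suppression file in dependency-check's XML format. Rule 1 removes
# one CVE for one file-name pattern. Rule 2 removes the whole Apache-SSL CPE
# identification, but only for the exact artifact pinned by its SHA-1.
# (cpe:/a:apache:apache-ssl is a constructed CPE value, not looked up in NVD.)
SUPPRESSIONS_XML = rf"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="{DC_NS}">
  <suppress>
    <notes><![CDATA[ mina-filter-ssl is matched to Apache-SSL only because both names contain "ssl". ]]></notes>
    <filePath regex="true">.*mina-filter-ssl-[0-9.]+\.jar</filePath>
    <cve>CVE-2004-0009</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ Pin by hash: the Apache-SSL CPE is wrong for this exact artifact. ]]></notes>
    <sha1>{MINA_JAR_SHA1}</sha1>
    <cpe>cpe:/a:apache:apache-ssl</cpe>
  </suppress>
</suppressions>
"""


@dataclass(frozen=True)
class Finding:
    file_path: str  # where the scanner found the dependency
    sha1: str       # hex SHA-1 of that file
    cpe: str        # the CPE the fuzzy matcher assigned to it
    cve: str        # a CVE attached to that CPE


@dataclass(frozen=True)
class Rule:
    file_path: Optional[str]
    file_path_is_regex: bool
    sha1: Optional[str]
    cve: Optional[str]
    cpe: Optional[str]
    cpe_is_regex: bool


def _selector(suppress: ET.Element, tag: str) -> Tuple[Optional[str], bool]:
    """Return (text, regex flag) for a child element, or (None, False) if absent."""
    child = suppress.find(f"dc:{tag}", NS)
    if child is None or not child.text:
        return None, False
    return child.text.strip(), child.get("regex") == "true"


def load_rules(xml_text: str) -> List[Rule]:
    """Parse every <suppress> element into a Rule."""
    rules = []
    for s in ET.fromstring(xml_text).findall("dc:suppress", NS):
        file_path, fp_regex = _selector(s, "filePath")
        cpe, cpe_regex = _selector(s, "cpe")
        rules.append(Rule(file_path, fp_regex, _selector(s, "sha1")[0],
                          _selector(s, "cve")[0], cpe, cpe_regex))
    return rules


def _matches(pattern: str, is_regex: bool, value: str, starts_with: bool = False) -> bool:
    if is_regex:
        return re.fullmatch(pattern, value) is not None
    return value.startswith(pattern) if starts_with else pattern == value


def rule_matches(rule: Rule, f: Finding) -> bool:
    """Simplified model: every selector the rule carries must match the finding;
    selectors the rule omits act as wildcards."""
    if rule.sha1 is not None and rule.sha1.lower() != f.sha1.lower():
        return False
    if rule.file_path is not None and not _matches(rule.file_path, rule.file_path_is_regex, f.file_path):
        return False
    if rule.cve is not None and rule.cve.upper() != f.cve.upper():
        return False
    if rule.cpe is not None and not _matches(rule.cpe, rule.cpe_is_regex, f.cpe, starts_with=True):
        return False
    return True


def apply_suppressions(findings: List[Finding], rules: List[Rule]) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (still reported, suppressed)."""
    reported, suppressed = [], []
    for f in findings:
        (suppressed if any(rule_matches(r, f) for r in rules) else reported).append(f)
    return reported, suppressed


# Constructed findings. CVE-0000-0000 is a placeholder id, not a real CVE.
FINDINGS = [
    Finding("build/lib/mina-filter-ssl-1.1.7.jar", MINA_JAR_SHA1, "cpe:/a:apache:apache-ssl", "CVE-2004-0009"),
    Finding("build/lib/mina-filter-ssl-1.1.7.jar", MINA_JAR_SHA1, "cpe:/a:apache:apache-ssl", "CVE-0000-0000"),
    Finding("build/lib/other-ssl-helper-2.0.jar", OTHER_JAR_SHA1, "cpe:/a:apache:apache-ssl", "CVE-2004-0009"),
]


def run() -> Tuple[List[Finding], List[Finding]]:
    return apply_suppressions(FINDINGS, load_rules(SUPPRESSIONS_XML))


if __name__ == "__main__":
    reported, suppressed = run()
    for f in suppressed:
        print(f"suppressed  {f.file_path}  {f.cve}")
    for f in reported:
        print(f"reported    {f.file_path}  {f.cve}")
```

The third finding shows why the scoped approach avoids the false negatives Jeremy warns about: the same CVE-2004-0009 attached to a different jar is still reported, because neither rule's file selector matches it. Rule 2 illustrates the distinction between suppressing a single CVE and suppressing the CPE identification that produced it, and pins that broader rule to one file hash so it cannot leak onto other artifacts.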

