Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Failing vulnerability producing incorrect/misleading vulnerability report

See original GitHub issue

Describe the bug Screenshot 2019-07-09 at 11 29 21

The last two report messages seem to be false alarms (possibly also the second one in the screenshot as well for the same vulnerability).

kamon-akka_2.12-2.0.0-RC3.jar (pkg:maven/io.kamon/kamon-akka_2.12@2.0.0-RC3, cpe:2.3:a:akka:akka:2.0.0.rc3:*:*:*:*:*:*:*) : CVE-2017-1000034
kamon-akka-http_2.12-2.0.0-RC3.jar (pkg:maven/io.kamon/kamon-akka-http_2.12@2.0.0-RC3, cpe:2.3:a:akka:akka:2.0.0.rc3:*:*:*:*:*:*:*) : CVE-2017-1000034

kamon-akka & kamon-akka-http use akka version 2.5.22 which is above both 2.4.16 & 2.5 M1. I don’t understand why it’s not aligning with the CVE-2017-1000034 report. https://nvd.nist.gov/vuln/detail/CVE-2017-1000034

Screenshot 2019-07-09 at 11 32 07

Screenshot 2019-07-09 at 11 31 53

** Version of sbt-dependency-check used ** 1.1.0

** Log file ** https://gist.github.com/cosmir17/f75f9955e48f8b995ef4110e272c3f06

To Reproduce Steps to reproduce the behavior:

Go to ‘…’
Click on ‘…’
Scroll down to ‘…’
See error

Expected behavior A clear and concise description of what you expected to happen.

Additional context Add any other context about the problem here.

Issue Analytics

State:
Created 4 years ago
Comments:7 (2 by maintainers)

Top GitHub Comments

2reactions

jeremylongcommented, Jul 9, 2019

Thanks for reporting the false positives. Due to how dependency-check works false positives due occur. If you generate the full HTML report generating a suppression file is very easy.

I have opened up https://github.com/jeremylong/DependencyCheck/issues/2050 and we will resolve the FP in the next release of dependency-check-core.

0reactions

cosmir17commented, Jul 16, 2019

@albuch Thank you for your reply. I came up with the following from your documentation. dependencyCheckSuppressionFiles += new File("dependency-suppressions.xml") Thank you 👍

Top Results From Across the Web

Vulnerability Report - GitLab Docs

The Vulnerability Report provides information about vulnerabilities from scans ... False positive : The scanner determined this vulnerability to be a false ......

false positive vulnerabilities - IBM

Commonly, false positives in vulnerability scanning occur when the scanner can access only a subset of the required information, which prevents it from ......

What is a vulnerability disclosure and why is it important?

Vulnerability disclosure is the practice of reporting security flaws in computer software or hardware. Security researchers, IT security teams, ...

Vulnerability scans and false positives: the importance of ...

It then reports the vulnerability and the page it was found on. ... In reality, these results are false positives, as the attempt...

Can You Trust Your Vulnerability Report? - Syxsense

Can You Trust Your Vulnerability Report? Vulnerability reporting is critical, but not every patch management tool provides data you can rely on.