Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Composer packages with hyphen not resolved to correct CPE
See original GitHub issueDescribe the bug
We currently have php-ampqlib as a composer dependency in our project at version 2.6.3. When running the dependency check, lots of vulnerabilities are erroneously listed against the package.
This is because the CPE assigned is cpe:2.3:a:php:php:2.6.3:*:*:*:*:*:*:* which is for the main PHP library. Which means we end up with hundreds of vulns that aren’t even related.
Version of dependency-check used 6.0.3
Log file currently don’t have but can be provided
To Reproduce Steps to reproduce the behaviour:
- Require
php-ampqlibas a dependency in a composer project - Run DependencyCheck on the project
Expected behaviour Only vulns related to the package should be shown - not those of PHP entirely
Additional context N/A
Issue Analytics
- State:
- Created 3 years ago
- Comments:6 (1 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@jeremylong This is definitely a bug that package names are split up incorrectly on hyphens and then false positives are generated for all name parts. Since dependency check version 6, our suppression list is growing extremely.
@jeremylong Thank you for the explanation. Due to the accumulation of false positives since the last major update in combination with packages with hyphens in the name I assumed a bug. But if the behavior is so desired or necessary to avoid false negatives, I create FP reports.