
More false positives since DC 2.1.1


I’m seeing a change in behavior for the DC 2.1.1 release:

More JARs are reported as false positives than before the release, e.g.:

  • mailapi-1.5.6.jar, which was already used in the exact same version in DC 2.1.0, is now falsely reported as CVE-2015-9097 since DC 2.1.1.
  • joda-time-1.6.jar is now falsely reported as CVE-2014-5169
  • javax.json-1.0.4.jar is now falsely reported as CVE-2015-2808 and CVE-2013-2566

See https://gist.github.com/albuch/b9b080cf8d07c528c89b38aa9abb2790 for full report.

The issue occurs when running sbt-dependency-check on itself with dependency-check-core updated to v2.1.1 (for reference: https://github.com/albuch/sbt-dependency-check/pull/28).

@jeremylong do you have any idea why these are newly reported as false positives?

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments:8 (4 by maintainers)

Top GitHub Comments

2 reactions
jeremylong commented, Sep 21, 2017

I’ll look into this as soon as I’ve gotten the database branch to build on travis…

1 reaction
cardamon commented, Oct 6, 2017

FWIW, some (more) false positives:

Filename: lombok-1.16.18.jar | Reference: CVE-2016-0749 | CVSS Score: 10.0 | Category: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer | The smartcard interaction in SPICE allows remote attackers to cause a denial of service (QEMU-KVM process crash) or possibly execute arbitrary code via vectors related to connecting to a guest VM, which triggers a heap-based buffer overflow.

Filename: lombok-1.16.18.jar | Reference: CVE-2016-2150 | CVSS Score: 3.6 | Category: CWE-284 Improper Access Control | SPICE allows local guest OS users to read from or write to arbitrary host memory locations via crafted primary surface parameters, a similar issue to CVE-2015-5261.
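Until the CPE matching is corrected upstream, the practical mitigation for mismatches like the ones listed in the issue and in the comment above is a dependency-check suppression file. The file below is an added example, not part of the issue thread or of the dependency-check project's own test data; it assumes the 1.1 suppression schema that dependency-check 2.x reads, and uses the jar names and CVE identifiers already named on this page. The first, commented-out entry shows the over-broad form to avoid: a bare `<cve>` with no scoping element suppresses that CVE for every dependency in the build, so a real hit in another artifact would be hidden too. The entries that follow scope each suppression to the specific jar via a `filePath` regex, which is the form a reviewer would accept.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for dependency-check 2.x (schema 1.1).
     Hypothetical: not the project's own file; jar names and CVE ids come from the issue. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

    <!-- Over-broad form, shown for contrast and deliberately left commented out:
         with no filePath/sha1/gav scoping, this hides CVE-2016-0749 for EVERY dependency. -->
    <!--
    <suppress>
        <notes><![CDATA[Do not do this: unscoped suppression masks real findings elsewhere]]></notes>
        <cve>CVE-2016-0749</cve>
    </suppress>
    -->

    <!-- Scoped form: suppress only for the exact jar that was mis-identified.
         The regex matches the file name at the end of any path. -->
    <suppress>
        <notes><![CDATA[mailapi-1.5.6.jar is matched to an unrelated CPE since DC 2.1.1 (see issue)]]></notes>
        <filePath regex="true">.*\bmailapi-1\.5\.6\.jar$</filePath>
        <cve>CVE-2015-9097</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[joda-time-1.6.jar: CVE-2014-5169 is not a Joda-Time issue]]></notes>
        <filePath regex="true">.*\bjoda-time-1\.6\.jar$</filePath>
        <cve>CVE-2014-5169</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[javax.json-1.0.4.jar: both CVEs belong to other products]]></notes>
        <filePath regex="true">.*\bjavax\.json-1\.0\.4\.jar$</filePath>
        <cve>CVE-2015-2808</cve>
        <cve>CVE-2013-2566</cve>
    </suppress>

    <!-- The lombok entries from the comment above: the CVE text describes SPICE/QEMU,
         so this is a CPE mismatch, not a vulnerability in Lombok. -->
    <suppress>
        <notes><![CDATA[lombok-1.16.18.jar mis-matched to SPICE CVEs]]></notes>
        <filePath regex="true">.*\blombok-1\.16\.18\.jar$</filePath>
        <cve>CVE-2016-0749</cve>
        <cve>CVE-2016-2150</cve>
    </suppress>

</suppressions>
```

Point the scanner at this file through whatever suppression-file setting the invoking plugin exposes (sbt-dependency-check in the issue's case), and re-run the scan; each suppressed finding moves from the report's vulnerability list to its suppressed section rather than disappearing, which keeps the decision auditable. Each `<notes>` entry records why the match is believed to be wrong, so the suppression can be revisited when the version is bumped and the regex no longer matches.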

