Comments (3)
jeremylong
commented on August 28, 2024
With the 2.1.1 release a change was made to reduce false negatives - unfortunately, it did increase the false positive rate. See jeremylong/DependencyCheck#894 (comment). I believe most of the false positive that were introduced can be corrected with a few simple suppression rules that will be added to the core engine.
from dependency-check-gradle.
DangerPete
commented on August 28, 2024
Cool. Thanks.
If you don't mind I'll just add more suspected FP's here since trying to upgrade another library to 2.1.1. Happy to open a report under the other project if it makes housekeeping easier:
CVE-2015-7545, CVE-2015-7082, CVE-2014-9938, CVE-2013-0308, CVE-2010-3906, CVE-2010-2542
hystrix-codahale-metrics-publisher-1.5.13.jar (com.netflix.hystrix:hystrix-codahale-metrics-publisher:1.5.13, cpe:/a:git:git:1.5.13, cpe:/a:git_project:git:1.5.13) : CVE-2015-7545, CVE-2015-7082, CVE-2014-9938, CVE-2013-0308, CVE-2010-3906, CVE-2010-2542
hystrix-metrics-event-stream-1.5.13.jar (com.netflix.hystrix:hystrix-metrics-event-stream:1.5.13, cpe:/a:git:git:1.5.13, cpe:/a:git_project:git:1.5.13) : CVE-2015-7545, CVE-2015-7082, CVE-2014-9938, CVE-2013-0308, CVE-2010-3906, CVE-2010-2542
hystrix-serialization-1.5.13.jar (com.netflix.hystrix:hystrix-serialization:1.5.13, cpe:/a:git:git:1.5.13, cpe:/a:git_project:git:1.5.13) : CVE-2015-7545, CVE-2015-7082, CVE-2014-9938, CVE-2013-0308, CVE-2010-3906, CVE-2010-2542
javax.annotation-api-1.2.jar (cpe:/a:oracle:glassfish:1.2, javax.annotation:javax.annotation-api:1.2) : CVE-2015-2808, CVE-2013-2566
javax.servlet-api-3.1.0.jar (cpe:/a:oracle:glassfish:3.1.0, javax.servlet:javax.servlet-api:3.1.0) : CVE-2015-2808, CVE-2013-2566
from dependency-check-gradle.
lock
commented on August 28, 2024
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
from dependency-check-gradle.
Related Issues (20)
- NVD api requests are failing in version 9.0.1 HOT 5
- OutOfMemoryError after upgrading to v9 HOT 2
- 9.0.2 `dependencyCheckAnalyze` fails with `NoSuchMethodError` Jackson `NativeImageUtil` method HOT 8
- False positives with conflicted version resolution HOT 3
- Force use of vulnerable dependency to check if project works HOT 6
- java.util.concurrent.ExecutionException: org.gradle.api.GradleException: Failed to create Jar file /home/gradle/.gradle/caches/jars-9/b434e5cc9816519e3d9b77bd3c65f31a/jackson-core-2.16.0.jar. when try to upgrade the Owasp latest 9.0.0 version in Gitlab Pipeline HOT 1
- Dependency report configuration (size) HOT 2
- Default scanset omits pnpm-lock.yaml
- Support for vulnerability analysis of gradle version catalog HOT 1
- default data directory in v9
- Database Compability Issue when using Spring Boot 3.2.0
- Sources link on GPP doesn't point to a URL HOT 2
- How to configure the NVD API key? HOT 1
- Redacting the HTML Report HOT 1
- Can props from build.gradle.kts be overwritten with -D or -P parameter? HOT 3
- Lots of NVD API request failures HOT 1
- Error when trying to build image with jib. HOT 3
- java.lang.ClassNotFoundException: org.apache.commons.codec.Charsets with 9.0.10 HOT 6
- Build never finishes with AGP 8.3 HOT 1
- Possibly conflicting information regarding gradle subprojects HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dependency-check-gradle.