One of the issues with this checker (IMO) is that it creates too many false positives. One reason is that (up until now) there has not been a good database with mappings between a CVE and the actual library coordinates in the various ecosystems (for example Maven, NuGet, etc.).
At the moment the analyzers in OWASP DependencyCheck simply look at various strings to see if they match. It would be far more relevant to look at the actual coordinates of the dependencies that a project uses. For example, for a Maven project: look at each GAV coordinate that the project uses and see if there's a match in the vulnerability database. This type of analysis would be a great complement to the analysis the tool is already doing.
This can hopefully avoid the problem where a library (dependency) happens to have a similar name to another library which has a known CVE on it ... and therefore incorrectly gets flagged.
Describe the solution you'd like
Perhaps look at Google's OSV.dev database which can do this mapping.
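The coordinate-based lookup the issue asks for, as an added example (not code from OWASP Dependency-Check or from the issue author): it parses a Maven GAV coordinate, builds the request body that OSV.dev's `POST /v1/query` endpoint accepts for the `Maven` ecosystem (where a package is named `groupId:artifactId`), and evaluates OSV-style `introduced`/`fixed` version ranges against a small constructed set of advisories. The advisory ids, group and artifact names in `SAMPLE_ADVISORIES` are placeholders, not real vulnerabilities, and the version comparison is a simplified numeric compare rather than full Maven version ordering. The live `query_osv` call is included for completeness but the demo runs entirely offline.

```python
"""Exact-coordinate vulnerability matching for Maven GAVs (added example)."""
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"

# Constructed OSV-shaped records; ids and packages are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001",
     "affected": [{"package": {"ecosystem": "Maven", "name": "com.example:widget-core"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.2"}]}]}]},
    {"id": "EXAMPLE-0002",
     "affected": [{"package": {"ecosystem": "Maven", "name": "org.example:legacy-lib"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}]}]}]},  # never fixed
]


def parse_gav(coordinate: str) -> dict:
    """Split 'groupId:artifactId[:packaging[:classifier]]:version'; version is always last."""
    parts = coordinate.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a GAV coordinate: {coordinate!r}")
    return {"group": parts[0], "artifact": parts[1], "version": parts[-1]}


def osv_query_payload(coordinate: str) -> dict:
    """Body for POST https://api.osv.dev/v1/query; OSV names Maven packages 'group:artifact'."""
    gav = parse_gav(coordinate)
    return {"version": gav["version"],
            "package": {"name": f"{gav['group']}:{gav['artifact']}", "ecosystem": "Maven"}}


def _version_key(version: str) -> tuple:
    # Simplification: dot-separated numeric compare; real Maven ordering handles qualifiers.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def _in_range(key: tuple, introduced: str, fixed) -> bool:
    # OSV uses introduced "0" to mean "from the first version".
    if introduced != "0" and key < _version_key(introduced):
        return False
    return fixed is None or key < _version_key(fixed)


def version_affected(version: str, ranges: list) -> bool:
    """True if version >= some 'introduced' event and < the following 'fixed' (or never fixed)."""
    key = _version_key(version)
    for rng in ranges:
        introduced = None
        for event in rng.get("events", []):
            if "introduced" in event:
                introduced = event["introduced"]
            elif "fixed" in event:
                if introduced is not None and _in_range(key, introduced, event["fixed"]):
                    return True
                introduced = None
        if introduced is not None and _in_range(key, introduced, None):
            return True
    return False


def match_coordinate(coordinate: str, advisories: list) -> list:
    """Advisory ids whose package name equals the GAV's group:artifact exactly
    and whose ranges cover its version. Because the name must match exactly,
    'widget-core-extras' cannot trip on an advisory for 'widget-core'."""
    gav = parse_gav(coordinate)
    name = f"{gav['group']}:{gav['artifact']}"
    hits = []
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != "Maven" or pkg.get("name") != name:
                continue
            if version_affected(gav["version"], aff.get("ranges", [])):
                hits.append(adv["id"])
    return hits


def query_osv(coordinate: str, timeout: float = 10.0) -> list:
    """Live lookup against OSV.dev (network); returns advisory ids from the 'vulns' list."""
    body = json.dumps(osv_query_payload(coordinate)).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return [v["id"] for v in json.load(resp).get("vulns", [])]


if __name__ == "__main__":
    for gav in ("com.example:widget-core:1.3.0",         # affected
                "com.example:widget-core:1.4.2",         # fixed version
                "com.example:widget-core-extras:1.3.0",  # similar name, not affected
                "org.example:legacy-lib:9.9.9"):         # never fixed
        print(gav, "->", match_coordinate(gav, SAMPLE_ADVISORIES))
```

The third case is the false positive the issue describes: a string-based analyzer that matches on `widget-core` would flag `widget-core-extras`, whereas the exact `group:artifact` comparison does not. In a real integration the offline matcher would be fed by the results of `query_osv` (or a local OSV mirror) rather than the constructed list above.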
The plan is that next year we would move to a different data source - be it OSV or GHSA or something else. We should have migrated already, but we haven't had time as this is going to be a significant re-write.