DependencyCheck
Library Identification problem (OSV)
One of the issues with this checker (IMO) is that it creates too many false positives. One reason is that (up until now) there has not been a good database with mappings between a CVE and actual library coordinates in various ecosystems (for example Maven, NuGet, etc).
At the moment the analyzers in OWASP DependencyCheck simply look at various strings to see if they match. It would be far more relevant to look at the actual coordinates of the dependencies that a project uses. For example for a Maven project: Look at each GAV coordinate that the project uses and see if there's a match in the vulnerability database. This type of analysis would be a great complement to the analysis the tool is already doing.
This can hopefully avoid the problem where a library (dependency) happens to have a similar name to another library which has a known CVE on it ... and therefore incorrectly gets flagged.
Describe the solution you'd like
Perhaps look at Google's OSV.dev database which can do this mapping.
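As an added illustration (not DependencyCheck or OSV code), the coordinate-based lookup the post proposes, next to the string-similarity check it criticises. The advisory below is constructed in the OSV schema's Maven naming (`groupId:artifactId`) with a placeholder ID, and version ordering is simplified to dotted integers.

```python
# Constructed OSV-style advisory; placeholder ID and made-up coordinates.
OSV_RECORDS: list[dict] = [{
    "id": "EXAMPLE-0001",  # placeholder, not a real OSV/GHSA identifier
    "affected": [{
        "package": {"ecosystem": "Maven", "name": "org.example:foo"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "1.2.4"}]}],
    }],
}]


def _parse(version: str) -> tuple:
    # Simplified ordering: dotted integers only (real Maven ordering is richer).
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def _in_range(version: str, events: list[dict]) -> bool:
    """Walk sorted OSV events: 'introduced' opens a window, 'fixed' closes it."""
    v, affected = _parse(version), False
    for ev in events:
        if "introduced" in ev and (ev["introduced"] == "0" or _parse(ev["introduced"]) <= v):
            affected = True
        if "fixed" in ev and _parse(ev["fixed"]) <= v:
            affected = False
    return affected


def osv_matches(group: str, artifact: str, version: str, records=OSV_RECORDS) -> list[str]:
    """Advisory IDs whose affected package is exactly this GAV (no substring logic)."""
    name = f"{group}:{artifact}"  # OSV Maven package name: groupId:artifactId
    hits = []
    for rec in records:
        for aff in rec["affected"]:
            pkg = aff["package"]
            if pkg["ecosystem"] != "Maven" or pkg["name"] != name:
                continue  # different ecosystem or coordinates: not this library
            if version in aff.get("versions", []) or any(
                    _in_range(version, r["events"]) for r in aff.get("ranges", [])):
                hits.append(rec["id"])
    return hits


def naive_name_matches(artifact: str, records=OSV_RECORDS) -> list[str]:
    """Name-similarity check of the kind the post objects to: flags any artifact
    whose name merely contains the vulnerable artifactId."""
    return [rec["id"] for rec in records for aff in rec["affected"]
            if aff["package"]["name"].split(":")[1] in artifact]
```

With the constructed record, `org.example:foo-utils` is flagged by the naive check but not by the exact-coordinate lookup, and `org.example:foo` 1.2.4 is correctly treated as fixed.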
The plan is that next year we would move to a different data source - be it OSV or GHSA or something else. We should have migrated already but we haven't had time as this is going to be a significant rewrite.