add general hints document explaining false negatives

2026-01-13 15:23:40 +01:00 · 2016-09-20 21:01:27 -07:00
parent b9ea82f2c1
commit 0794efcf41
1 changed files with 46 additions and 5 deletions
--- a/src/site/markdown/general/hints.md
+++ b/src/site/markdown/general/hints.md
@@ -1,20 +1,61 @@
 Resolving False Negatives
 ====================
-Due to how dependency-check identifies libraries false negatives may occur (a CPE was identified that is incorrect). Suppressing these false positives is fairly easy using the HTML report. In the report next to each CPE identified (and on CVE entries) there is a suppress button. Clicking the suppression button will create a dialogue box which you can simple hit Control-C to copy the XML that you would place into a suppression XML file. If this is the first time you are creating the suppression file you should click the "Complete XML Doc" button on the top of the dialogue box to add the necessary schema elements.
+Due to how dependency-check identifies libraries, false negatives may occur (a CPE was NOT identified for a library). Identifying these false negatives can be accomplished using the HTML report. In the report, click on the "Display: Showing Vulnerable Dependencies (click to show all)" link. You can then browse the dependencies and review the CPEs that are there for accuracy. You can also review the dependencies where no CPE match was made. Using the CPE dictionary search manually to verify that there is a CPE to match is a good verification that a false negative has been found. If you identify a dependency that is missing a CPE you can add evidence to help identify the correct CPE.

-A sample hints file would look like:
+A possible reason for false negatives is re-naming of either the vendor or library name over time. Another case is when an artifact has missing info (manifest with no vendor).
+
+Dependency Check has a built in [hints](https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml) file that is used in every check to help correct well known false negatives.
+
+A sample hints file that add a product name and possible vendors for Spring framework dependencies would look like:

 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
+<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd">
+    <hint>
+        <given>
+            <evidence type="product" source="Manifest" name="Implementation-Title" value="Spring Framework" confidence="HIGH"/>
+            <evidence type="product" source="Manifest" name="Implementation-Title" value="org.springframework.core" confidence="HIGH"/>
+            <evidence type="product" source="Manifest" name="Implementation-Title" value="spring-core" confidence="HIGH"/>
+        </given>
+        <add>
+            <evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal" confidence="HIGH"/>
+        </add>
+    </hint>
+</hints>

 ```
-The above XML file will
+The above XML file will add the 4 evidence entries to any dependency that matches any one of the 3 givens.

-The following shows some other ways to
+The following shows some other ways to add evidence

 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
-
+<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd">
+   <hint>
+        <given>
+            <evidence type="product" source="jar" name="package name" value="springframework" confidence="LOW"/>
+            <fileName contains="spring"/>
+        </given>
+        <add>
+            <evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal" confidence="HIGH"/>
+        </add>
+   </hint>
+   <hint>
+        <given>
+            <fileName contains="my-thelib-.*\.jar" regex="true" caseSensitive="true"/>
+        </given>
+        <add>
+            <evidence type="product" source="hint analyzer" name="product" value="thelib" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="thevendor" confidence="HIGH"/>
+        </add>
+  </hint>
+</hints>
 ```

 The full schema for hints files can be found here: [dependency-hint.xsd](https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/dependency-hint.1.1.xsd "Hint Schema")