github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-04-30 20:24:32 +02:00
Code Issues Packages Projects Releases Wiki Activity

version 1.2.5 of the documentation

Browse Source
This commit is contained in:
Jeremy Long
2014-09-17 05:43:14 -04:00
parent c9a8bb3969
commit b31c4d94c4
988 changed files with 22559 additions and 19785 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
thereport.html
View File

@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia at 2014-08-05
| Generated by Apache Maven Doxia at 2014-09-16
| Rendered using Apache Maven Fluido Skin 1.3.1
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20140805" />
<meta name="Date-Revision-yyyymmdd" content="20140916" />
<meta http-equiv="Content-Language" content="en" />
<title>dependency-check - How To Read The Report</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.1.min.css" />
@@ -62,9 +62,9 @@
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2014-08-05</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2014-09-16</li>
<li id="projectVersion" class="pull-right">
Version: 1.2.4
Version: 1.2.5
</li>
</ul>
@@ -248,7 +248,7 @@
<div id="bodyColumn" class="span9" >
<h1>How To Read The Report</h1>
<p>There is a lot of information contained in the HTML version of the report. When analyzing the results, the first thing one should do is determine if the CPE looks appropriate. Due to the way dependency-check works (see above) the report may contain false positives; these false positives are primarily on the CPE values. If the CPE value is wrong, this is usually obvious and one should use the suppression feature in the report to generate a suppression XML file that can be used on future scans. In addition to just looking at the CPE values in comparison to the name of the dependency - one may also consider the confidence of the CPE (as discussed in <a href="./internals.html">How does dependency-check work</a>). See the (Suppression False Positives)[./suppression.html] page for more information on how to generate and use the suppression file.</p>
<p>There is a lot of information contained in the HTML version of the report. When analyzing the results, the first thing one should do is determine if the CPE looks appropriate. Due to the way dependency-check works (see above) the report may contain false positives; these false positives are primarily on the CPE values. If the CPE value is wrong, this is usually obvious and one should use the suppression feature in the report to generate a suppression XML file that can be used on future scans. In addition to just looking at the CPE values in comparison to the name of the dependency - one may also consider the confidence of the CPE (as discussed in <a href="./internals.html">How does dependency-check work</a>). See the <a href="./suppression.html">Suppressing False Positives</a> page for more information on how to generate and use the suppression file.</p>
<p>Once you have weeded out any obvious false positives one can then look at the remaining entries and determine if any of the identified CVE entries are actually exploitable in your environment. Determining if a CVE is exploitable in your environment can be tricky - for this I do not currently have any tips other then upgrade the library if you can just to be safe. Note, some CVE entries can be fixed by either upgrading the library or changing configuration options.</p>
<p>One item that dependency-check flags that many may think is a false positive are old database drivers. One thing to consider about an old database driver is that the CPE/CVEs identified are usually for the server rather then the driver. However, the presence of an old driver may indicate that you have an older version of the server running in your environment and that server may need to be patched or upgraded. However, in some cases the old database drivers are actually unused, transitive dependencies from other dependencies.</p>
<h1>Regarding False Negatives</h1>