fixed false positives related to Apache POI and MS Office CPE/CVE per issue #126

Former-commit-id: cfde8d86cb339a9f2cf0b8c1f72f5ca198efab8a
2026-01-17 00:56:54 +01:00 · 2014-05-14 19:17:47 -04:00
parent 9a96165655
commit e43003cadc
1 changed files with 8 additions and 0 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
@@ -250,6 +250,14 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
                        || dependency.getFileName().toLowerCase().endsWith(".dll")
                        || dependency.getFileName().toLowerCase().endsWith(".exe"))) {
                    itr.remove();
+                } else if ((i.getValue().startsWith("cpe:/a:microsoft:excel")
+                        || i.getValue().startsWith("cpe:/a:microsoft:word")
+                        || i.getValue().startsWith("cpe:/a:microsoft:visio")
+                        || i.getValue().startsWith("cpe:/a:microsoft:powerpoint")
+                        || i.getValue().startsWith("cpe:/a:microsoft:office"))
+                        && (dependency.getFileName().toLowerCase().endsWith(".jar")
+                        || dependency.getFileName().toLowerCase().endsWith("pom.xml"))) {
+                    itr.remove();
                } else if (i.getValue().startsWith("cpe:/a:apache:maven")
                        && !dependency.getFileName().toLowerCase().matches("maven-core-[\\d\\.]+\\.jar")) {
                    itr.remove();