mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-01-13 15:23:40 +01:00
308 lines
15 KiB
HTML
308 lines
15 KiB
HTML
<!DOCTYPE html>
|
|
<!--
|
|
| Generated by Apache Maven Doxia Site Renderer 1.7.1 at 2017-01-22
|
|
| Rendered using Apache Maven Fluido Skin 1.5
|
|
-->
|
|
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
|
|
<head>
|
|
<meta charset="UTF-8" />
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
|
<meta name="Date-Revision-yyyymmdd" content="20170122" />
|
|
<meta http-equiv="Content-Language" content="en" />
|
|
<title>dependency-check – Resolving False Negatives</title>
|
|
<link rel="stylesheet" href="../css/apache-maven-fluido-1.5.min.css" />
|
|
<link rel="stylesheet" href="../css/site.css" />
|
|
<link rel="stylesheet" href="../css/print.css" media="print" />
|
|
|
|
|
|
<script type="text/javascript" src="../js/apache-maven-fluido-1.5.min.js"></script>
|
|
|
|
<style type="text/css">
|
|
#bannerLeft { margin-top:-20px;margin-bottom:5px !important }
|
|
</style>
|
|
</head>
|
|
<body class="topBarDisabled">
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<a href="https://github.com/jeremylong/DependencyCheck">
|
|
<img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
|
|
src="https://s3.amazonaws.com/github/ribbons/forkme_right_gray_6d6d6d.png"
|
|
alt="Fork me on GitHub">
|
|
</a>
|
|
|
|
|
|
|
|
|
|
<div class="container-fluid">
|
|
<div id="banner">
|
|
<div class="pull-left">
|
|
<div id="bannerLeft">
|
|
<img src="../images/dc.svg" alt="OWASP dependency-check"/>
|
|
</div>
|
|
</div>
|
|
<div class="pull-right"> </div>
|
|
<div class="clear"><hr/></div>
|
|
</div>
|
|
|
|
<div id="breadcrumbs">
|
|
<ul class="breadcrumb">
|
|
|
|
<li class="">
|
|
<a href="../#" title="">
|
|
</a>
|
|
<span class="divider">/</span>
|
|
</li>
|
|
<li class="active ">Resolving False Negatives</li>
|
|
|
|
|
|
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2017-01-22</li>
|
|
<li id="projectVersion" class="pull-right">
|
|
Version: 1.4.5
|
|
</li>
|
|
|
|
</ul>
|
|
</div>
|
|
|
|
|
|
<div class="row-fluid">
|
|
<div id="leftColumn" class="span2">
|
|
<div class="well sidebar-nav">
|
|
|
|
<ul class="nav nav-list">
|
|
<li class="nav-header">OWASP dependency-check</li>
|
|
|
|
<li>
|
|
|
|
<a href="../index.html" title="General">
|
|
<span class="icon-chevron-down"></span>
|
|
General</a>
|
|
<ul class="nav nav-list">
|
|
|
|
<li>
|
|
|
|
<a href="../general/internals.html" title="How it Works">
|
|
<span class="none"></span>
|
|
How it Works</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/thereport.html" title="Reading the Report">
|
|
<span class="none"></span>
|
|
Reading the Report</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/suppression.html" title="False Positives">
|
|
<span class="none"></span>
|
|
False Positives</a>
|
|
</li>
|
|
|
|
<li class="active">
|
|
|
|
<a href="#"><span class="none"></span>False Negatives</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../data/index.html" title="Internet Access Required">
|
|
<span class="icon-chevron-right"></span>
|
|
Internet Access Required</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../related.html" title="Related Work">
|
|
<span class="none"></span>
|
|
Related Work</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/dependency-check.pptx" title="Project Presentation (pptx)">
|
|
<span class="none"></span>
|
|
Project Presentation (pptx)</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/dependency-check.pdf" title="Project Presentation (pdf)">
|
|
<span class="none"></span>
|
|
Project Presentation (pdf)</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/SampleReport.html" title="Sample Report">
|
|
<span class="none"></span>
|
|
Sample Report</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/scan_iso.html" title="How to Scan an ISO Image">
|
|
<span class="none"></span>
|
|
How to Scan an ISO Image</a>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../analyzers/index.html" title="File Type Analyzers">
|
|
<span class="icon-chevron-right"></span>
|
|
File Type Analyzers</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../modules.html" title="Modules">
|
|
<span class="icon-chevron-right"></span>
|
|
Modules</a>
|
|
</li>
|
|
<li class="nav-header">Project Documentation</li>
|
|
|
|
<li>
|
|
|
|
<a href="../project-info.html" title="Project Information">
|
|
<span class="icon-chevron-right"></span>
|
|
Project Information</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../project-reports.html" title="Project Reports">
|
|
<span class="icon-chevron-right"></span>
|
|
Project Reports</a>
|
|
</li>
|
|
</ul>
|
|
|
|
|
|
<hr />
|
|
|
|
<div id="poweredBy">
|
|
|
|
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
|
|
|
|
|
|
<div class="g-plusone" data-href="https://github.com/jeremylong/DependencyCheck.git" data-size="tall" ></div>
|
|
|
|
<div class="clear"></div>
|
|
<div class="clear"></div>
|
|
|
|
|
|
|
|
<div id="twitter">
|
|
|
|
<a href="https://twitter.com/ctxt" class="twitter-follow-button" data-show-count="true" data-align="left" data-size="medium" data-show-screen-name="true" data-lang="en">Follow ctxt</a>
|
|
<script type="text/javascript">!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
|
|
|
|
</div>
|
|
<div class="clear"></div>
|
|
<div class="clear"></div>
|
|
<a href="http://maven.apache.org/" title="Maven" class="builtBy">
|
|
<img class="builtBy" alt="built with maven" src="http://jeremylong.github.io/DependencyCheck/images/logos/maven-feather.png" />
|
|
</a>
|
|
<a href="http://www.jetbrains.com/idea/" title="IntelliJ" class="builtBy">
|
|
<img class="builtBy" alt="developed using" src="http://jeremylong.github.io/DependencyCheck/images/logos/logo_intellij_idea.png" width="170px" />
|
|
</a>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
|
|
<div id="bodyColumn" class="span10" >
|
|
|
|
<h1>Resolving False Negatives</h1>
|
|
<p>Due to how dependency-check identifies libraries, false negatives may occur (a CPE was NOT identified for a library). Identifying these false negatives can be accomplished using the HTML report. In the report, click on the “Display: Showing Vulnerable Dependencies (click to show all)” link. You can then browse the dependencies and review the CPEs that are there for accuracy. You can also review the dependencies where no CPE match was made. Using the CPE dictionary search manually to verify that there is a CPE to match is a good verification that a false negative has been found. If you identify a dependency that is missing a CPE you can add evidence to help identify the correct CPE.</p>
|
|
<p>A possible reason for false negatives is re-naming of either the vendor or library name over time. Another case is when an artifact has missing info (manifest with no vendor).</p>
|
|
<p>Dependency Check has a built in <a class="externalLink" href="https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml">hints</a> file that is used in every check to help correct well known false negatives.</p>
|
|
<p>A sample hints file that add a product name and possible vendors for Spring framework dependencies would look like:</p>
|
|
|
|
<div class="source">
|
|
<div class="source"><pre class="prettyprint linenums"><?xml version="1.0" encoding="UTF-8"?>
|
|
<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd">
|
|
<hint>
|
|
<given>
|
|
<evidence type="product" source="Manifest" name="Implementation-Title" value="Spring Framework" confidence="HIGH"/>
|
|
<evidence type="product" source="Manifest" name="Implementation-Title" value="org.springframework.core" confidence="HIGH"/>
|
|
<evidence type="product" source="Manifest" name="Implementation-Title" value="spring-core" confidence="HIGH"/>
|
|
</given>
|
|
<add>
|
|
<evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
|
|
<evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGH"/>
|
|
<evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
|
|
<evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal" confidence="HIGH"/>
|
|
</add>
|
|
</hint>
|
|
</hints>
|
|
|
|
</pre></div></div>
|
|
<p>The above XML file will add the 4 evidence entries to any dependency that matches any one of the 3 givens.</p>
|
|
<p>The following shows some other ways to add evidence</p>
|
|
|
|
<div class="source">
|
|
<div class="source"><pre class="prettyprint linenums"><?xml version="1.0" encoding="UTF-8"?>
|
|
<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd">
|
|
<hint>
|
|
<given>
|
|
<evidence type="product" source="jar" name="package name" value="springframework" confidence="LOW"/>
|
|
<fileName contains="spring"/>
|
|
</given>
|
|
<add>
|
|
<evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
|
|
<evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGH"/>
|
|
<evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
|
|
<evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal" confidence="HIGH"/>
|
|
</add>
|
|
</hint>
|
|
<hint>
|
|
<given>
|
|
<fileName contains="my-thelib-.*\.jar" regex="true" caseSensitive="true"/>
|
|
</given>
|
|
<add>
|
|
<evidence type="product" source="hint analyzer" name="product" value="thelib" confidence="HIGH"/>
|
|
<evidence type="vendor" source="hint analyzer" name="vendor" value="thevendor" confidence="HIGH"/>
|
|
</add>
|
|
</hint>
|
|
</hints>
|
|
</pre></div></div>
|
|
<p>The full schema for hints files can be found here: <a class="externalLink" href="https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/dependency-hint.1.1.xsd" title="Hint Schema">dependency-hint.xsd</a></p>
|
|
<p>Please see the appropriate configuration option in each interfaces configuration guide:</p>
|
|
|
|
<ul>
|
|
|
|
<li><a href="../dependency-check-cli/arguments.html">Command Line Tool</a></li>
|
|
|
|
<li><a href="../dependency-check-maven/configuration.html">Maven Plugin</a></li>
|
|
|
|
<li><a href="../dependency-check-ant/configuration.html">Ant Task</a></li>
|
|
|
|
<li><a href="../dependency-check-jenkins/index.html">Jenkins Plugin</a></li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<hr/>
|
|
|
|
<footer>
|
|
<div class="container-fluid">
|
|
<div class="row-fluid">
|
|
<p >Copyright © 2012–2017
|
|
<a href="http://www.owasp.org">OWASP</a>.
|
|
All rights reserved.
|
|
</p>
|
|
</div>
|
|
|
|
|
|
</div>
|
|
</footer>
|
|
</body>
|
|
</html>
|