DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

False vulnerability discovery based on matching strings ? #2789

Open Lifter-PL opened 1 year ago

Lifter-PL commented 1 year ago

Current Behavior

When we build our Angular application and scan it, DT shows false vulnerabilities for the router:11.2.14 component that we use. These vulnerabilities are related to HARDWARE ROUTERS. See the example in the picture below; look at the description.

This is not the case only for this library; e.g. we have the same problem with the library called "ip".

Attachments:

  1. Snapshot (2023-05-26_11h49_34)
  2. Fragment of BOM with vulnerabilities (router-bom-with-vuls_json.txt)

Steps to Reproduce

  1. Use DT 4.7.0
  2. Analyze application that depends on "purl" : "pkg:npm/%40angular/router@11.2.14",
  3. Go to "Audit Vulnerabilities" and check the findings.
  4. Check the description of "CVE-2008-2173".

Expected Behavior

This set of vulnerabilities shouldn't be identified for this component.

Dependency-Track Version

4.7.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

syalioune commented 1 year ago

Hello @Lifter-PL

Do you have fuzzy matching enabled, especially for components that have a PURL?

[screenshot attached]

If so, you should disable it. That feature is mainly intended for CPE and to overcome the limits of the NVD database for certain types of components.
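
To make the failure mode in this thread concrete, here is a small Python model of what name-only ("fuzzy") CPE matching does compared with coordinate-exact PURL matching. This is an added illustration written for this thread, not Dependency-Track's own analyzer code: the `audit` function, the `Finding` record, the knobs `fuzzy_enabled` / `fuzzy_exclude_purl`, the CPE attached to CVE-2008-2173 and the second vulnerability record are all constructed for the example. It shows why a bare component name like `router` collides with a hardware CPE, and why excluding PURL-bearing components from fuzzy matching makes that finding disappear while a PURL-based finding survives.

```python
"""Toy model of name-only ("fuzzy") CPE matching versus coordinate-exact PURL matching.

Added illustration for this thread; NOT Dependency-Track's implementation.
All vulnerability records and CPEs below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Cpe:
    part: str      # "a" application, "h" hardware, "o" operating system
    vendor: str
    product: str
    version: str   # "*" means any version


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


@dataclass(frozen=True)
class Finding:
    component: str            # the component's PURL
    vuln_id: str
    method: str               # "purl" (exact coordinates) or "fuzzy" (name only)
    cpe_part: Optional[str] = None


def parse_cpe23(text: str) -> Cpe:
    """Parse a CPE 2.3 formatted string into part/vendor/product/version."""
    f = text.split(":")
    if len(f) < 6 or f[0] != "cpe" or f[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {text}")
    return Cpe(part=f[2], vendor=f[3].lower(), product=f[4].lower(), version=f[5])


_PURL_RE = re.compile(r"pkg:([^/]+)/(?:([^/@]+)/)?([^/@]+)(?:@([^?#]+))?(?:[?#].*)?")


def parse_purl(text: str) -> Purl:
    """Parse pkg:type/namespace/name@version (namespace and version optional)."""
    m = _PURL_RE.fullmatch(text)
    if not m:
        raise ValueError(f"not a package URL: {text}")
    ptype, ns, name, version = m.groups()
    return Purl(ptype, unquote(ns) if ns else None, unquote(name), version)


# Constructed records. CVE-2008-2173 is the id from the report; the hardware CPE
# given to it here is made up. The second record is entirely hypothetical.
VULNS = [
    {"id": "CVE-2008-2173",
     "cpes": ["cpe:2.3:h:example_vendor:router:*:*:*:*:*:*:*:*"],
     "purls": []},
    {"id": "EXAMPLE-0001 (constructed)",
     "cpes": [],
     "purls": ["pkg:npm/ip@1.1.5"]},
]

# Two npm components like the ones in the report (ip's version is constructed).
COMPONENTS = [
    {"name": "router", "purl": "pkg:npm/%40angular/router@11.2.14"},
    {"name": "ip", "purl": "pkg:npm/ip@1.1.5"},
]


def audit(components, vulns, fuzzy_enabled: bool, fuzzy_exclude_purl: bool):
    """Return one Finding per (component, vulnerability) match.

    PURL matches compare every coordinate (type, namespace, name, version).
    Fuzzy matches compare only the bare component name against the CPE
    product and ignore part and vendor, which is how a JavaScript "router"
    collides with a CPE describing hardware routers.
    """
    findings = []
    for comp in components:
        purl = parse_purl(comp["purl"])
        for vuln in vulns:
            if any(parse_purl(p) == purl for p in vuln["purls"]):
                findings.append(Finding(comp["purl"], vuln["id"], "purl"))
            if not fuzzy_enabled or fuzzy_exclude_purl:
                continue  # this component carries a PURL, so skip name-only matching
            for c in vuln["cpes"]:
                cpe = parse_cpe23(c)
                if cpe.product == comp["name"].lower() and cpe.version in ("*", purl.version):
                    findings.append(Finding(comp["purl"], vuln["id"], "fuzzy", cpe.part))
    return findings


def likely_false_positives(findings):
    """Triage check: a package-manager component reached through a hardware CPE."""
    return [f for f in findings if f.method == "fuzzy" and f.cpe_part == "h"]


if __name__ == "__main__":
    for exclude_purl in (False, True):
        print(f"fuzzy_exclude_purl={exclude_purl}:")
        for f in audit(COMPONENTS, VULNS, fuzzy_enabled=True, fuzzy_exclude_purl=exclude_purl):
            print("  ", f)
```

The `likely_false_positives` check is the kind of triage filter worth running over exported findings while fuzzy matching is still on: a finding that reaches an npm or other package-manager component through a CPE whose part is `h` (hardware) has almost certainly matched on the name alone.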

Lifter-PL commented 1 year ago

Thank you for the information. We will verify if it helps.