clj-holmes / clj-watson

clojure deps SCA
Eclipse Public License 2.0

Encourage folks to improve DependencyCheck by submitting false positives #101

Open lread opened 1 month ago

lread commented 1 month ago

Currently

If a user hits a false positive, they might simply suppress it. See #55.

But...

If we encourage users to submit false positives (and potentially fixes) back to DependencyCheck, we improve tooling for everyone.

For example, here's me submitting a false positive for some jetty libs and here's my fix.

Next Steps

For this to be viable, we'd also need to report the CPE in findings.

And then describe/encourage in the clj-watson README.

seancorfield commented 2 weeks ago

I created #121 to deal with the CPE reporting. I'll make it part of 6.1.

lread commented 2 weeks ago

Good idea, thanks!