defenseunicorns / uds-security-hub-v1-archive

All things about securing UDS
Apache License 2.0

How do we deal with False Positives #231

Open DannyDTenacious opened 1 month ago

DannyDTenacious commented 1 month ago

There are instances where a package may include a critical or high CVE, but within the environment that particular package isn't being used. In those cases, it will need to be noted in some way that this particular CVE is a false positive. This sounds like it may be the responsibility of the UDS Runtime team to solve, but not 100% sure.

benjaminwilcox commented 1 month ago

That isn't a false positive though. A false positive would be mistakenly identifying a vulnerability that doesn't exist. In the scenario you mentioned, it's true that a vulnerability does exist in that particular package. It may be a low-risk issue since that package isn't being used, but it's not a false positive. If it's truly unused and doesn't have any dependency chains, then the vulnerable package should just be removed.
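As an added example (not code from this issue or from the uds-security-hub project), the Python helper below encodes the distinction drawn in the thread as a triage rule: a finding is only a false positive when the flagged component is not actually present; a present-but-unused package is a real, lower-risk finding that should be removed if nothing depends on it, or recorded as not affected with a justification if something does. The `Finding` and `EnvFacts` shapes, the sample CVE id and package name, and the mapping of outcomes onto OpenVEX-style `not_affected` justifications (`component_not_present`, `vulnerable_code_not_in_execute_path`) are my assumptions for illustration, not anything the project defines.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample shapes: one scanner finding plus what is known about the
# deployed environment. None of these fields come from the project; they are
# assumed for the example.

@dataclass
class Finding:
    cve: str               # scanner-reported CVE id (placeholder below)
    package: str           # package the scanner matched
    version_flagged: str   # version the scanner believes is installed
    severity: str          # scanner severity label


@dataclass
class EnvFacts:
    version_installed: Optional[str]  # None if the package is not in the image at all
    in_execution_path: bool           # is the package actually exercised at runtime?
    has_dependents: bool              # does anything else in the image depend on it?


@dataclass
class Triage:
    status: str          # "false_positive", "not_affected" or "affected"
    justification: str   # OpenVEX-style justification string (assumed mapping)
    action: str          # what the maintainer should do with the finding


def triage(f: Finding, env: EnvFacts) -> Triage:
    """Classify a scanner finding using the distinction from the thread:
    only a misidentified vulnerability is a false positive; an unused but
    present vulnerable package is a true finding handled by removal or by
    a documented not-affected justification."""
    if env.version_installed is None:
        # The scanner matched something that is not in the image: a true
        # false positive, because the vulnerable component does not exist here.
        return Triage(
            "false_positive",
            "component_not_present",
            f"Mark {f.cve} as a false positive: {f.package} is not present in the image",
        )
    if not env.in_execution_path:
        if not env.has_dependents:
            # Vulnerable code is present but never used and nothing needs it:
            # the thread's recommendation is to remove it, not to suppress it.
            return Triage(
                "not_affected",
                "vulnerable_code_not_in_execute_path",
                f"Remove unused package {f.package}; do not suppress {f.cve}",
            )
        # Present, unused, but pulled in by a dependency chain: record the
        # justification so the finding is tracked rather than silently ignored.
        return Triage(
            "not_affected",
            "vulnerable_code_not_in_execute_path",
            f"Record {f.cve} as not affected (unused, required by dependents); track for upgrade",
        )
    # Package is exercised at runtime: treat as a real, exploitable finding.
    return Triage("affected", "", f"Remediate {f.cve} in {f.package} ({f.severity}): upgrade or patch")


def vex_statement(f: Finding, t: Triage, product_id: str) -> dict:
    """Render the triage result as a single OpenVEX-style statement dict.
    A scanner false positive is expressed as not_affected/component_not_present,
    since VEX has no separate false-positive status (assumed mapping)."""
    status = "not_affected" if t.status == "false_positive" else t.status
    stmt = {
        "vulnerability": {"name": f.cve},
        "products": [{"@id": product_id}],
        "status": status,
        "impact_statement": t.action,
    }
    if t.justification:
        stmt["justification"] = t.justification
    return stmt


if __name__ == "__main__":
    # Constructed placeholder values; not real identifiers from the project.
    finding = Finding("CVE-0000-00000", "libexample", "1.2.3", "CRITICAL")
    for env in (
        EnvFacts(None, False, False),      # scanner mismatch: false positive
        EnvFacts("1.2.3", False, False),   # unused, no dependents: remove it
        EnvFacts("1.2.3", False, True),    # unused, needed by dependents
        EnvFacts("1.2.3", True, True),     # in use: real finding
    ):
        t = triage(finding, env)
        print(t.status, "|", t.action)
        print(vex_statement(finding, t, "pkg:generic/libexample@1.2.3"))
```

The point of routing every non-affected outcome through `vex_statement` is that the decision and its reason travel with the scan result: a reviewer can see whether a finding was dropped because the component was never there or because it is present but unreachable, which are different risk statements and deserve different follow-up.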