jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Question involving CVEs #6872

Closed lucky499 closed 2 weeks ago

lucky499 commented 3 months ago

Hi Team,

As per my understanding, the dependency check scan tool finds CPEs associated with a dependency (in my case openssl/opensslv.h) and then attaches the respective CVEs in the dependency-check-report. Is that correct?

Why I am asking is because we have scanned an OL8 based Docker image in which we have openssl-1.1.1k-12.el8_9, and in the dependency check report we are seeing Critical/High CVEs reported, but according to our security lead this specific version of openssl-1.1.1k-12.el8_9 doesn't contain any vulnerabilities in OL8 as they were fixed in its prior versions.

Please find below screenshot for example:

CVE: CVE-2021-3711 and the CPE cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*


jeremylong commented 3 months ago

I'd suggest taking a look at How dependency-check works?, Reading the report, and Suppressing False Positives.

As they don't use a standard versioning pattern, ODC will make mistakes. You can simply suppress the false positives.
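An added example (not from the thread or the project) of the suppression file the reply points to, scoped to the case described above: the finding comes from the opensslv.h header, the CPE is the upstream openssl:openssl product, and the vendor package (openssl-1.1.1k-12.el8_9) carries the backported fix. The file path regex, the review date and the `until` expiry are assumptions for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- One narrow rule per backported fix: match the file, the CPE and the CVE,
       not the whole image, so a genuinely new OpenSSL issue still surfaces. -->
  <suppress until="2025-06-30Z">
    <notes><![CDATA[
      False positive: CPE cpe:2.3:a:openssl:openssl:1.1.1k was derived from
      opensslv.h, but the installed RPM is openssl-1.1.1k-12.el8_9 (Oracle
      Linux 8), which carries the vendor backport for CVE-2021-3711.
      Evidence: vendor advisory / rpm changelog reviewed by security lead
      (reviewed 2024-07-01, assumed date). Re-verify before the until date.
    ]]></notes>
    <!-- Assumed location of the header inside the scanned image. -->
    <filePath regex="true">.*/openssl/opensslv\.h</filePath>
    <cpe>cpe:/a:openssl:openssl</cpe>
    <cve>CVE-2021-3711</cve>
  </suppress>
</suppressions>
```

Pass the file with `--suppression suppressions.xml` and keep it in version control so each suppression stays tied to its written justification.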