Description
We are experiencing a large number of false positives when running OWASP Dependency-Check with the Composer Lock Analyzer, which seems to have increased after PR #7295 ("add product evidence as vendor to reduce FN").
Earlier, this topic was discussed in issue #7444 with nuget and composer examples, which was closed after adding some global suppressions. However, the problem for Composer projects remains significant.
Test setup
- Added
composer.lock into the resources folder
- Ran dependency-check locally with:
--out . \
--scan ./src/test/resources/composer.lock \
--nvdDatafeed https://<own-nvd-cache>/nvdcve-{0}.json.gz \
--enableExperimental \
--log ./dependency-check.debug.log
Results
Discussion
I understand the Composer Lock Analyzer is still experimental, but the number of false positives seems extremely high.
I would like to re-open the discussion on Composer Lock evidences:
- Is this the intended behavior, requiring users to manually suppress these findings?
- Or should the analyzer be more conservative with evidence scoring to avoid overwhelming the results with near-100% false positives?
Description
We are experiencing a large number of false positives when running OWASP Dependency-Check with the Composer Lock Analyzer, which seems to have increased after PR #7295 ("add product evidence as vendor to reduce FN").
Earlier, this topic was discussed in issue #7444 with nuget and composer examples, which was closed after adding some global suppressions. However, the problem for Composer projects remains significant.
Test setup
composer.lockinto theresourcesfolderResults
With current main (including PR#7295 changes)
Without the MEDIUM and HIGH confidence matches from PR#7295
Discussion
I understand the Composer Lock Analyzer is still experimental, but the number of false positives seems extremely high.
I would like to re-open the discussion on Composer Lock evidences: