Multiple false positive for ICU DLL #7337
Comments
Sorry, I forgot: I'm using the CLI 12.0.0.
You're not showing what the library itself is recognized as, you're only showing the truncated details of a vulnerability.
Hello @aikebah, you are right, my description is a little short. The vulnerability is CVE-2016-7415. What additional information do you need? Thanks
@breizh31 The more relevant part, besides the CVE, is the information on what library is reported to have it (the identifiers section of the HTML report) and the information that dependency check extracted from your library (the evidences section of the HTML report).
Right, looks like a bug of some kind in the determination of the version of this component. I'll at least flag it as a bug rather than a question, since with the evidences discovered it should not be flagging CVEs that are for a version smaller than 74.x.
Can you take a look inside the 'related dependencies' to see what other libraries from your scan are also bundled up under this same ICU DLL umbrella in the report?
Hello @aikebah, Sure. Thanks,
Hello,
I don't know if it is a bug or a misconfiguration, but I'm scanning a project with an ICU DLL (icudt74.dll) and I'm facing a lot of false positives because the version seems to be ignored.
See attachment: CVE for 57.1, analyzed version 74.2.
Thanks,