Best Practice for Handling Rejected or Withdrawn CVE Entries So No Further False Positives Appear #3622
jreed-cartago
started this conversation in General
Replies: 1 comment
-
Did you find a solution for this? We are facing the same issue.
-
Hi,
Currently we're getting started using Dependency-Track, and we've noticed that when we have the same project with multiple versions and the first version gets hit with a CVE that, when reviewed, turns out to have been withdrawn (in this case https://www.cve.org/CVERecord?id=CVE-2022-41852), we mark it as a False Positive. Then, when the next version is processed, it also has this same CVE identified, although we have already said this is a false positive because it has been withdrawn.
What would be the right way to handle this? I would like to reduce the workload and have these false positives not appear in subsequent processing of future versions. Is there a way to tell Dependency-Track that it should ignore certain CVEs (specifically those that are no longer valid) across all projects?
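An added example, not from the discussion or the Dependency-Track project, of automating the triage the post describes: confirm from the CVE record itself that an id is REJECTED, then build one audit request per finding across every project version so the suppression is not redone by hand. The CVE JSON 5.x field `cveMetadata.state` is real; the finding dict shape and the `PUT /api/v1/analysis` payload fields are my assumptions about the Dependency-Track API, and all records and findings are constructed samples.

```python
import json

# Constructed CVE JSON 5.x records; the id is the one from the post.
REJECTED_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "cveMetadata": {"cveId": "CVE-2022-41852", "state": "REJECTED"},
})
PUBLISHED_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "cveMetadata": {"cveId": "CVE-2021-44228", "state": "PUBLISHED"},
})

# Constructed findings from two versions of one project (assumed shape:
# project uuid, component uuid, vulnerability uuid + vulnId).
FINDINGS = [
    {"project": "proj-v1", "component": {"uuid": "comp-a"},
     "vulnerability": {"uuid": "vuln-1", "vulnId": "CVE-2022-41852"}},
    {"project": "proj-v2", "component": {"uuid": "comp-a2"},
     "vulnerability": {"uuid": "vuln-1", "vulnId": "CVE-2022-41852"}},
    {"project": "proj-v2", "component": {"uuid": "comp-b"},
     "vulnerability": {"uuid": "vuln-2", "vulnId": "CVE-2021-44228"}},
]


def is_rejected(record_json: str) -> bool:
    """True when the CVE record's state is REJECTED (withdrawn on cve.org)."""
    record = json.loads(record_json)
    if record.get("dataType") != "CVE_RECORD":
        raise ValueError("not a CVE JSON 5.x record")
    return record["cveMetadata"].get("state", "").upper() == "REJECTED"


def suppression_requests(findings, rejected_ids):
    """One analysis payload (assumed PUT /api/v1/analysis shape) per finding
    that names a rejected CVE; live CVEs are left for a human to audit."""
    requests = []
    for finding in findings:
        vuln = finding["vulnerability"]
        if vuln["vulnId"] not in rejected_ids:
            continue
        requests.append({
            "project": finding["project"],
            "component": finding["component"]["uuid"],
            "vulnerability": vuln["uuid"],
            "analysisState": "FALSE_POSITIVE",
            "comment": f"{vuln['vulnId']} is REJECTED on cve.org",
            "isSuppressed": True,
        })
    return requests
```

Re-check the record state before each run rather than caching it, since a rejection can itself be reversed.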