> On Aug 7, 2018, at 9:51 AM, Anu Engineer <[email protected]> wrote:
>
> Either I am making a mistake or the Tool is not producing the right messages.
> Can someone take a second look and help me understand if I am making a
> mistake?
In general, the OWASP dependency checker has an extremely high false
positive rate. But it’s worth noting that its popularity is rising, so teams
should be getting ready to get bombarded with user requests asking why CVEs are
popping up like mad. There’s a suppression facility, however, so it’ll be as
common as findbugs suppressions I’m sure.
(FWIW, I’ve been giving feedback to that team, including a patch of
mine that’s waiting for the 4.x release. So on the plus side, they are
extremely receptive to making changes.)
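The suppression facility mentioned above, as an added illustration that is not part of this thread: a dependency-check suppressions file that records why a finding is a false positive and gives the suppression an expiry so it is re-reviewed rather than silently left in place. The package URL, CVE id and date are placeholders, not values from the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the mailing-list thread. Passed to dependency-check
     with its --suppression option (or the suppressionFile setting in the Maven
     plugin); every value below is a placeholder. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Suppress one specific CVE for one specific artifact only, never a blanket
       suppression of the whole library: a narrow match keeps genuine future
       findings on the same jar visible. -->
  <suppress until="2019-02-01Z">
    <notes><![CDATA[
      Placeholder justification: the scanner matched this artifact to a CPE for
      a different product with a similar name; the flagged code is not present
      in this jar. Reviewed by: <reviewer placeholder>. Re-check before the
      'until' date expires, after which dependency-check reports it again.
    ]]></notes>
    <!-- Regex match on the package URL of the artifact (placeholder group/artifact). -->
    <packageUrl regex="true">^pkg:maven/example\.org/example\-lib@.*$</packageUrl>
    <!-- Placeholder CVE id; a real suppression names the exact CVE that was reviewed. -->
    <cve>CVE-2018-00000</cve>
  </suppress>

</suppressions>
```

Keeping the `notes` and `until` fields filled in is what stops a suppressions file from becoming a pile of permanent, unexplained exceptions, which is the same failure mode the findbugs comparison warns about.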