Google’s Autovm security team reports that dependency scanning tools frequently flag vulnerabilities in software that pose no real threat and require no action. In a new Google blog post, the team catalogues the most common kinds of false positives and offers tips on how to recognise them.
Most third-party dependency scanners work the same way: they read the versions of the packages installed on a host and match them against public vulnerability databases. Version matching is a useful first pass for spotting known issues, but on its own it regularly produces false or irrelevant reports, because a version number says nothing about which fixes a package actually carries or whether the vulnerable code is reachable.
One common source of false positives is errors in the vulnerability databases themselves, whether the National Vulnerability Database (NVD) or the data sources maintained for specific operating systems. A vulnerability may be misidentified, or it may be withdrawn after further analysis while scanners keep reporting it. CVE-2023-4881, for instance, was later determined not to be a security issue, yet scanners continued to flag it; checking the entry’s current status in the database before acting is the quick test. Discrepancies between what the NVD records and what an operating system distribution publishes about the same issue can likewise produce inaccurate reports.
Another issue is the broad version ranges listed in general databases, which do not account for fixes that operating system distributions backport into older version numbers. For example, CVE-2020-14422, affecting Python 3.6.10, was addressed in Ubuntu by a patch release that keeps the 3.6.10 upstream version number. Many scanners still report that version as vulnerable because they compare only the upstream number against the generic range, rather than the distribution’s own record of which package revision carries the fix.
Some vulnerabilities apply only under certain build or system configurations, and scanners rarely account for this. CVE-2023-52426, for example, affects only builds made with a particular compile-time configuration, which the packages in Ubuntu Focal do not use. The vulnerability is therefore not relevant there, yet some scanners still flag it.
Incomplete data in vulnerability databases contributes as well, as with CVE-2022-3857, where different databases gave conflicting information about which package versions were affected. A scanner that trusts the broader of the two ranges will report the vulnerability on systems that are in fact unaffected.
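The following script is an added illustration of the mechanism described above and is not code from Google or from any scanner. It builds a toy scanner that does what the blog post criticises (strip a Debian-style version down to its upstream part and compare it against a generic "fixed in" range) and then re-triages each hit with the three pieces of context the post says are usually missing: a withdrawn advisory, a distribution-backported fix recorded under the full package revision, and a build-time configuration that makes the bug unreachable. All package names, CVE identifiers (the CVE-0000-* form is deliberately synthetic), versions and build defines are constructed sample data; the version comparison is a simplified stand-in for a real dpkg comparison and does not handle epochs or tilde ordering exactly.

```python
import re
from dataclasses import dataclass
from typing import Optional


def version_key(v: str) -> tuple:
    """Comparable key: the sequence of numeric runs in a version string.
    Simplified stand-in for a dpkg/rpm comparison (constructed for this demo);
    adequate for dotted upstream versions and revisions like '0ubuntu1~20.04.8'."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def upstream_version(distro_version: str) -> str:
    """Drop epoch and distro revision: '1:3.8.10-0ubuntu1~20.04.8' -> '3.8.10'.
    This stripped value is what a naive scanner matches against a generic range,
    which is exactly how backported fixes get missed."""
    no_epoch = distro_version.split(":", 1)[-1]
    return no_epoch.rsplit("-", 1)[0]


@dataclass(frozen=True)
class Package:
    name: str
    version: str               # full distro version string as installed
    distro: str                # e.g. "ubuntu:20.04"
    build_defines: frozenset   # compile-time defines used by the distro build (constructed)


@dataclass(frozen=True)
class Advisory:
    """Generic-database record: package versions below fixed_in are 'vulnerable'."""
    cve: str
    package: str
    fixed_in: str                                # upstream version carrying the fix
    status: str = "published"                    # "rejected" once the database withdraws it
    only_if_built_without: Optional[str] = None  # bug reachable only when this define is absent


def naive_scan(pkgs, advisories):
    """Version matching alone: upstream part of the installed version vs. generic range."""
    return [(p, a) for p in pkgs for a in advisories
            if a.package == p.name
            and version_key(upstream_version(p.version)) < version_key(a.fixed_in)]


def triage(pkgs, advisories, distro_fixes):
    """Re-evaluate each naive hit with the context a version-only scanner lacks.
    distro_fixes maps (distro, cve) -> {package: full fixed version} as a
    distribution security tracker would publish it (constructed here)."""
    verdicts = {}
    for p, a in naive_scan(pkgs, advisories):
        if a.status == "rejected":
            verdicts[a.cve] = ("not affected", "advisory withdrawn by the database")
            continue
        fix = distro_fixes.get((p.distro, a.cve), {}).get(p.name)
        if fix and version_key(p.version) >= version_key(fix):
            verdicts[a.cve] = ("not affected", f"distro backported the fix in {fix}")
            continue
        if a.only_if_built_without and a.only_if_built_without in p.build_defines:
            verdicts[a.cve] = ("not affected", f"distro build defines {a.only_if_built_without}")
            continue
        verdicts[a.cve] = ("affected", "no mitigating context found; confirm against a second source")
    return verdicts


# Constructed sample inventory and advisories; none of these are real CVEs.
INVENTORY = [
    Package("libfoo", "1.4.2-3ubuntu0.1", "ubuntu:20.04", frozenset()),
    Package("pyexample", "3.6.10-1ubuntu1.3", "ubuntu:20.04", frozenset()),
    Package("libparse", "2.4.1-1", "ubuntu:20.04", frozenset({"PARSE_DTD"})),
    Package("libimg", "1.6.37-2", "ubuntu:20.04", frozenset()),
]
ADVISORIES = [
    Advisory("CVE-0000-1001", "libfoo", fixed_in="1.4.3", status="rejected"),
    Advisory("CVE-0000-1002", "pyexample", fixed_in="3.8.4"),
    Advisory("CVE-0000-1003", "libparse", fixed_in="2.6.0", only_if_built_without="PARSE_DTD"),
    Advisory("CVE-0000-1004", "libimg", fixed_in="1.6.38"),
]
# The backported fix keeps upstream 3.6.10 but bumps the Ubuntu revision.
DISTRO_FIXES = {("ubuntu:20.04", "CVE-0000-1002"): {"pyexample": "3.6.10-1ubuntu1.3"}}


if __name__ == "__main__":
    print("naive hits:", [(p.name, a.cve) for p, a in naive_scan(INVENTORY, ADVISORIES)])
    for cve, (verdict, why) in triage(INVENTORY, ADVISORIES, DISTRO_FIXES).items():
        print(f"{cve}: {verdict} ({why})")
```

Run as-is, the naive pass reports all four packages, while the triage pass leaves only one finding standing. The point of the structure is that each dismissal cites a specific piece of evidence (database status, distro fix revision, build define), so the rationale for suppressing a report is recorded rather than silently applied.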