Google Warns: Dependency Scanners Often Misreport Vulnerabilities
The AutoVM team at Google has discovered that dependency scanning tools often mistakenly report vulnerabilities in software. These vulnerabilities may either pose no real security threat or require no action. In a recent blog post, Google’s team shares the most common types of false positives and provides tips on how to identify them.
The primary issue stems from how third-party dependency scanners work: they read the versions of the packages installed on a host and cross-reference them with public vulnerability databases to determine whether those packages are exposed to known vulnerabilities. Because this matching is done largely on version numbers, the resulting reports frequently contain false or irrelevant findings.
One of the most frequent sources of false positives lies in errors within the vulnerability databases themselves, whether the NVD or distribution-specific data sources. Sometimes a vulnerability is dismissed or retracted after a more thorough analysis. For example, CVE-2023-4881 was deemed non-security-related, yet scanners continued to flag it. In other cases, the information in the NVD differs from the data published by a specific operating system distribution, resulting in erroneous reports.
Another significant factor is the overly broad version ranges of vulnerable software listed in general-purpose databases. These ranges often fail to account for patches that operating system distributions backport independently, without changing the upstream version number. For instance, CVE-2020-14422, which affects Python version 3.6.10, was patched in Ubuntu, yet many scanners continue to consider this version vulnerable.
There are also instances where a vulnerability applies only to certain system configurations, but scanners do not always take this into account. For example, CVE-2023-52426 affects packages only when compiled with specific flags. In Ubuntu Focal, these flags are not used, making the vulnerability irrelevant, yet some scanners persist in flagging it.
Often the issue is incomplete data in vulnerability databases, as seen with CVE-2022-3857, where different databases provide conflicting information about the affected package versions. This leads some scanners to erroneously report the vulnerability even on systems that already carry the fix.
False positives can also arise from incorrect information about the affected binary packages. For example, CVE-2024-6387 impacts only OpenSSH servers, yet Debian’s database marks the entire “openssh” source package as vulnerable, resulting in incorrect vulnerability reports even on systems where only the client is installed.
Moreover, some scanners may flag ancillary information unrelated to security. For instance, they might report updates that don’t concern vulnerabilities, such as timezone data changes or new GPG key additions. These reports pose no security threat and require no immediate action.
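The following script is an added illustration (not code from Google's blog post or from any real scanner) of the matching logic the categories above describe. It contrasts the naive check most scanners perform, comparing only the upstream version number against an advisory's version range, with a distribution-aware check that also honours rejected advisories, the distro's own security tracker for backported fixes, build-time conditions, and the mapping from source packages to binary packages. The CVE identifiers are the ones named in the article; every package name, version string, fixed version, build option and tracker entry is constructed for the example, and the version comparison is a simplified dpkg-style ordering rather than a full implementation.

```python
"""Toy dependency-scanner matcher: naive upstream-range matching versus a
distro-aware check. All versions, packages and tracker data are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

_TOKEN = re.compile(r"\d+|[^\d]+")


def split_version(v: str):
    """Split a Debian-style version 'epoch:upstream-revision' into its parts."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def version_key(v: str):
    """Simplified dpkg-style sort key: epoch, then upstream, then revision.
    Digit runs compare numerically, other runs lexically (no '~' handling)."""
    def toks(s):
        return [(1, int(t), "") if t.isdigit() else (0, 0, t) for t in _TOKEN.findall(s)]
    epoch, upstream, revision = split_version(v)
    return (epoch, toks(upstream), toks(revision))


@dataclass
class Advisory:
    cve: str
    source_pkg: str
    fixed_upstream: str                 # first upstream release with the fix (constructed)
    rejected: bool = False              # withdrawn after analysis, as with CVE-2023-4881
    affected_binaries: Optional[set] = None  # None = every binary built from source_pkg
    build_condition: Optional[str] = None    # only affected when built with this option


@dataclass
class Package:
    name: str          # installed binary package
    source: str        # source package it was built from
    version: str       # Debian-style version string
    build_options: set = field(default_factory=set)


# Constructed host inventory; version strings are illustrative only.
HOST = [
    Package("examplepkg", "examplepkg", "1.0-1example1"),
    Package("python3.6", "python3.6", "3.6.10-1example1"),
    Package("libexpat1", "expat", "2.2.9-1example1"),            # built without the option
    Package("openssh-client", "openssh", "1:8.2p1-4example1"),
    Package("openssh-server", "openssh", "1:8.2p1-4example1"),
]

# Constructed advisories; fixed versions and the build option name are placeholders.
ADVISORIES = [
    Advisory("CVE-2023-4881", "examplepkg", "1.1", rejected=True),
    Advisory("CVE-2020-14422", "python3.6", "3.6.11"),
    Advisory("CVE-2023-52426", "expat", "2.6.0", build_condition="EXAMPLE_BUILD_OPTION"),
    Advisory("CVE-2024-6387", "openssh", "9.8", affected_binaries={"openssh-server"}),
]

# Constructed distro security tracker: (source, cve) -> first distro version carrying
# a backported fix. Real distributions publish this data per release.
DISTRO_TRACKER = {("python3.6", "CVE-2020-14422"): "3.6.10-1example1"}


def naive_scan(packages, advisories):
    """Range-only matching: same source package and upstream version below the
    fixed version means 'vulnerable'. Everything else is ignored."""
    hits = {}
    for adv in advisories:
        for pkg in packages:
            upstream = split_version(pkg.version)[1]
            if pkg.source == adv.source_pkg and version_key(upstream) < version_key(adv.fixed_upstream):
                hits.setdefault(adv.cve, []).append(pkg.name)
    return hits


def aware_scan(packages, advisories, tracker):
    """Distro-aware matching. Returns (hits, dismissed) keyed by CVE, each value a
    list of per-package reasons, so an analyst can see why a finding was dropped."""
    hits, dismissed = {}, {}
    for adv in advisories:
        if adv.rejected:
            dismissed.setdefault(adv.cve, []).append("advisory rejected/withdrawn in the database")
            continue
        for pkg in packages:
            if pkg.source != adv.source_pkg:
                continue
            if adv.affected_binaries is not None and pkg.name not in adv.affected_binaries:
                dismissed.setdefault(adv.cve, []).append(
                    f"{pkg.name}: only {sorted(adv.affected_binaries)} are affected")
                continue
            if adv.build_condition and adv.build_condition not in pkg.build_options:
                dismissed.setdefault(adv.cve, []).append(f"{pkg.name}: built without {adv.build_condition}")
                continue
            fixed = tracker.get((adv.source_pkg, adv.cve))
            if fixed is not None:   # distro backport: compare the full distro version
                vulnerable, basis = version_key(pkg.version) < version_key(fixed), f"distro fix {fixed}"
            else:                   # no distro data: fall back to the upstream range
                upstream = split_version(pkg.version)[1]
                vulnerable, basis = version_key(upstream) < version_key(adv.fixed_upstream), f"upstream fix {adv.fixed_upstream}"
            if vulnerable:
                hits.setdefault(adv.cve, []).append(f"{pkg.name} ({basis})")
            else:
                dismissed.setdefault(adv.cve, []).append(f"{pkg.name}: {pkg.version} is at or past {basis}")
    return hits, dismissed


if __name__ == "__main__":
    print("naive:", naive_scan(HOST, ADVISORIES))
    hits, dismissed = aware_scan(HOST, ADVISORIES, DISTRO_TRACKER)
    print("aware hits:", hits)
    for cve, reasons in dismissed.items():
        print(f"dismissed {cve}: {reasons}")
```

Run as written, the naive pass flags all four CVEs, while the aware pass keeps only CVE-2024-6387 on the host that actually has openssh-server installed and records a reason for each dismissal. The `dismissed` map is the part worth keeping in a real pipeline: a suppressed finding with no recorded justification is indistinguishable from a scanner bug when the advisory data is later corrected.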
In conclusion, Google emphasizes the need to approach dependency scanner reports with caution. False positives can arise for various reasons, and it is essential to verify whether the flagged vulnerability applies to the specific system in question.