False positive results for vulnerabilities

TeoMoldovanu · ‎22 Nov 2023

A vulnerability might be identified incorrectly. Possible reasons for false positives include:

The extracted information from the software component isn't correct and a wrong library was identified (for example, due to wrong information in the pom.xml file).
The identified version of the library has a version string (or a well-known identifier) that was incorrectly parsed or compared. If you see any false positive results, please open a support ticket to help us improve Application Security monitoring.
A vulnerability in a certain library is only exploitable if used in combination with a particular runtime version, but the application with the library is run using a different runtime version. You can mute the vulnerability for the process groups where a different runtime version is used.
The application uses string caches which might lead to false-positive attacks and code-level vulnerabilities.

For more information on how to identify false positives, query the relevant process for information via API, and mute false positives, see Reported vulnerability is considered as a false positive.