Problem
When a security scan is run against the Java agent .jar file, it reports a high number of false-positive security vulnerabilities.
Solution
Suppress the false positives with the following rule (note that the <cpe> element must be closed, otherwise the suppression file will not parse):

    <suppress>
      <notes><![CDATA[newrelic-agent false positives due to the instrumentation package]]></notes>
      <filePath regex="true">.*newrelic-agent-.*\.jar[\\\/]instrumentation.*\.jar</filePath>
      <cpe regex="true">.*</cpe>
    </suppress>
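Before committing a suppression like this, it is worth checking that the file parses and that the filePath regex reaches only the instrumentation jars bundled inside the agent jar, not the agent jar itself or a standalone copy of the same library. The script below is an added example, not New Relic's code: it wraps the rule from this page in an OWASP Dependency-Check style <suppressions> root (the root element and namespace are assumed from that tool's schema), parses it, and evaluates constructed finding paths and CPE strings against it. It assumes Dependency-Check's matching semantics (regex="true" means the whole value must match, case-insensitive unless caseSensitive="true") and uses a simplified rule evaluation: a finding is suppressed when a rule's filePath and cpe both match.

```python
import re
import xml.etree.ElementTree as ET

# Constructed suppression file. The <suppress> rule is the one from the page; the
# <suppressions> root and namespace are assumed from the Dependency-Check schema.
SUPPRESSION_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[newrelic-agent false positives due to the instrumentation package]]></notes>
    <filePath regex="true">.*newrelic-agent-.*\.jar[\\\/]instrumentation.*\.jar</filePath>
    <cpe regex="true">.*</cpe>
  </suppress>
</suppressions>
"""


def _local(tag):
    """Strip the XML namespace so the parser works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _matcher(element):
    """Build a predicate for a <filePath> or <cpe> element.

    Assumed semantics: regex="true" means the whole value must match (like Java's
    Pattern.matches), and matching is case-insensitive unless caseSensitive="true".
    """
    pattern = (element.text or "").strip()
    case_sensitive = element.get("caseSensitive", "false") == "true"
    if element.get("regex", "false") == "true":
        compiled = re.compile(pattern, 0 if case_sensitive else re.IGNORECASE)
        return lambda value: compiled.fullmatch(value) is not None
    if case_sensitive:
        return lambda value: value == pattern
    return lambda value: value.lower() == pattern.lower()


def is_well_formed(xml_text):
    """True if the suppression file parses; a one-line rule missing </cpe> does not."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def load_rules(xml_text):
    """Parse every <suppress> rule into a dict of notes plus matcher predicates."""
    root = ET.fromstring(xml_text)
    rules = []
    for node in root.iter():
        if _local(node.tag) != "suppress":
            continue
        rule = {"notes": "", "filePath": None, "cpe": None}
        for child in node:
            name = _local(child.tag)
            if name == "notes":
                rule["notes"] = (child.text or "").strip()
            elif name in ("filePath", "cpe"):
                rule[name] = _matcher(child)
        rules.append(rule)
    return rules


def is_suppressed(rules, file_path, cpe):
    """Simplified evaluation: suppressed when some rule's filePath (if present)
    matches the dependency path and its cpe (if present) matches the flagged CPE."""
    for rule in rules:
        if rule["filePath"] is not None and not rule["filePath"](file_path):
            continue
        if rule["cpe"] is not None and not rule["cpe"](cpe):
            continue
        return True
    return False


# Constructed findings: (dependency path, flagged CPE). Only the instrumentation
# jars nested inside the agent jar should be suppressed; the agent jar itself and
# a standalone library jar must still be reported.
SAMPLE_FINDINGS = [
    ("/build/libs/newrelic-agent-8.9.0.jar/instrumentation/okhttp-3.0-1.0.jar",
     "cpe:2.3:a:example:okhttp:3.0.0:*:*:*:*:*:*:*"),
    (r"C:\build\newrelic-agent-8.9.0.jar\instrumentation\spring-4.0-1.0.jar",
     "cpe:2.3:a:example:spring_framework:4.0.0:*:*:*:*:*:*:*"),
    ("/build/libs/newrelic-agent-8.9.0.jar",
     "cpe:2.3:a:example:java_agent:8.9.0:*:*:*:*:*:*:*"),
    ("/build/libs/okhttp-3.0.0.jar",
     "cpe:2.3:a:example:okhttp:3.0.0:*:*:*:*:*:*:*"),
]


def triage(xml_text=SUPPRESSION_XML, findings=SAMPLE_FINDINGS):
    """Return {dependency path: suppressed?} so the rule's reach can be reviewed."""
    rules = load_rules(xml_text)
    return {path: is_suppressed(rules, path, cpe) for path, cpe in findings}


if __name__ == "__main__":
    for path, suppressed in triage().items():
        print(("suppressed " if suppressed else "reported   ") + path)
```

The two findings inside the agent jar (one POSIX path, one Windows path, which is why the rule's character class allows either separator) are suppressed; the agent jar itself and the standalone okhttp jar are still reported, which is the scope you want from a rule that suppresses every CPE under a path.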
Cause
The security scan flagged the .jar files as vulnerable because of the class and method names we use to identify sources for instrumentation. However, our instrumentation code is not part of the vulnerable libraries, and the vulnerable libraries are not present in our .jar files, which contain only New Relic code.
For more help
If you need more help, check out these support and learning resources:
- Browse the Explorers Hub to get help from the community and join in discussions.
- Find answers on our sites and learn how to use our support portal.
- Run New Relic Diagnostics, our troubleshooting tool for Linux, Windows, and macOS.
- Review New Relic's data security and licenses documentation.