• /
  • Log in
  • Free account

Large number of false positive security vulnerabilities

Problem

When a security scan is performed, it reports back with a high number of false positive security vulnerabilities.

Cause

The security scan flagged the jar files as vulnerable due to the class and method names we use to identify sources for instrumentation. However, the jar files only contain New Relic instrumentation code.

Solution

Suppress the false positive warnings coming from the instrumentation package in the newrelic.jar with your scanning tool.

For example, false positives discovered by the DependencyCheck project at github.com/jeremylong/DependencyCheck can be suppressed with:

<suppress>
<notes><![CDATA[newrelic-agent false positives due to the instrumentation package]]></notes>
<filePath regex="true">.*newrelic-agent-.*\.jar[\\\/]instrumentation.*\.jar</filePath>
<cpe regex="true">.*
</suppress>

Consult your security scan vendor for the appropriate configuration to suppress false positives.

For more help

If you need more help, check out these support and learning resources:

Create issueEdit page
Copyright © 2021 New Relic Inc.