That wasn't my experience when I used Snyk at my last job, depending on your definition of FP.
For example, if you're using a multi-protocol networking library, and it says that the version you have installed has a vulnerability in its SMTP handling, but you don't use the SMTP functionality, is that a FP?
I'd argue that it's irrelevant, but not a false positive.
I never had it get the version of a library wrong.