Skip to content

Reliability#

The Reliability of a FutureVuls task indicates how reliably the vulnerability was detected.

In FutureVuls, reliability is determined based on the Confidence score assigned by OSS Vuls, as shown below.

flowchart TD
    A["OSS Vuls detects a vulnerability"] --> B["Assigns Confidence to<br>the Detection Method"]
    B --> C{"Check the Confidence value"}
    C -- "1 < Confidence ≤ 10" --> D["Reliability: Low ⚠️<br>(Potential for false positives)"]
    C -- "10 < Confidence ≤ 100" --> E["Reliability: High ✓"]
  • During the OSS Vuls scanning process, a Confidence value from 1 to 100 is assigned to each Detection Method.
  • When detecting a vulnerability, OSS Vuls assigns a Detection Method to it.
  • In FutureVuls, the reliability is determined by the Confidence value corresponding to the assigned Detection Method.
    • If 1 < Confidence <= 10: "Reliability: Low"
    • If 10 < Confidence <= 100: "Reliability: High"

How Reliability is Displayed#

In the Reliability column of the Tasks tab, the reliability is indicated as follows:

  • ✓: "Reliability: High"
  • !: "Reliability: Low"

Additionally, the task detail view shows the following:

  • The detection method assigned by OSS Vuls to the vulnerability, along with its corresponding Confidence value.
  • An alert for potential false positives (only when the reliability is Low).

Reliability display location

Specific Detection Methods Judged as High/Low Reliability#

Based on the OSS Vuls documentation, this section details the specific detection methods judged as Low Reliability and High Reliability.

Detection Methods Considered Low Reliability#

The three detection methods considered "Low Reliability" are listed below; all are used in CPE scanning.

Detection Method Description
NvdVendorProductMatch - Used when a vulnerability is found based on NVD data without CPE version information.
- This is assigned when a vulnerability is found for a CPE registered without specifying a version, such as cpe:/a:microsoft:edge.
FortinetVendorProductMatch Used when a vulnerability is found via the Fortinet data source without CPE version information.
JvnVendorProductMatch Used when a CPE-related vulnerability is not found in the NVD or Fortinet data sources and is detected only via JVN. The JVN detection process cannot perform version range comparisons, so all items matching the defined CPE's Part, Vendor, and Product are detected. For this reason, it is judged as Low Reliability.

Detection Methods Considered High Reliability#

  • For scanning methods other than CPE scan:
    • These are judged as "Reliability: High".
  • For CPE scan:
    • If a detection method other than those listed in the Detection Methods Considered Low Reliability section is assigned, it is judged as "Reliability: High".
    • An example of a CPE scan detection method that results in "Reliability: High" is NvdExactVersionMatch. NvdExactVersionMatch is a detection method assigned when the CPE matches using semantic version comparison or is an exact match.
    • When a vulnerability is detected for a CPE with a specified version, such as cpe:2.3:a:microsoft:edge_chromium:118.0.2088.88:*:*:*:*:*:*:* (corresponding NVD page), NvdExactVersionMatch is assigned.

How to Handle Low-Confidence Vulnerabilities#

If the reliability is low, false positives are more likely. Therefore, we recommend verifying whether it is a false positive. To determine whether a low-reliability task is a false positive, verify the details using primary vulnerability sources, distribution support pages, and the links in the References section. If you confirm there is no impact, you can hide the task and change its status to "NOT_AFFECTED".