add a documentation guide to fix false positive reports

[Simulant87]

I love this project and would like to give something back by fixing some of the open false positive reports. But I don't know where to start.

I would expect that fixing a false positive would be comparing if a certain dependency in combination with a CVE was found and excluding it from the result, comparable to the suppression functionality.

I would like to see a guide (e.g. added to the contribution guide or in the documentation on the website) on how to fix a false positive as contribution to this project. I hope that more developers (including myself) would be enabled to contribute simple fixes to false positives to the main project. Instead of just reporting a false positive more and more would be able to provide a PR to fix the false positive.

[valentijnscholten]

+1, happy to help.

[jeremylong]

In most cases working on the false positives is 100% documented here: https://jeremylong.github.io/DependencyCheck/general/suppression.html

The difference is instead of creating your own suppression.xml - you would contribute a PR to the base suppression file: https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/dependencycheck-base-suppression.xml

In a few cases it is more complicated - such as jeremylong/DependencyCheck#1437. But a majority of the time it is a simple mis-identification and just needs a simple suppression rule added.

[valentijnscholten]

Ok, thanks. The main reason I commented was because I vaguely remembered something around grouping of dependencies or getting dependency check to recognize a certain library as part of a bigger framework i.e. Spring.
Turns out this involved https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/dependencycheck-base-hint.xml which I think now I look at it again also pretty clear on how to use it / update it.

[jeremylong]

The hint analyzer is generally used when a false negative is identified (i.e. dependency-check did not correctly identify a library).