A false negative is a case where, for some reason, vulner did not report any CVE for a given package although the database contains CVEs associated with that package.

Some of the possible reasons are listed below.

- The package name in your package manager may differ from the package name used in NVD, e.g. nodejs -> node.js.
A false positive is a case where vulner reports a particular CVE even though it is not exploitable.

Some of the possible reasons are listed below.

- Suppose there is an upstream patch for a given CVE but no new upstream version containing that patch has been released yet. In such a situation Linux distributions usually publish a patched revision of the same upstream version, so the version string still looks vulnerable although the fix is applied.
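As an added example (not vulner's own code), a small matcher in Python that addresses both of the reasons above: it maps package-manager names onto the NVD product name before matching, and treats an installed distro revision at or above a known patched revision as already fixed. The alias table, package names, versions, revisions and CVE ids below are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed alias table: package-manager name -> product name used in NVD.
# Without it, "nodejs" never matches advisories filed under "node.js".
NVD_ALIASES = {"nodejs": "node.js"}

@dataclass
class Advisory:
    cve: str                 # placeholder id, not a real CVE
    product: str             # product name as used in NVD
    fixed_upstream: str      # first upstream version containing the fix
    # Distro revision of the older upstream version that backports the fix
    # (None when no patched revision is known). Constructed for this example.
    fixed_distro_revision: Optional[str] = None

def normalize_name(pkg_name: str) -> str:
    """Map a package-manager name onto the NVD product name."""
    name = pkg_name.lower()
    return NVD_ALIASES.get(name, name)

def split_version(version: str) -> tuple:
    """'1.0.2g-1ubuntu4.6' -> ('1.0.2g', '1ubuntu4.6'); no revision -> None."""
    upstream, _, revision = version.partition("-")
    return upstream, (revision or None)

def version_key(version: str) -> list:
    """Sortable key: numeric chunks as ints, alpha chunks as strings,
    so that 1.0.10 > 1.0.9 and 1.0.2g > 1.0.2."""
    return [(0, int(c)) if c.isdigit() else (1, c)
            for c in re.findall(r"\d+|[A-Za-z]+", version)]

def is_affected(pkg_name: str, installed: str, adv: Advisory) -> bool:
    """True only if the advisory applies to this package and neither the
    upstream version nor a distro backport revision contains the fix."""
    if normalize_name(pkg_name) != adv.product:
        return False
    upstream, revision = split_version(installed)
    if version_key(upstream) >= version_key(adv.fixed_upstream):
        return False                   # upstream fix already included
    if (adv.fixed_distro_revision and revision
            and version_key(revision) >= version_key(adv.fixed_distro_revision)):
        return False                   # distro backport: not a finding
    return True

def scan(installed: dict, advisories: list) -> list:
    """Return ids of advisories affecting the installed packages."""
    return [adv.cve for name, ver in installed.items()
            for adv in advisories if is_affected(name, ver, adv)]
```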
One wizard once said: "Present doesn't mean active. And active doesn't mean exploitable."

Specifying the conditions under which a vulnerability is exploitable often requires highly specialised knowledge. There are cases where, although a CVE exists, the vulnerability cannot be exploited. For example:

- the vulnerability is exploitable only if the package was compiled with a particular USE flag, e.g. this SELinux + sudo case
- the vulnerability can be exploited only when the package is configured in a specific way, e.g. this sudo case
- the vulnerability exists only for a specific distribution, e.g. the Debian/OpenSSL fiasco from 2006
- the vulnerability is not exploitable because of the C standard library implementation used by the given OS, e.g. the polkit case for Solaris
- only the client side of the package is affected while the server side is not, e.g. this OpenSSH example