CompTIA CASP+ (CAS-004) — Question 565

A vulnerability scanner detected an obsolete version of an open-source file-sharing application on one of a company's Linux servers. While the software version is no longer supported by the OSS community, the company's Linux vendor backported fixes, applied them for all current vulnerabilities, and agrees to support the software in the future.
Based on this agreement, this finding is BEST categorized as a:

Answer options

Correct answer: C

Explanation

The finding is categorized as a false positive because the scanner flagged the software based on its obsolete version number, yet the vendor's backported fixes have already remediated all current vulnerabilities and ongoing support is agreed. A true positive would indicate a genuine, unremediated vulnerability; a true negative would mean the scanner correctly reported no vulnerability; and a false negative would mean a vulnerability exists but was not detected, which is not the case here.