Clarification on suppressions


Sébastien Barbereau

unread,
Nov 22, 2017, 5:32:56 AM11/22/17
to Dependency Check
Hi
for my understanding: how are the suppressions handled? For example, if I take the below suppression from the documentation:


  <suppress>
    <notes><![CDATA[
    This suppresses false positives identified on spring security.
    ]]></notes>
    <gav regex="true">org\.springframework\.security:spring.*</gav>
    <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
    <cpe>cpe:/a:springsource:spring_framework</cpe>
    <cpe>cpe:/a:mod_security:mod_security</cpe>
  </suppress>

Does this example suppress any reporting on vulnerabilities that:
- match ALL the criteria (so GAV & 3 CPEs), or
- match GAV & 1 of the 3 CPEs?




Thanks,

Hans Aikema

unread,
Nov 22, 2017, 5:45:09 AM11/22/17
to Sébastien Barbereau, Dependency Check
Sébastien,

The mentioned snippet suppresses “all vulnerabilities registered against any of the listed CPEs” for dependencies that match the given GAV.

The GAV is used for matching, and if it matches, the suppression rules suppress the recognition of that GAV as any of the listed CPEs.

The cpe-based suppression is to be used if the analysis makes a false-positive link to some product.

See also the XSD for the suppressions file:

The first choice within the suppress element determines the matching criteria (filePath/sha1/gav) and the second the items that are to be suppressed (cpe/cve/cwe/cvssBelow).

Regards,

Hans Aikema
--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dependency-che...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
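The matching semantics Hans describes (GAV selects the dependency, each listed CPE is then suppressed independently, so one matching CPE is enough) as a small added model. This is example code written for this thread, not Dependency Check's own implementation: it handles only the gav criterion and cpe items, and the suppression XML and dependency values are constructed from the snippet quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the suppression quoted from the Dependency Check docs.
SUPPRESSIONS_XML = r"""<suppressions>
  <suppress>
    <notes><![CDATA[This suppresses false positives identified on spring security.]]></notes>
    <gav regex="true">org\.springframework\.security:spring.*</gav>
    <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
    <cpe>cpe:/a:springsource:spring_framework</cpe>
    <cpe>cpe:/a:mod_security:mod_security</cpe>
  </suppress>
</suppressions>"""


def load_rules(xml_text):
    """Parse <suppress> elements into (gav_matcher, suppressed_cpes) pairs.
    Simplified model: only the gav criterion and cpe items are handled;
    filePath/sha1 criteria and cve/cwe/cvssBelow items are ignored here."""
    rules = []
    for sup in ET.fromstring(xml_text).findall("suppress"):
        gav = sup.find("gav")
        if gav is None:
            continue
        if gav.get("regex", "false").lower() == "true":
            pattern = re.compile(gav.text.strip())
            matcher = lambda g, p=pattern: p.fullmatch(g) is not None
        else:
            matcher = lambda g, exact=gav.text.strip(): g == exact
        cpes = {c.text.strip() for c in sup.findall("cpe")}
        rules.append((matcher, cpes))
    return rules


def apply_suppressions(rules, gav, identified_cpes):
    """Return the CPEs still attributed to a dependency after suppression.
    A rule applies when its gav criterion matches this dependency's
    'group:artifact:version'; every listed CPE is then dropped on its own
    (OR semantics), so the dependency need not match all three CPEs."""
    remaining = set(identified_cpes)
    for matches_gav, cpes in rules:
        if matches_gav(gav):
            remaining -= cpes
    return sorted(remaining)


if __name__ == "__main__":
    rules = load_rules(SUPPRESSIONS_XML)
    print(apply_suppressions(rules, "org.springframework.security:spring-security-core:4.2.3.RELEASE",
                             ["cpe:/a:springsource:spring_framework", "cpe:/a:vmware:springsource_spring_security"]))
```

The third CPE in the rule (mod_security) being absent from a dependency does not stop the other two from being suppressed, which is the "GAV & 1 of 3" reading.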

Jeremy Long

unread,
Nov 22, 2017, 6:24:29 AM11/22/17
to Hans Aikema, Sébastien Barbereau, Dependency Check
I would also recommend reading the documentation page on suppressing false positives.

--Jeremy



Sébastien Barbereau

unread,
Nov 22, 2017, 3:01:11 PM11/22/17
to Dependency Check
Thanks both for feedback.
It does clarify the point.

