How to suppress for a set of CPE based on regex


Scott Marsh

Feb 14, 2017, 1:02:44 AM2/14/17
to Dependency Check
I know that the project I am working on is using Python 3.5.2 and I would like to be able to suppress all false positives where the CPE is not equal to:
cpe:/a:python:python:3.5.2

I am having a hard time figuring out how to configure the suppression file to achieve that goal. Cases that I feel the suppression file should catch are still coming through.

I think the regular expression below covers those cases:
cpe:\/a:python:python:(0\..*|1\..*|2\..*|3\.[0-4].*|3\.5\.([0-1]|[3-9]))

For sanity I tested the regular expression below and it appears to be working as expected.

So I created the following suppression file and tested it on my python environment:
dependency-check.sh --project "dep_check" --enableExperimental --suppression "suppress.xml" -s /home/scott/anaconda3/envs/dep_check/

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[
    python versions not equal to 3.5.2
    ]]></notes>
    <!-- regex="true": the element text is a regular expression applied to the dependency's CPE identifier -->
    <cpe regex="true">cpe:\/a:python:python:(0\..*|1\..*|2\..*|3\.[0-4].*|3\.5\.([0-1]|[3-9]))</cpe>
  </suppress>
</suppressions>

However I still get false positives coming through, such as the following CVE:

Vulnerable Software & Versions:

cpe:/a:python:python:2.7.9 and all previous versions
cpe:/a:python:python:3.0
cpe:/a:python:python:3.0.1
cpe:/a:python:python:3.1.0
cpe:/a:python:python:3.1.1
cpe:/a:python:python:3.1.2
cpe:/a:python:python:3.1.3
cpe:/a:python:python:3.1.4
cpe:/a:python:python:3.1.5
cpe:/a:python:python:3.2.0
cpe:/a:python:python:3.2.1
cpe:/a:python:python:3.2.2
cpe:/a:python:python:3.2.3
cpe:/a:python:python:3.2.4
cpe:/a:python:python:3.2.5
cpe:/a:python:python:3.2.6
cpe:/a:python:python:3.3.0
cpe:/a:python:python:3.3.1
cpe:/a:python:python:3.3.2
cpe:/a:python:python:3.3.3
cpe:/a:python:python:3.3.4
cpe:/a:python:python:3.3.5
cpe:/a:python:python:3.3.6
cpe:/a:python:python:3.4.0
cpe:/a:python:python:3.4.1
cpe:/a:python:python:3.4.2
cpe:/a:python:python:3.4.3

However, the only vulnerable configurations for this CVE should be Python versions 3.4.3 and prior, which should be caught by my regular expression.

Can you please advise how I should proceed?

Thanks in advance,
Scott
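To check a suppression regex against known CPE identifiers before running a full scan, here is an added example in Python (not code from the Dependency-Check project or from this thread). It parses a suppression file of the shape posted above, applies each `<cpe regex="true">` rule to a list of identifiers, and also tries an alternative negative-lookahead pattern that suppresses every python CPE except 3.5.2. The identifiers 3.5.10 and 3.6.0 are constructed, the `TIGHTER_RULE` pattern is an assumed alternative, and the use of full-string matching (Java's `Matcher.matches()`) is an assumption about how Dependency-Check applies regex rules.

```python
"""Check Dependency-Check CPE suppression rules offline against CPE identifiers.

Added example, not code from the Dependency-Check project.
"""
import re
import xml.etree.ElementTree as ET

# Constructed suppression file carrying the same rule as the one in the post.
SUPPRESSION_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions>
  <suppress>
    <notes><![CDATA[python versions not equal to 3.5.2]]></notes>
    <cpe regex="true">cpe:\/a:python:python:(0\..*|1\..*|2\..*|3\.[0-4].*|3\.5\.([0-1]|[3-9]))</cpe>
  </suppress>
</suppressions>
"""

# Identifiers taken from the vulnerable-software list quoted in the post ...
PAGE_CPES = [
    "cpe:/a:python:python:2.7.9",
    "cpe:/a:python:python:3.0",
    "cpe:/a:python:python:3.1.0",
    "cpe:/a:python:python:3.4.3",
]
# ... plus constructed identifiers (not on the page) that probe the rule's edges.
CONSTRUCTED_CPES = [
    "cpe:/a:python:python:3.5.2",   # the version in use; must stay unsuppressed
    "cpe:/a:python:python:3.5.10",  # later patch release of the same minor
    "cpe:/a:python:python:3.6.0",   # later minor release
]

# Assumed alternative (not from the page): exclude exactly 3.5.2 with a negative
# lookahead, a construct Java's regex engine supports as well.
TIGHTER_RULE = (r"cpe:/a:python:python:(?!3\.5\.2$).+", True)


def local_name(tag):
    """Strip an XML namespace prefix like '{uri}cpe' down to 'cpe'."""
    return tag.rsplit("}", 1)[-1]


def load_cpe_rules(xml_text):
    """Return (pattern, is_regex) for every <cpe> element in a suppression file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rules = []
    for element in root.iter():
        if local_name(element.tag) == "cpe" and element.text:
            is_regex = element.get("regex", "false").strip().lower() == "true"
            rules.append((element.text.strip(), is_regex))
    return rules


def rule_matches(pattern, is_regex, cpe):
    """Decide whether one <cpe> rule applies to one CPE identifier.

    Assumption: Dependency-Check evaluates regex rules against the whole
    identifier (Java's Matcher.matches()), so re.fullmatch is used, not re.match.
    """
    if is_regex:
        return re.fullmatch(pattern, cpe) is not None
    # Literal rule: exact match only (this model ignores ODC's version-less matching).
    return cpe == pattern


def suppressed(cpes, rules):
    """Map each CPE to True when at least one rule suppresses it."""
    return {cpe: any(rule_matches(p, r, cpe) for p, r in rules) for cpe in cpes}


if __name__ == "__main__":
    all_cpes = PAGE_CPES + CONSTRUCTED_CPES
    for label, rules in (("posted rule", load_cpe_rules(SUPPRESSION_XML)),
                         ("lookahead rule", [TIGHTER_RULE])):
        print(label)
        for cpe, hit in suppressed(all_cpes, rules).items():
            print(f"  {'suppressed' if hit else 'REPORTED  '}  {cpe}")
```

Run as a script, the posted rule leaves 3.5.2 reported, as intended, but it also leaves 3.5.10 and 3.6.0 reported, because the pattern enumerates the versions to suppress instead of excluding the one version to keep; the lookahead variant suppresses everything except 3.5.2. The identifiers here use the `cpe:/a:` URI form shown in the thread; newer Dependency-Check releases report `cpe:2.3:a:...` strings, so a pattern written for one form has to be adapted for the other.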

Jeremy Long

May 14, 2017, 5:50:34 PM5/14/17
to Dependency Check
Sorry for the delayed reply. It is likely that all CPEs for python should be suppressed for the project. Those CPEs are for the core environment. Enhancements for this issue are being tracked in the open issue: https://github.com/jeremylong/DependencyCheck/issues/694

--Jeremy 