I know that the project I am working on is using Python 3.5.2 and I would like to be able to suppress all false positives where the CPE is not equal to:
cpe:/a:python:python:3.5.2
I am having a hard time figuring out how to configure the suppression file to achieve that goal. Cases that I feel the suppression file should catch are still coming through.
I think the regular expression below covers those cases
cpe:\/a:python:python:(0\..*|1\..*|2\..*|3\.[0-4].*|3\.5\.([0-1]|[3-9]))
For sanity I tested the regular expression below and it appears to be working as expected.
So I created the following suppression file and tested it on my python environment:
dependency-check.sh --project "dep_check" --enableExperimental --suppression "suppress.xml" -s /home/scott/anaconda3/envs/dep_check/
<?xml version="1.0" encoding="UTF-8"?>
<!-- root element added here: the posted file closed </suppressions> without opening it; the namespace is the 1.1 suppression schema URL published by dependency-check -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <suppress>
        <notes><![CDATA[
        python versions not equal to 3.5.2
        ]]></notes>
        <cpe regex="true">cpe:\/a:python:python:(0\..*|1\..*|2\..*|3\.[0-4].*|3\.5\.([0-1]|[3-9]))</cpe>
    </suppress>
</suppressions>
However I still get false positives coming through such as the following CVE:
However, the only vulnerable configurations for this CVE should be Python versions 3.4.3 and prior, which should be caught by my regular expression.
Can you please advise how I should proceed?
Thanks in advance,
Scott
Vulnerable Software & Versions:
cpe:/a:python:python:2.7.9 and all previous versions
cpe:/a:python:python:3.0
cpe:/a:python:python:3.0.1
cpe:/a:python:python:3.1.0
cpe:/a:python:python:3.1.1
cpe:/a:python:python:3.1.2
cpe:/a:python:python:3.1.3
cpe:/a:python:python:3.1.4
cpe:/a:python:python:3.1.5
cpe:/a:python:python:3.2.0
cpe:/a:python:python:3.2.1
cpe:/a:python:python:3.2.2
cpe:/a:python:python:3.2.3
cpe:/a:python:python:3.2.4
cpe:/a:python:python:3.2.5
cpe:/a:python:python:3.2.6
cpe:/a:python:python:3.3.0
cpe:/a:python:python:3.3.1
cpe:/a:python:python:3.3.2
cpe:/a:python:python:3.3.3
cpe:/a:python:python:3.3.4
cpe:/a:python:python:3.3.5
cpe:/a:python:python:3.3.6
cpe:/a:python:python:3.4.0
cpe:/a:python:python:3.4.1
cpe:/a:python:python:3.4.2
cpe:/a:python:python:3.4.3
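The following is an added example, not code from the post or from dependency-check, that checks the posted regular expression offline against the CPE strings involved. It assumes two things: that a `<cpe regex="true">` rule is compared against the CPE dependency-check identifies on the scanned dependency (here `cpe:/a:python:python:3.5.2`, as stated in the post), not against the CVE's list of vulnerable configurations, and that the comparison is a full-string match like Java's `String.matches()`. The sample CPE list is constructed from the listing above plus a few extra versions to probe the regex boundaries.

```python
import re

# Regular expression exactly as written in the posted suppression file
POSTED_REGEX = r"cpe:\/a:python:python:(0\..*|1\..*|2\..*|3\.[0-4].*|3\.5\.([0-1]|[3-9]))"

# CPE dependency-check identifies on the scanned environment (assumption: Python 3.5.2, per the post)
IDENTIFIED_CPE = "cpe:/a:python:python:3.5.2"

# Constructed sample: a subset of the CVE's vulnerable configurations from the listing above,
# plus a few versions that are NOT in that listing, to probe the regex boundaries.
SAMPLE_CPES = [
    "cpe:/a:python:python:2.7.9",
    "cpe:/a:python:python:3.0",
    "cpe:/a:python:python:3.2.6",
    "cpe:/a:python:python:3.4.3",
    "cpe:/a:python:python:3.5.1",   # not in the listing; regex intends to suppress it
    "cpe:/a:python:python:3.5.10",  # not in the listing; two-digit patch level
    "cpe:/a:python:python:3.6.0",   # not in the listing; newer minor version
]


def cpe_matches(regex, cpe):
    """Full-string match.

    Assumption: mirrors Java String.matches(), which requires the whole
    string to match (a prefix match would wrongly accept 3.5.10 via 3.5.1).
    """
    return re.fullmatch(regex, cpe) is not None


def matched(regex, cpes):
    """CPEs the rule would remove from a dependency if identified on it."""
    return [c for c in cpes if cpe_matches(regex, c)]


def unmatched(regex, cpes):
    """CPEs the rule leaves untouched."""
    return [c for c in cpes if not cpe_matches(regex, c)]


def suppression_report(regex, identified_cpe, sample_cpes):
    """Summarise what the rule does for the scanned dependency.

    The key question for a <cpe> rule is whether it matches the CPE that was
    identified on the dependency; if it does not, no vulnerability attached
    to that CPE is suppressed, regardless of what else the regex matches.
    """
    return {
        "removes_identified_cpe": cpe_matches(regex, identified_cpe),
        "matched_samples": matched(regex, sample_cpes),
        "unmatched_samples": unmatched(regex, sample_cpes),
    }


if __name__ == "__main__":
    report = suppression_report(POSTED_REGEX, IDENTIFIED_CPE, SAMPLE_CPES)
    print("rule removes identified CPE:", report["removes_identified_cpe"])
    print("matched:", *report["matched_samples"], sep="\n  ")
    print("unmatched:", *report["unmatched_samples"], sep="\n  ")
```

Running this shows that the regex does what the post intends for the listed versions but never matches the identified CPE `3.5.2`, so the rule has nothing to remove and the CVE attached to that identification keeps being reported. It also shows that `3.5.10` falls outside the regex, since `[0-1]` and `[3-9]` only cover single-digit patch levels; a regex built to exclude one version is easier to get right than one that enumerates every other version.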