Suppression File doesn't appear to work

James Lorenzen

Oct 6, 2017, 1:40:18 PM
to Dependency Check
As I stated in my previous post, I'm pretty new to the dependency-check plugin. I'm trying to suppress some vulnerabilities that don't impact our project and the suppressionFiles configuration doesn't appear to impact the results. I'm using version 2.1.1 of the plugin with maven 3.5.0.

Here is the snippet from my POM.xml file:
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>2.1.1</version>
    <configuration>
        <cveValidForHours>12</cveValidForHours>
        <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
        <suppressionFiles>
            <suppressionFile>project-suppression.xml</suppressionFile>
        </suppressionFiles>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

And here is my project-suppression.xml file with contents that I copied from the HTML report:
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <suppress>
        <notes><![CDATA[
        file name: logback-json-core-0.1.5.jar
        ]]></notes>
        <gav regex="true">^ch\.qos\.logback\.contrib:logback-json-core:.*$</gav>
        <cpe>cpe:/a:logback:logback</cpe>
    </suppress>
</suppressions>

What am I missing?

Hans Aikema

Oct 6, 2017, 3:03:41 PM
to James Lorenzen, Dependency Check
James,

You are suppressing the detection of logback-json-core as the logback project, but you’re not suppressing the detection of logback-core (a transitive dependency of logback-json-core) as the logback project.

Your build is now failing because dependency-check sees a (transitive) dependency on the logback-core vulnerable library. In the (collapsed) Suppressed Vulnerabilities section at the bottom of the HTML report you can see that for logback-json-core the vulnerability was indeed properly suppressed.

BTW, a better way of suppressing the given vulnerability (after determining that it is not applicable to your project) is to suppress by CVE. That way other vulnerabilities in logback (should they exist and be discovered sometime in the future) will still be reported.

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <suppress>
        <notes><![CDATA[
        file name: logback-json-core-0.1.5.jar
        ]]></notes>
        <gav regex="true">^ch\.qos\.logback\.contrib:logback-json-core:.*$</gav>
        <cve>CVE-2017-5929</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: logback-core-1.1.3.jar
        ]]></notes>
        <gav regex="true">^ch\.qos\.logback:logback-core:.*$</gav>
        <cve>CVE-2017-5929</cve>
    </suppress>
</suppressions>


regards,
Hans Aikema
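The two points in the answer above (a <gav> selector only affects the artifact it names, so the transitive logback-core stays reported; and a <cpe> suppression hides every current and future CVE behind that CPE, whereas a <cve> suppression hides only the named one) can be checked mechanically. The script below is an added example and not dependency-check's own code: it parses the same suppression-file format used in this thread and applies a deliberately simplified model of the tool's matching (assumptions: a regex <gav> must match the whole group:artifact:version string, a matching <cpe> drops all CVEs that were found through that CPE, a matching <cve> drops just that CVE) to constructed sample dependencies. "CVE-0000-FUTURE" is a placeholder string, not a real identifier; it stands for a logback CVE that does not exist yet.

```python
"""Simplified model of how a dependency-check suppression file is applied."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = "{https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd}"


@dataclass
class Dependency:
    """One scanned artifact: Maven coordinates, the CPE it was matched to,
    and the CVEs reported through that CPE."""
    gav: str
    cpe: str
    cves: frozenset


# Constructed sample data (not a real report). CVE-0000-FUTURE is a placeholder
# for a hypothetical, not-yet-published logback CVE, not a real identifier.
SAMPLE = [
    Dependency("ch.qos.logback.contrib:logback-json-core:0.1.5",
               "cpe:/a:logback:logback", frozenset({"CVE-2017-5929"})),
    Dependency("ch.qos.logback:logback-core:1.1.3",
               "cpe:/a:logback:logback", frozenset({"CVE-2017-5929", "CVE-0000-FUTURE"})),
]

# The original poster's file: one artifact, suppressed by CPE.
BY_CPE = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <gav regex="true">^ch\.qos\.logback\.contrib:logback-json-core:.*$</gav>
    <cpe>cpe:/a:logback:logback</cpe>
  </suppress>
</suppressions>"""

# The suggested file: both artifacts, suppressed by the specific CVE.
BY_CVE = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <gav regex="true">^ch\.qos\.logback\.contrib:logback-json-core:.*$</gav>
    <cve>CVE-2017-5929</cve>
  </suppress>
  <suppress>
    <gav regex="true">^ch\.qos\.logback:logback-core:.*$</gav>
    <cve>CVE-2017-5929</cve>
  </suppress>
</suppressions>"""

# The CPE approach extended to logback-core: builds pass, but so would a future CVE.
BY_CPE_BOTH = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <gav regex="true">^ch\.qos\.logback\.contrib:logback-json-core:.*$</gav>
    <cpe>cpe:/a:logback:logback</cpe>
  </suppress>
  <suppress>
    <gav regex="true">^ch\.qos\.logback:logback-core:.*$</gav>
    <cpe>cpe:/a:logback:logback</cpe>
  </suppress>
</suppressions>"""


@dataclass
class Rule:
    gav: str
    gav_regex: bool
    cpes: list
    cves: list


def parse_suppressions(xml_text: str) -> list:
    """Read each <suppress>: its <gav> selector plus any <cpe>/<cve> targets."""
    rules = []
    for s in ET.fromstring(xml_text).findall(NS + "suppress"):
        gav = s.find(NS + "gav")
        rules.append(Rule(
            gav=gav.text.strip(),
            gav_regex=gav.get("regex", "false") == "true",
            cpes=[c.text.strip() for c in s.findall(NS + "cpe")],
            cves=[c.text.strip() for c in s.findall(NS + "cve")],
        ))
    return rules


def rule_selects(rule: Rule, dep: Dependency) -> bool:
    # Assumption: a regex <gav> has to match the whole coordinate string.
    if rule.gav_regex:
        return re.fullmatch(rule.gav, dep.gav) is not None
    return rule.gav == dep.gav


def remaining_findings(deps, rules) -> dict:
    """Return {gav: [unsuppressed CVEs]} for every dependency still reported."""
    findings = {}
    for dep in deps:
        cves = set(dep.cves)
        for rule in rules:
            if not rule_selects(rule, dep):
                continue                  # rules only touch the artifact their <gav> names
            if dep.cpe in rule.cpes:
                cves.clear()              # CPE suppressed: everything found via it vanishes
            cves.difference_update(rule.cves)  # CVE suppressed: only the named CVEs vanish
        if cves:
            findings[dep.gav] = sorted(cves)
    return findings


if __name__ == "__main__":
    for label, text in (("by CPE", BY_CPE), ("by CVE", BY_CVE), ("by CPE, both", BY_CPE_BOTH)):
        print(label, "->", remaining_findings(SAMPLE, parse_suppressions(text)))
```

Running it shows the three outcomes side by side: with the original file only logback-json-core is silenced and logback-core still fails the build; with the CVE-based file the build passes while the placeholder future CVE on logback-core is still surfaced; with CPE suppression on both artifacts nothing is reported at all, including that future CVE, which is exactly the blind spot the reply warns about.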