How to suppress vulnerabilities found in META-INF pom.xml


Qudosoft

Nov 1, 2017, 8:26:58 AM
to Dependency Check

Hey folks,

is there a possibility to suppress a vulnerability that was found in a META-INF pom.xml file only for that specific JAR file the pom.xml is contained in and not the vulnerable CPE?
In our case it's net.sf.ehcache.ehcache-2.10.4 which contains pom.xmls that reference a vulnerable Jetty version, however Jetty is not on the classpath.
We would like to suppress these vulnerabilities for ehcache only and not for Jetty in general.

We tried setting the GAV to ehcache but that doesn't work.

<suppress>
    <notes><![CDATA[
    file name: ehcache-2.10.4.jar\rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-continuation/pom.xml
    ]]></notes>
    <gav regex="true">^net\.sf\.ehcache:.*$</gav>
    <cpe>cpe:/a:eclipse:jetty</cpe>
    <cpe>cpe:/a:jetty:jetty</cpe>
</suppress>

Setting GAV to org\.eclipse\.jetty worked but this is not ideal as a later introduction of Jetty in the classpath will lead to false negatives.

Thanks,
Alexander

Jim Sellers

Nov 22, 2017, 11:56:39 AM
to Dependency Check
I'm having this exact issue too.

Jeremy Long

Dec 22, 2017, 7:14:04 AM
to Dependency Check
I believe the following would work:

<filePath regex="true">.*\bMETA-INF\b.*jetty-continuation.*</filePath>

Jim Sellers

Dec 22, 2017, 7:27:29 AM
to Jeremy Long, Dependency Check
That filePath goes in the <suppress> tag?

I’ll try this after the holidays. Thank you.

Jim
On Fri, Dec 22, 2017 at 7:14 AM Jeremy Long <jerem...@gmail.com> wrote:
I believe the following would work:

<filePath regex="true">.*\bMETA-INF\b.*jetty-continuation.*</filePath>


Jeremy Long

Dec 22, 2017, 7:38:48 AM
to Dependency Check
Yes, the filePath is one of the types of suppression rules. See https://jeremylong.github.io/DependencyCheck/general/suppression.html

--Jeremy
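A complete suppression file that applies the filePath approach above to the jar from the original question. This is an added example, not something posted in the thread or shipped with Dependency-Check; the schema version and the path separators are assumptions. The regex is anchored on the ehcache jar name so it can only match the nested Jetty poms, not a real jetty-*.jar that later lands on the classpath:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the thread or the Dependency-Check project.
     Assumed: suppression schema 1.1; the nested pom path is reported as
     <jar>\<inner path> or <jar>/<inner path>, so both separators are accepted. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: ehcache-2.10.4.jar bundles Maven poms for org.eclipse.jetty under
        rest-management-private-classpath/META-INF/maven/, but no Jetty classes are on
        the classpath. Scoped to that jar only; a real Jetty dependency is still reported.
        ]]></notes>
        <!-- filePath selects the dependency by its evidence path (jar name plus the
             nested pom path). Anchoring on the ehcache jar name keeps the rule from
             matching any other jar that carries a jetty pom. -->
        <filePath regex="true">.*\behcache-2\.10\.4\.jar[\\/]rest-management-private-classpath[\\/]META-INF[\\/]maven[\\/]org\.eclipse\.jetty[\\/][^\\/]+[\\/]pom\.xml$</filePath>
        <!-- cpe narrows the suppression to the Jetty identifiers from the report; the
             filePath and cpe conditions must both hold for a finding to be suppressed. -->
        <cpe>cpe:/a:eclipse:jetty</cpe>
        <cpe>cpe:/a:jetty:jetty</cpe>
    </suppress>
</suppressions>
```

Point the scan at this file with the suppressionFile setting of your build plugin and re-run: the Jetty findings under ehcache-2.10.4.jar should disappear while any separate jetty-*.jar stays in the report.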

Alexander von Buchholtz

Feb 19, 2018, 7:39:23 AM
to Dependency Check

Thanks Jeremy, that did the trick!

Would this be something helpful for others to add to the documentation?
