Suppressing False Positives


Alex B

Dec 16, 2020, 9:31:14 AM
to Dependency Check
Hi there!

I'm using Dependency-Check integrated into Jenkins, as can be seen in the image below.



I'm trying to mark some items as false positive.

I'm following the instructions in the documentation, where it says "...clicking the suppression button will create a dialogue box which you can simply hit Control-C to copy the XML that you would place into a suppression XML file"

The fact is that I can't find this 'suppression button'.

Can anyone help me, please?

Alex B

Dec 16, 2020, 9:33:17 AM
to Dependency Check
DC_Jenkins.png

Hans Aikema

Dec 16, 2020, 4:34:00 PM
to Alex B, Dependency Check
Alex,

the quote you cite is from the OWASP Dependency Check project documentation, but the screenshots are from the OWASP Dependency Check Jenkins Plugin results page.

The suppress button is in the HTML report of OWASP Dependency Check, which is something different from the Jenkins plugin's vulnerabilities information dashboard.

To use the described button you have to customise the Jenkins Dependency Check plugin configuration to also generate the HTML report. By default it only creates the XML report which it uses to render the results in the ‘publish results’ action. To configure both the XML-format (used by the plugin) and HTML-format (for your ease of suppression generation) you would supply as parameters:

--format XML --format HTML

You then need to browse to the workspace of the project, DOWNLOAD the HTML report to your local disk (in-Jenkins rendering of the HTML report renders the Javascript unusable due to the Jenkins XSS prevention measures used when Jenkins renders an HTML file) and open the downloaded file with your browser.

NOTE: The OWASP Dependency Check Jenkins plugin is a separate project and is currently looking for maintainers. So if you depend on it you may want to try and find capable and willing people in your network to apply for the maintainer position and ensure maintenance of it in the long run.
Refer to the plugin's page (https://plugins.jenkins.io/dependency-check-jenkins-plugin/) and Jenkins' adopt-a-plugin page (https://www.jenkins.io/doc/developer/plugin-governance/adopt-a-plugin/) for more info.


kind regards,
Hans

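The XML that the HTML report's suppression button copies to the clipboard is an entry for a suppression file like the one below. This is a constructed example added here, not the thread's own or the project's own file: the package URL, CPE, SHA-1 and CVE values are placeholders, and the CPE vendor string is an assumption about how the NVD names the product. It shows the two suppression styles a reviewer usually needs: a match-scoped suppression (wrong CPE for one package URL) and a finding-scoped one (one CVE on one jar, pinned by hash and time-boxed so it comes back for review).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example suppressions.xml for OWASP Dependency-Check (not from the thread). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Case 1: our own artifact was matched to a foreign product by name similarity.
       Scope the suppression to the package URL so the same CPE still counts elsewhere.
       Assumed CPE vendor/product names; verify against the identifier shown in the report. -->
  <suppress>
    <notes><![CDATA[
      Placeholder rationale: module com.example:example-demo is not Spring Boot.
      Reviewed by: <REVIEWER>, ticket: <TICKET-ID>
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.example/example\-demo@.*$</packageUrl>
    <cpe>cpe:/a:pivotal_software:spring_boot</cpe>
  </suppress>

  <!-- Case 2: one CVE judged not applicable to one specific jar.
       Pinning by SHA-1 means a version bump (new hash) re-surfaces the finding,
       and "until" forces a re-review after the given date. -->
  <suppress until="2021-06-30Z">
    <notes>Placeholder rationale: vulnerable code path is not reachable in this deployment.</notes>
    <sha1>PLACEHOLDER_40_HEX_CHAR_SHA1_OF_THE_JAR</sha1>
    <cve>CVE-0000-00000</cve>
  </suppress>
</suppressions>
```

The file is passed to the scanner with the CLI's `--suppression` option, so with the Jenkins plugin the additional arguments from above become `--format XML --format HTML --suppression suppressions.xml`; keeping the file in the repository puts every accepted false positive under code review instead of in a dashboard click.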

Alex B

Dec 17, 2020, 6:15:16 AM
to Dependency Check
Hans, 

Thank you very much for your attention.

I'm going to try to follow your instructions .

Kind regards,
Alex

Alex B

Dec 17, 2020, 9:52:52 AM
to Dependency Check

Hans,

One more doubt: if I use Dependency-Check integrated into SonarQube, will I have the same issue with the false positives that I had with Jenkins?

In other words, I'm considering using Dependency-Check with SonarQube instead of Jenkins into my CI/CD pipeline.

What would you recommend?

Thanks in advance.

Kind regards,
Alex

Hans Aikema

Dec 17, 2020, 12:28:43 PM
to Alex B, Dependency Check
Alex,

Dependency-Check plugin of SonarQube imports a DependencyCheck report. It does not run the analysis.

As long as you ensure that you have an appropriate suppression filter in place, that will be reflected in the report and therefore be reflected in the results that end up in SonarQube (it will only create issues for the ones that are not suppressed).

You still need something in your project to RUN the DependencyCheck analysis, either the Jenkins plugin (as a post-build step executed before a post-build Sonar Analysis) or as part of your build process (plugins available for ant, maven, gradle, sbt, or using the CLI scanner for other build automations).

The best option is to use the plugins of whatever build framework you use.

So when using maven as the build framework use the maven-plugin of dependency-check and the maven-plugin of SonarQube. When using gradle use the gradle-plugin of DependencyCheck and the gradle plugin of SonarQube, etc.

The build-framework specific plugins typically do a better job than their CLI counterparts (or plugins of other build frameworks).

A nice blog on using SQ / DC and Jenkins together for the Maven build tooling case I found on the Amis website, which also stresses that you should preferably use the plugins of your build tool even highlighting some of the bad results you can expect when using the CLI-scanner (first results screenshot, a significant number of FPs for falsely detecting their project as spring-boot version 0.0.1-SNAPSHOT based on name-similarity with their project (spring-boot-demo)):

https://technology.amis.nl/2020/10/16/jenkins-pipeline-sonarqube-and-the-owasp-dependency-check/


kind regards,
Hans
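For the Maven case Hans recommends, this is what the wiring looks like in practice: a constructed pom.xml fragment added here, not from the thread, the AMIS post or the project's own documentation. The plugin version is a placeholder, and the `sonar.dependencyCheck.xmlReportPath` property is an assumption about the property name the SonarQube Dependency-Check plugin reads; everything else uses the dependency-check-maven configuration keys. The scan runs in the build with the suppression file applied, the XML report feeds SonarQube, and the HTML report stays available for generating new suppressions.

```xml
<!-- Constructed example pom.xml fragment (not from the thread). -->
<project>
  <properties>
    <!-- Assumed property name: tells the SonarQube Dependency-Check plugin where the report is.
         The Maven plugin writes dependency-check-report.xml into the build directory by default. -->
    <sonar.dependencyCheck.xmlReportPath>${project.build.directory}/dependency-check-report.xml</sonar.dependencyCheck.xmlReportPath>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>PLACEHOLDER_VERSION</version>
        <configuration>
          <!-- XML for the SonarQube import, HTML for the suppression button described above -->
          <formats>
            <format>XML</format>
            <format>HTML</format>
          </formats>
          <!-- Suppressions live in the repository, so accepted false positives are code-reviewed -->
          <suppressionFiles>
            <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
          </suppressionFiles>
          <!-- Break the build on findings of CVSS 7 or higher that survive suppression -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place the pipeline only needs `mvn verify sonar:sonar` (the check goal binds to the verify phase by default): suppressions are applied before the report is written, so SonarQube never sees the findings you have already reviewed, and the HTML report in the build directory is the one to download when you need to add a new entry.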

Alex B

Dec 18, 2020, 10:17:14 AM
to Dependency Check
Hans,

Once again, thank you very much for your kind and informative answer.

It was really helpful.

Kind regards,
Alex