Suppression with multiple CVE tags will not output as unmatched when there is at least one other CVE that does match #4841

Jurrie · 2022-09-13T11:24:57Z

Describe the bug
Since #4685 the unmatched suppression rules are outputted. I think there is a bug in this logic. When a suppression is listed with multiple CVEs, where 1 CVE will not match, there is no output if there is at least one other CVE that is matched.

Version of dependency-check used
The problem occurs using version 7.1.2 of the maven plugin.

To Reproduce
Steps to reproduce the behavior:

Download https://jurr.org/owasp_dependency_check/zero_matches_suppression_rules_bug.zip
Unzip
Read README.txt

Expected behavior
See the README.txt contained in the zip file.

chadlwilson · 2022-10-06T05:57:06Z

To consider for this enhancement that a single rule can contain a variety of different suppression types, e.g both <cve> and <vulnerabilityName> to cover the same things being raised against multiple sources.

Example: https://github.com/gocd/gocd/blob/3afd89a219ce5331080dbd1e0f3cda439eb17b02/buildSrc/dependency-check-suppress.xml#L265-L280

Jurrie added the bug label Sep 13, 2022

aikebah added enhancement and removed bug labels Sep 14, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Suppression with multiple CVE tags will not output as unmatched when there is at least one other CVE that does match #4841

Suppression with multiple CVE tags will not output as unmatched when there is at least one other CVE that does match #4841

Jurrie commented Sep 13, 2022

chadlwilson commented Oct 6, 2022

Suppression with multiple CVE tags will not output as unmatched when there is at least one other CVE that does match #4841

Suppression with multiple CVE tags will not output as unmatched when there is at least one other CVE that does match #4841

Comments

Jurrie commented Sep 13, 2022

chadlwilson commented Oct 6, 2022