
fix(FP): Several FPs not suitable for our automation #5504

Merged
merged 8 commits into from
Feb 27, 2023
Merged

Conversation

aikebah
Copy link
Collaborator

@aikebah aikebah commented Feb 25, 2023

Fixed Issues: see the linked tickets

Description of Change

FP suppressions for which either the automation could not run, or the automation yields an inappropriate suppression

Have test cases been added to cover the new functionality?

no

@boring-cyborg boring-cyborg bot added the core changes to core label Feb 25, 2023
@aikebah aikebah linked an issue Feb 25, 2023 that may be closed by this pull request
@aikebah aikebah linked an issue Feb 25, 2023 that may be closed by this pull request
@aikebah aikebah linked an issue Feb 25, 2023 that may be closed by this pull request
@aikebah aikebah marked this pull request as ready for review February 26, 2023 14:18
@aikebah
Copy link
Collaborator Author

aikebah commented Feb 26, 2023

@jeremylong given the amount of libraries hit by #5502 I think it would be good to get an 8.1.1 release out when this PR is integrated

@adam-siklosi
Copy link

Hi @aikebah

When I saw the release notes for #4723 I thought the age of updating DependencyCheck version for false positive suppressions is over.
Was that a misunderstanding on my side, or are you still working on some aspect of this feature?

Thanks!
Adam

@aikebah
Copy link
Collaborator Author

aikebah commented Feb 27, 2023

@adam-siklosi Not all suppressions are feasible for the automation. The automation is allowing most suppressions (the simple ones - single library, improper CPE - which is the majority of the FP reports) to have a much faster roundtrip time without a need to release (simple suppressions for one library can be handled by automation to be pushed to the published suppressions).
The more complex ones are still only processed in regular development. There is no automation in place to process manual additions to published suppressions.
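For readers unfamiliar with what a "simple" single-library, improper-CPE suppression looks like, here is an added illustration of a Dependency-Check suppression file; it is not part of this pull request or of the project's published suppressions. The package URL, CPE and file name are constructed placeholders, and the schema namespace is assumed to be the dependency-suppression.1.3 XSD that the project publishes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example of a Dependency-Check suppression file (not project code).
     One rule = one library matched by its Package URL, with the CPE that was
     wrongly attached to it. Scoping the rule to a packageUrl pattern keeps it
     from silencing findings for other libraries that happen to share the CPE. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      file name: example-lib-1.2.3.jar  (placeholder)
      Reason: the CPE below belongs to an unrelated vendor product; the
      analyzer matched it on the shared token "example". False positive.
    ]]></notes>
    <!-- regex="true": match every version of this Maven coordinate
         (placeholder group/artifact, not a real library) -->
    <packageUrl regex="true">^pkg:maven/org\.example\.placeholder/example\-lib@.*$</packageUrl>
    <!-- the improper CPE to drop for this package only (placeholder value) -->
    <cpe>cpe:/a:example_vendor:example_product</cpe>
  </suppress>
</suppressions>
```

When reviewing a suppression, check that the `packageUrl` pattern cannot match more than the intended artifact and that the rule removes only the mistaken `cpe` rather than a specific CVE, so a genuinely applicable CVE later published for the correct CPE would still be reported.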

@jeremylong
Copy link
Owner

@aikebah I'll release the new version shortly.

@Marcono1234
Copy link
Contributor

@aikebah, in cases where automation cannot create the suppression, would it not be possible to create the pull request manually against the generatedSuppressions branch (or manually edit the bot generated suppression as it was done in #5122 (comment))?
