From 4b9ee70734b91e5096c6305f520fcb63f88c80e8 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Thu, 21 Jul 2022 06:16:26 -0400
Subject: [PATCH] fixes #4685

---
 .../analyzer/AbstractSuppressionAnalyzer.java | 7 +++-
 .../xml/suppression/SuppressionRule.java | 39 +++++++++++++++----
 2 files changed, 38 insertions(+), 8 deletions(-)
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
index 596fcff1d2e..14c130ea2d6 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -113,7 +113,12 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
 if (rules.isEmpty()) {
 return;
 }
- rules.forEach((rule) -> rule.process(dependency));
+ rules.forEach((rule) -> {
+ rule.process(dependency);
+ if (!rule.isMatched() && !rule.isBase()) {
+ LOGGER.debug("Suppression Rule had zero matches: {}", rule.toString());
+ }
+ });
 }
 
 /**
diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java
index 8222ccda21e..fb610dc40b1 100644
--- a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java
+++ b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java
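Review bot: The zero-match check inside the new `rules.forEach` body runs once per dependency, so a rule whose first match is the fifth dependency analyzed is logged as "had zero matches" for each of the four before it, and the line repeats for every dependency until the rule finally matches; the flag only means what the message says after the last dependency has been processed. Keep this line as the original `rules.forEach((rule) -> rule.process(dependency));` and run the same `!rule.isMatched() && !rule.isBase()` check over `rules` once, from whichever end-of-analysis hook this analyzer overrides (its close or teardown method, not visible here). Passing `rule` rather than `rule.toString()` to `LOGGER.debug` also lets SLF4J skip building the string when debug logging is off, which matters in a per-dependency loop. `analyzeDependency` starts before this hunk; only its tail is shown.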
@@ -103,6 +103,29 @@ public class SuppressionRule {
 */
 private Calendar until;
 
+ /**
+ * A flag whether or not the rule matched a dependency & CPE.
+ */
+ private boolean matched = false;
+
+ /**
+ * Get the value of matched.
+ *
+ * @return the value of matched
+ */
+ public boolean isMatched() {
+ return matched;
+ }
+
+ /**
+ * Set the value of matched.
+ *
+ * @param matched new value of matched
+ */
+ public void setMatched(boolean matched) {
+ this.matched = matched;
+ }
+
 /**
 * Get the (@code{nullable}) value of until.
 *
@@ -467,6 +490,7 @@ public void process(Dependency dependency) {
 for (PropertyType c : this.cpe) {
 if (identifierMatches(c, i)) {
 if (!isBase()) {
+ matched = true;
 if (this.notes != null) {
 i.setNotes(this.notes);
 }
@@ -507,7 +531,6 @@ public void process(Dependency dependency) {
 removeVulns.add(v); break; } - } } if (!remove) {
@@ -524,13 +547,12 @@ public void process(Dependency dependency) {
 }
 }
 }
- if (remove) {
- if (!isBase()) {
- if (this.notes != null) {
- v.setNotes(this.notes);
- }
- dependency.addSuppressedVulnerability(v);
+ if (remove && !isBase()) {
+ matched = true;
+ if (this.notes != null) {
+ v.setNotes(this.notes);
 }
+ dependency.addSuppressedVulnerability(v);
 }
 }
 removeVulns.forEach((v) -> {
@@ -646,6 +668,9 @@ public String toString() {
 if (sha1 != null) {
 sb.append("sha1=").append(sha1).append(',');
 }
+ if (packageUrl != null) {
+ sb.append("packageUrl=").append(packageUrl).append(',');
+ }
 if (gav != null) {
 sb.append("gav=").append(gav).append(',');
 }
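Review bot: The Javadoc on the new `matched` field, "matched a dependency & CPE", understates what sets it: the `process` hunk later in this file also sets `matched = true` on the path that calls `dependency.addSuppressedVulnerability(v)`, and nothing ever clears the flag, so it accumulates across every dependency the rule has processed rather than describing one dependency. I would document that: `/** Whether this rule has suppressed at least one CPE identifier or vulnerability; set by process(Dependency) and never cleared, so it reflects all dependencies processed so far. */`. The public `setMatched` has no caller in this patch and lets any code clear or fake the flag; unless it is needed for tests, drop it or make it package-private. If dependencies are analyzed concurrently (not visible here), a plain `boolean` written from several threads should at least be declared `volatile`.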