Log when non-base suppressions rules are unused #4687

wants to merge 1 commit into from
Expand Up @@ -113,7 +113,12 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
if (rules.isEmpty()) {
return;
}
rules.forEach((rule) -> rule.process(dependency));
rules.forEach((rule) -> {
rule.process(dependency);
if (!rule.isMatched() && !rule.isBase()) {
Collaborator
Checking for non-usage should be a post-processing activity, as many rules used in a full analysis will not be hit for a specific dependency (as they apply to a different dependency).

Owner Author
Thank you. I completely forgot that these could run several times. I'll update this shortly.

LOGGER.debug("Suppression Rule had zero matches: {}", rule.toString());
}
});
}

/**
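Review bot: The new log line `LOGGER.debug("Suppression Rule had zero matches: {}", rule.toString());` evaluates `toString()` eagerly, which defeats the point of the `{}` placeholder form; if LOGGER is an SLF4J logger, as the placeholder suggests, pass the object and let the logger render it only when debug is enabled: `LOGGER.debug("Suppression Rule had zero matches: {}", rule);`. The message also carries no dependency context, so when it fires it cannot be correlated with the artifact being analyzed; adding the dependency's file name as a second placeholder would make the line actionable. With the lambda now spanning several statements, a plain enhanced `for` loop over `rules` would read more clearly than `forEach` with a block body. `analyzeDependency` begins before this hunk; only the tail of its body is visible.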
Expand Up @@ -103,6 +103,29 @@ public class SuppressionRule {
*/
private Calendar until;

/**
* A flag whether or not the rule matched a dependency & CPE.
*/
private boolean matched = false;

/**
* Get the value of matched.
*
* @return the value of matched
*/
public boolean isMatched() {
return matched;
}

/**
* Set the value of matched.
*
* @param matched new value of matched
*/
public void setMatched(boolean matched) {
this.matched = matched;
}

/**
* Get the (@code{nullable}) value of until.
*
Expand Down Expand Up @@ -467,6 +490,7 @@ public void process(Dependency dependency) {
for (PropertyType c : this.cpe) {
if (identifierMatches(c, i)) {
if (!isBase()) {
matched = true;
if (this.notes != null) {
i.setNotes(this.notes);
}
Expand Down Expand Up @@ -507,7 +531,6 @@ public void process(Dependency dependency) {
removeVulns.add(v);
break;
}

}
}
if (!remove) {
Expand All @@ -524,13 +547,12 @@ public void process(Dependency dependency) {
}
}
}
if (remove) {
if (!isBase()) {
if (this.notes != null) {
v.setNotes(this.notes);
}
dependency.addSuppressedVulnerability(v);
if (remove && !isBase()) {
matched = true;
if (this.notes != null) {
v.setNotes(this.notes);
}
dependency.addSuppressedVulnerability(v);
}
}
removeVulns.forEach((v) -> {
Expand Down Expand Up @@ -646,6 +668,9 @@ public String toString() {
if (sha1 != null) {
sb.append("sha1=").append(sha1).append(',');
}
if (packageUrl != null) {
sb.append("packageUrl=").append(packageUrl).append(',');
}
if (gav != null) {
sb.append("gav=").append(gav).append(',');
}
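Review bot: The Javadoc on the new `matched` field says the rule "matched a dependency & CPE", but the `@@ -524,13 +547,12 @@` hunk also sets `matched = true;` when a vulnerability is suppressed, so the comment describes only one of the two paths; suggest `A flag indicating whether this rule matched a dependency's CPE or suppressed one of its vulnerabilities; in the visible code it is only set for non-base rules.` (and `&amp;` rather than a bare `&` if the Javadoc is rendered as HTML). The field is a plain `boolean` written inside `process(Dependency)` and read back through `isMatched()`; if the engine can run `process` for different dependencies on separate threads, which is not visible here, the read may be stale unless the field is `volatile` or an `AtomicBoolean`, so this is worth confirming before the flag is consulted in a post-processing step. `setMatched` widens the public API without a caller in this change; if it exists to reset the flag between analyses, a Javadoc sentence saying so would help. `process` begins before the `@@ -467,6 +490,7 @@` hunk and continues past the `@@ -524,13 +547,12 @@` hunk.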