Log when non-base suppressions rules are unused #4709
Conversation
…ple times we can track if a rule was used
boring-cyborg
bot
added
ant
|
Need to get my head around the why, but it appears to break the suppression of 83e0f64 causing integration-test 629 to fail as cbor gets bundled with ion as the CVE is no longer suppressed for ion |
|
I've been off and on looking at this as time permits - I haven't been able to figure out why this PR breaks 629 and does not suppress the CVE for ion... |
Added a few pieces of targeted debugging and finally got around the root-cause... the singleton is reused in CPESuppressionAnalyzer and VulnerabilitySuppressionAnalyzer, so rather that 55 CVE suppressions + 3 vulnerabilityName suppressions the VulnerabilitySuppressionAnalyzer runs with the same 508 CPE suppression rules that the CPESuppressionAnalyzer uses The base suppressions have 560 rules, 49 contain only CVEs, 3 only vulnerabiltyNames, 502 only CPE and 6 a mixture of CPE and CVE. So out of the 58 rules that VulnerabilitySuppressionAnalyzer should take into account only the 6 that also have CPE suppressions are taken into account. So filtering out the applicable rules needs to move from rules-loading to suppression processing evaluation or we need separate CPE and vulnerabilitySuppression ruleset singletons. |
Bumps ossindex-service-client from 1.8.1 to 1.8.2. --- updated-dependencies: - dependency-name: org.sonatype.ossindex:ossindex-service-client dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
This extends the existing regex to also cover all Quarkus Liquibase artifacts. See https://regex101.com/r/2xOJwo/1 for a regex test. Fixes #4630
Co-authored-by: Hans Aikema <aikebah-github@aikebah.net>
Bumps [maven-reporting-api](https://github.com/apache/maven-reporting-api) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/apache/maven-reporting-api/releases) - [Commits](apache/maven-reporting-api@maven-reporting-api-3.1.0...maven-reporting-api-3.1.1) --- updated-dependencies: - dependency-name: org.apache.maven.reporting:maven-reporting-api dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [postgresql](https://github.com/pgjdbc/pgjdbc) from 42.4.0 to 42.4.1. - [Release notes](https://github.com/pgjdbc/pgjdbc/releases) - [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md) - [Commits](pgjdbc/pgjdbc@REL42.4.0...REL42.4.1) --- updated-dependencies: - dependency-name: org.postgresql:postgresql dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [maven-site-plugin](https://github.com/apache/maven-site-plugin) from 3.12.0 to 3.12.1. - [Release notes](https://github.com/apache/maven-site-plugin/releases) - [Commits](apache/maven-site-plugin@maven-site-plugin-3.12.0...maven-site-plugin-3.12.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-site-plugin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
yarnAuditAnalyzer cannot be enabled if we don't have yarn.lock is added to mixedLangSet.
…encyCheckMojo.java
core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
Outdated
Show resolved
Hide resolved
core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
Outdated
Show resolved
Hide resolved
core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
Outdated
Show resolved
Hide resolved
…SuppressionAnalyzer.java Co-authored-by: Hans Aikema <aikebah-github@aikebah.net>
…SuppressionAnalyzer.java Co-authored-by: Hans Aikema <aikebah-github@aikebah.net>
Supersedes #4687
Fixes #4685
This might be useful to some - a log message has been added when a non-base suppression rule was not used.