Log when non-base suppressions rules are unused #4709
…ple times we can track if a rule was used
Need to get my head around the why, but it appears to break the suppression of 83e0f64 causing integration-test 629 to fail as cbor gets bundled with ion as the CVE is no longer suppressed for ion
I've been off and on looking at this as time permits - I haven't been able to figure out why this PR breaks 629 and does not suppress the CVE for ion...
Added a few pieces of targeted debugging and finally got around the root-cause... the singleton is reused in CPESuppressionAnalyzer and VulnerabilitySuppressionAnalyzer, so rather than 55 CVE suppressions + 3 vulnerabilityName suppressions the VulnerabilitySuppressionAnalyzer runs with the same 508 CPE suppression rules that the CPESuppressionAnalyzer uses.
The base suppressions have 560 rules, 49 contain only CVEs, 3 only vulnerabilityNames, 502 only CPE and 6 a mixture of CPE and CVE. So out of the 58 rules that VulnerabilitySuppressionAnalyzer should take into account only the 6 that also have CPE suppressions are taken into account. So filtering out the applicable rules needs to move from rules-loading to suppression processing evaluation or we need separate CPE and vulnerabilitySuppression ruleset singletons.
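The root cause described in the comment above, and the PR's purpose of logging unused non-base rules, reduced to a small runnable model. This is an added example, not dependency-check's own code: the classes `Rule`, `FilteredAtLoadStore`, `FilteredAtEvaluationStore` and `SuppressionRuleSharingDemo` are hypothetical stand-ins, and the five-rule sample set is constructed to mirror the categories named in the thread (CPE-only, CVE-only, vulnerabilityName-only, mixed, plus one user-supplied non-base rule).

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.function.Predicate;
import java.util.stream.Collectors;

/** Hypothetical, simplified suppression rule (not the project's own class). */
final class Rule {
    final String id;
    final boolean hasCpe;
    final boolean hasCve;
    final boolean hasVulnerabilityName;
    /** true for rules shipped in the base suppression file, false for user-supplied ones. */
    final boolean base;
    private boolean matched;

    Rule(String id, boolean hasCpe, boolean hasCve, boolean hasVulnerabilityName, boolean base) {
        this.id = id;
        this.hasCpe = hasCpe;
        this.hasCve = hasCve;
        this.hasVulnerabilityName = hasVulnerabilityName;
        this.base = base;
    }

    void markMatched() { matched = true; }
    boolean wasMatched() { return matched; }
}

/**
 * Buggy variant (hypothetical): one shared list, filtered by whichever analyzer
 * loads it first. Every later analyzer inherits that first filter.
 */
final class FilteredAtLoadStore {
    private static List<Rule> shared;

    static synchronized List<Rule> rules(List<Rule> all, Predicate<Rule> wanted) {
        if (shared == null) {
            shared = all.stream().filter(wanted).collect(Collectors.toList());
        }
        return shared;
    }

    static synchronized void reset() { shared = null; }
}

/**
 * Fixed variant (hypothetical): the singleton keeps every parsed rule, and each
 * analyzer applies its own filter at evaluation time, so filters cannot leak.
 */
final class FilteredAtEvaluationStore {
    private static List<Rule> shared;

    static synchronized List<Rule> allRules(List<Rule> all) {
        if (shared == null) {
            shared = Collections.unmodifiableList(new ArrayList<>(all));
        }
        return shared;
    }

    static List<Rule> rulesFor(List<Rule> all, Predicate<Rule> wanted) {
        return allRules(all).stream().filter(wanted).collect(Collectors.toList());
    }

    static synchronized void reset() { shared = null; }
}

public class SuppressionRuleSharingDemo {
    static final Predicate<Rule> CPE_RULES = r -> r.hasCpe;
    static final Predicate<Rule> VULN_RULES = r -> r.hasCve || r.hasVulnerabilityName;

    /** Constructed sample: same rule categories as the thread, at small scale. */
    static List<Rule> sampleRules() {
        List<Rule> rules = new ArrayList<>();
        rules.add(new Rule("cpe-only", true, false, false, true));
        rules.add(new Rule("cve-only", false, true, false, true));
        rules.add(new Rule("vulnName-only", false, false, true, true));
        rules.add(new Rule("cpe-and-cve", true, true, false, true));
        rules.add(new Rule("user-cve", false, true, false, false)); // non-base, user supplied
        return rules;
    }

    /** Ids of non-base rules that never matched: what the new log message should report. */
    static List<String> unusedNonBaseRules(List<Rule> rules) {
        return rules.stream()
                .filter(r -> !r.base && !r.wasMatched())
                .map(r -> r.id)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        List<Rule> all = sampleRules();

        // Buggy: the CPE analyzer loads first and pins the shared list to CPE rules,
        // so the vulnerability analyzer only sees the mixed rule, not the CVE/name-only ones.
        FilteredAtLoadStore.reset();
        List<Rule> cpeView = FilteredAtLoadStore.rules(all, CPE_RULES);
        List<Rule> vulnView = FilteredAtLoadStore.rules(all, VULN_RULES);
        System.out.println("buggy: cpe=" + cpeView.size() + " vuln=" + vulnView.size());

        // Fixed: both analyzers read the complete list and filter when they evaluate.
        FilteredAtEvaluationStore.reset();
        List<Rule> cpeRules = FilteredAtEvaluationStore.rulesFor(all, CPE_RULES);
        List<Rule> vulnRules = FilteredAtEvaluationStore.rulesFor(all, VULN_RULES);
        System.out.println("fixed: cpe=" + cpeRules.size() + " vuln=" + vulnRules.size());

        // Simulate a scan in which only the base CVE rule matched; the user's rule did not,
        // so it is the one the unused-rule log message should name.
        vulnRules.stream().filter(r -> r.id.equals("cve-only")).forEach(Rule::markMatched);
        for (String id : unusedNonBaseRules(all)) {
            System.out.println("suppression rule '" + id + "' was never used");
        }
    }
}
```

Compile and run with `javac SuppressionRuleSharingDemo.java && java SuppressionRuleSharingDemo`. The design point is the one the comment makes: a singleton is fine for the parsed rule set, but the per-analyzer filter must be applied at evaluation time (or each analyzer needs its own singleton), otherwise the first loader's filter silently becomes everyone's filter.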
Bumps ossindex-service-client from 1.8.1 to 1.8.2.
---
updated-dependencies:
- dependency-name: org.sonatype.ossindex:ossindex-service-client
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
This extends the existing regex to also cover all Quarkus Liquibase artifacts. See https://regex101.com/r/2xOJwo/1 for a regex test. Fixes #4630
Co-authored-by: Hans Aikema <aikebah-github@aikebah.net>
Bumps [maven-reporting-api](https://github.com/apache/maven-reporting-api) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/apache/maven-reporting-api/releases)
- [Commits](apache/maven-reporting-api@maven-reporting-api-3.1.0...maven-reporting-api-3.1.1)
---
updated-dependencies:
- dependency-name: org.apache.maven.reporting:maven-reporting-api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps [postgresql](https://github.com/pgjdbc/pgjdbc) from 42.4.0 to 42.4.1.
- [Release notes](https://github.com/pgjdbc/pgjdbc/releases)
- [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md)
- [Commits](pgjdbc/pgjdbc@REL42.4.0...REL42.4.1)
---
updated-dependencies:
- dependency-name: org.postgresql:postgresql
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps [maven-site-plugin](https://github.com/apache/maven-site-plugin) from 3.12.0 to 3.12.1.
- [Release notes](https://github.com/apache/maven-site-plugin/releases)
- [Commits](apache/maven-site-plugin@maven-site-plugin-3.12.0...maven-site-plugin-3.12.1)
---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-site-plugin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
yarnAuditAnalyzer cannot be enabled if we don't have yarn.lock is added to mixedLangSet.
…encyCheckMojo.java
Looks good, some minor improvements requested
core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
…SuppressionAnalyzer.java Co-authored-by: Hans Aikema <aikebah-github@aikebah.net>
…SuppressionAnalyzer.java Co-authored-by: Hans Aikema <aikebah-github@aikebah.net>
Supersedes #4687
Fixes #4685
This might be useful to some - a log message has been added when a non-base suppression rule was not used.