From 47f5f5ad8cd635c6a7d8aff13c13fcfb09b4edb5 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Thu, 21 Jul 2022 06:16:26 -0400 Subject: [PATCH 01/25] fixes #4685 --- .../analyzer/AbstractSuppressionAnalyzer.java | 7 +++- .../xml/suppression/SuppressionRule.java | 39 +++++++++++++++---- 2 files changed, 38 insertions(+), 8 deletions(-) diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java index 596fcff1d2e..14c130ea2d6 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java @@ -113,7 +113,12 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An if (rules.isEmpty()) { return; } - rules.forEach((rule) -> rule.process(dependency)); + rules.forEach((rule) -> { + rule.process(dependency); + if (!rule.isMatched() && !rule.isBase()) { + LOGGER.debug("Suppression Rule had zero matches: {}", rule.toString()); + } + }); } /** diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java index 8222ccda21e..fb610dc40b1 100644 --- a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java +++ b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java 
@@ -103,6 +103,29 @@ public class SuppressionRule { */ private Calendar until; + /** + * A flag whether or not the rule matched a dependency & CPE. + */ + private boolean matched = false; + + /** + * Get the value of matched. + * + * @return the value of matched + */ + public boolean isMatched() { + return matched; + } + + /** + * Set the value of matched. + * + * @param matched new value of matched + */ + public void setMatched(boolean matched) { + this.matched = matched; + } + /** * Get the (@code{nullable}) value of until. * @@ -467,6 +490,7 @@ public void process(Dependency dependency) { for (PropertyType c : this.cpe) { if (identifierMatches(c, i)) { if (!isBase()) { + matched = true; if (this.notes != null) { i.setNotes(this.notes); } @@ -507,7 +531,6 @@ public void process(Dependency dependency) { removeVulns.add(v); break; } - } } if (!remove) { @@ -524,13 +547,12 @@ public void process(Dependency dependency) { } } } - if (remove) { - if (!isBase()) { - if (this.notes != null) { - v.setNotes(this.notes); - } - dependency.addSuppressedVulnerability(v); + if (remove && !isBase()) { + matched = true; + if (this.notes != null) { + v.setNotes(this.notes); } + dependency.addSuppressedVulnerability(v); } } removeVulns.forEach((v) -> { @@ -646,6 +668,9 @@ public String toString() { if (sha1 != null) { sb.append("sha1=").append(sha1).append(','); } + if (packageUrl != null) { + sb.append("packageUrl=").append(packageUrl).append(','); + } if (gav != null) { sb.append("gav=").append(gav).append(','); } From 679b0ab3eb37480575f33430cc375d030ed4b51c Mon Sep 17 00:00:00 2001 
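Review bot: `matched` is a plain `boolean` that `process()` writes and `isMatched()` reads later from whatever thread reports unused rules; if the engine drives `process()` from analyzer worker threads (not visible in these hunks), that write has no visibility guarantee, so declare it `private volatile boolean matched = false;`. The new field's Javadoc contains a bare `&` (`a dependency & CPE`), which is invalid Javadoc HTML and fails javadoc/checkstyle linting; write `&amp;` or simply `and`. Both `process()` hunks set the flag only on the `!isBase()` path, so base rules are never marked matched; that is consistent with the debug check that skips base rules, but deserves a one-line comment on the field such as `// only user-supplied rules are tracked; base rules are never reported as unused`. `process()` starts and ends outside these hunks.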
From: Jeremy Long Date: Wed, 27 Jul 2022 07:04:51 -0400 Subject: [PATCH 02/25] make suppression rules collection a singleton so when rules run multiple times we can track if a rule was used --- .../taskdefs/DependencyCheckTaskIT.java | 14 ++- .../org/owasp/dependencycheck/Engine.java | 3 + .../analyzer/AbstractSuppressionAnalyzer.java | 19 ++-- .../xml/suppression/SuppressionRules.java | 102 ++++++++++++++++++ .../AbstractSuppressionAnalyzerTest.java | 32 ++++-- .../analyzer/CpeSuppressionAnalyzerIT.java | 3 + .../VulnerabilitySuppressionAnalyzerIT.java | 3 + 7 files changed, 154 insertions(+), 22 deletions(-) create mode 100644 core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRules.java diff --git a/ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskIT.java b/ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskIT.java index 8eaba38ad1b..a6425afa03c 100644 --- a/ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskIT.java +++ b/ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskIT.java @@ -29,6 +29,7 @@ import org.owasp.dependencycheck.BaseDBTestCase; import static org.junit.Assert.assertTrue; +import org.owasp.dependencycheck.xml.suppression.SuppressionRules; /** * @@ -133,8 +134,8 @@ public void testGetFailBuildOnCVSS() { buildFileRule.executeTarget("failCVSS"); }); - String expectedMessage = String.format("One or more dependencies were identified with vulnerabilities that " + - "have a CVSS score greater than or equal to '%.1f':", 3.0f); + String expectedMessage = String.format("One or more dependencies were identified with vulnerabilities that " + + "have a CVSS score greater than or equal to '%.1f':", 3.0f); Assert.assertTrue(exception.getMessage().contains(expectedMessage)); } 
@@ -146,7 +147,8 @@ public void testGetFailBuildOnCVSS() { public void testSuppressingCVE() { // GIVEN an ant task with a vulnerability final String antTaskName = "suppression"; - + //as the suppression rules are now a singleton - we must reset the list to cause the new suppression rules to load + SuppressionRules.getInstance().list().clear(); // WHEN executing the ant task buildFileRule.executeTarget(antTaskName); if (buildFileRule.getError() != null && !buildFileRule.getError().isEmpty()) { @@ -170,7 +172,8 @@ public void testSuppressingCVE() { public void testSuppressingSingle() { // GIVEN an ant task with a vulnerability using the legacy property final String antTaskName = "suppression-single"; - + //as the suppression rules are now a singleton - we must reset the list to cause the new suppression rules to load + SuppressionRules.getInstance().list().clear(); // WHEN executing the ant task buildFileRule.executeTarget(antTaskName); @@ -187,7 +190,8 @@ public void testSuppressingSingle() { public void testSuppressingMultiple() { // GIVEN an ant task with a vulnerability using multiple was to configure the suppression file final String antTaskName = "suppression-multiple"; - + //as the suppression rules are now a singleton - we must reset the list to cause the new suppression rules to load + SuppressionRules.getInstance().list().clear(); // WHEN executing the ant task buildFileRule.executeTarget(antTaskName); diff --git a/core/src/main/java/org/owasp/dependencycheck/Engine.java b/core/src/main/java/org/owasp/dependencycheck/Engine.java index 4a662fb296f..96181f94e21 100644 --- a/core/src/main/java/org/owasp/dependencycheck/Engine.java +++ b/core/src/main/java/org/owasp/dependencycheck/Engine.java 
@@ -81,6 +81,7 @@ import static org.owasp.dependencycheck.analyzer.AnalysisPhase.PRE_IDENTIFIER_ANALYSIS; import static org.owasp.dependencycheck.analyzer.AnalysisPhase.PRE_INFORMATION_COLLECTION; import org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer; +import org.owasp.dependencycheck.xml.suppression.SuppressionRules; /** * Scans files, directories, etc. for Dependencies. Analyzers are loaded and @@ -658,6 +659,8 @@ public void analyzeDependencies() throws ExceptionCollection { .map((phase) -> analyzers.get(phase)) .forEach((analyzerList) -> analyzerList.forEach((a) -> closeAnalyzer(a))); + SuppressionRules.getInstance().logUnusedRules(); + LOGGER.debug("\n----------------------------------------------------\nEND ANALYSIS\n----------------------------------------------------"); final long analysisDurationSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis() - analysisStart); LOGGER.info("Analysis Complete ({} seconds)", analysisDurationSeconds); diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java index 14c130ea2d6..22462a661fb 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java @@ -44,6 +44,7 @@ import org.slf4j.LoggerFactory; import org.xml.sax.SAXException; import org.owasp.dependencycheck.xml.suppression.SuppressionRuleFilter; +import org.owasp.dependencycheck.xml.suppression.SuppressionRules; /** * Abstract base suppression analyzer that contains methods for parsing the 
@@ -63,9 +64,18 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer imple */ private static final String BASE_SUPPRESSION_FILE = "dependencycheck-base-suppression.xml"; /** - * The list of suppression rules. + * The collection of suppression rules. */ - private final List rules = new ArrayList<>(); + private final SuppressionRules rules = SuppressionRules.getInstance(); + + /** + * Returns the suppression rules. + * + * @return the suppression rules + */ + protected SuppressionRules getSuppressionRules() { + return rules; + } /** * Get the number of suppression rules. @@ -113,11 +123,8 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An if (rules.isEmpty()) { return; } - rules.forEach((rule) -> { + rules.list().forEach((rule) -> { rule.process(dependency); - if (!rule.isMatched() && !rule.isBase()) { - LOGGER.debug("Suppression Rule had zero matches: {}", rule.toString()); - } }); } diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRules.java b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRules.java new file mode 100644 index 00000000000..d5e66639a21 --- /dev/null +++ b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRules.java 
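Review bot: Replacing the per-instance list with the process-wide `SuppressionRules` singleton means every `AbstractSuppressionAnalyzer` subclass prepared in the same Engine (this series touches both a CPE and a vulnerability suppression analyzer) appends into one shared list; unless the loading code outside this hunk guards on `rules.isEmpty()`, the same suppression files are loaded once per analyzer and each rule is applied twice per dependency, and `getRuleCount()` now reports the global total rather than this analyzer's own rules. Guard the load in the prepare path, e.g. `if (rules.isEmpty()) { /* load the suppression files */ }`, and say on the `rules` field Javadoc that the collection is shared across analyzer instances and across Engine runs in the same JVM, since that is the behaviour the tests in this series work around. The lambda in `analyzeDependency` no longer needs braces: `rules.list().forEach((rule) -> rule.process(dependency));`. `analyzeDependency` and the enclosing class begin outside the hunk.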
@@ -0,0 +1,102 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2022 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.xml.suppression;
+
+import java.util.ArrayList;
+import java.util.List;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ *
+ * @author Jeremy Long
+ */
+public class SuppressionRules {
+
+ /**
+ * Singleton.
+ */
+ private static final SuppressionRules INSTANCE = new SuppressionRules();
+ /**
+ * The Logger for use throughout the class.
+ */
+ private static final Logger LOGGER = LoggerFactory.getLogger(SuppressionRules.class);
+ /**
+ * The list of suppression rules.
+ */
+ private static final List rules = new ArrayList<>();
+
+ private SuppressionRules() {
+ }
+
+ /**
+ * Returns the instance of SuppressionRules.
+ *
+ * @return the instance of SuppressionRules
+ */
+ public static SuppressionRules getInstance() {
+ return INSTANCE;
+ }
+
+ /**
+ * Get the number of suppression rules.
+ *
+ * @return the number of suppression rules
+ */
+ public int size() {
+ return rules.size();
+ }
+
+ /**
+ * Returns true if there are no suppression rules; otherwise false.
+ *
+ * @return true if there are no suppression rules; otherwise false
+ */
+ public boolean isEmpty() {
+ return rules.isEmpty();
+ }
+
+ /**
+ * Returns the list of suppression rules.
+ *
+ * @return the list of suppression rules
+ */
+ public List list() {
+ return rules;
+ }
+
+ /**
+ * Appends the new suppression rules to the list of rules.
+ *
+ * @param newRules the new suppression rules
+ */
+ public void addAll(List newRules) {
+ rules.addAll(newRules);
+ }
+
+ /**
+ * Logs unused suppression rules.
+ */
+ public void logUnusedRules() {
+ rules.forEach((rule) -> {
+ if (!rule.isMatched() && !rule.isBase()) {
+ LOGGER.debug("Suppression Rule had zero matches: {}", rule.toString());
+ }
+ });
+ }
+}
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
index 34ed15f36c4..29d5b2e8042 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
@@ -34,6 +34,7 @@
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.Settings.KEYS;
 import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
+import org.owasp.dependencycheck.xml.suppression.SuppressionRules;
 /**
 * @author Jeremy Long
@@ -49,11 +50,12 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
 * Suppression file to test with.
 */
 private static final String SUPPRESSIONS_FILE = "suppressions.xml";
-
+
 private AbstractSuppressionAnalyzer instance;
-
+
 @Before
 public void createObjectUnderTest() throws Exception {
+ SuppressionRules.getInstance().list().clear();
 instance = new AbstractSuppressionAnalyzerImpl();
 }
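Review bot: `list()` hands out the static backing `ArrayList` itself, so any caller can mutate global state, and the tests in this series do exactly that through `SuppressionRules.getInstance().list().clear()` (the DependencyCheckTaskIT, AbstractSuppressionAnalyzerTest, CpeSuppressionAnalyzerIT and VulnerabilitySuppressionAnalyzerIT hunks). Add an explicit `public void clear() { rules.clear(); }` and have `list()` return `java.util.Collections.unmodifiableList(rules)` (one new import) so the only mutation paths are `addAll` and `clear`. The class Javadoc has no summary sentence; something like `Process-wide registry of the loaded suppression rules, used to report rules that never matched a dependency.` would also document the cross-run sharing the commit relies on. `logUnusedRules()` reports stale rules only at debug level, which is invisible in a default run; if the intent is for users to notice suppressions that no longer apply, `LOGGER.info` (or `warn`) is the level that reaches them, and the `rule.toString()` argument can be passed as `rule` since SLF4J formats it lazily.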
@@ -112,7 +114,7 @@ public void testGetRulesFromMultipleSuppressionFiles() throws Exception { final int expectedSize = rulesInFirstFile + rulesInSecondFile + rulesInCoreFile; assertThat("Expected suppressions from both files", instance.getRuleCount(), is(expectedSize)); } - + @Test(expected = InitializationException.class) public void testFailureToLocateSuppressionFileAnywhere() throws Exception { getSettings().setString(Settings.KEYS.SUPPRESSION_FILE, "doesnotexist.xml"); @@ -132,7 +134,9 @@ private int getNumberOfRulesLoadedInCoreFile() throws Exception { final AbstractSuppressionAnalyzerImpl coreFileAnalyzer = new AbstractSuppressionAnalyzerImpl(); coreFileAnalyzer.initialize(getSettings()); coreFileAnalyzer.prepare(null); - return coreFileAnalyzer.getRuleCount(); + int count = coreFileAnalyzer.getRuleCount(); + coreFileAnalyzer.reset(); + return count; } /** 
@@ -148,26 +152,28 @@ private int getNumberOfRulesLoadedFromPath(final String path) throws Exception { final AbstractSuppressionAnalyzerImpl fileAnalyzer = new AbstractSuppressionAnalyzerImpl(); fileAnalyzer.initialize(getSettings()); fileAnalyzer.prepare(null); - return fileAnalyzer.getRuleCount(); + int count = fileAnalyzer.getRuleCount(); + fileAnalyzer.reset(); + return count; } - + public static class AbstractSuppressionAnalyzerImpl extends AbstractSuppressionAnalyzer { - + @Override public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates. } - + @Override public String getName() { throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates. } - + @Override public AnalysisPhase getAnalysisPhase() { throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates. } - + @Override protected String getAnalyzerEnabledSettingKey() { return "unknown"; @@ -177,6 +183,10 @@ protected String getAnalyzerEnabledSettingKey() { public boolean filter(SuppressionRule rule) { return false; } + + public void reset() { + getSuppressionRules().list().clear(); + } } - + } diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzerIT.java index f447b94ca03..ae0854f2e52 100644 --- a/core/src/test/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzerIT.java +++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzerIT.java 
@@ -26,6 +26,7 @@ import org.owasp.dependencycheck.utils.Settings; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; +import org.owasp.dependencycheck.xml.suppression.SuppressionRules; /** * Testing the CPE suppression analyzer. @@ -80,6 +81,8 @@ public void testAnalyze() throws Exception { assertTrue(cveSize > 0); assertTrue(cpeSize > 0); getSettings().setString(Settings.KEYS.SUPPRESSION_FILE, suppression.getAbsolutePath()); + //as the suppression rules are now a singleton - we must reset the list to cause the new suppression rules to load + SuppressionRules.getInstance().list().clear(); CpeSuppressionAnalyzer instance = new CpeSuppressionAnalyzer(); instance.initialize(getSettings()); instance.prepare(engine); diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java index 3706afb26ba..c017ae40d25 100644 --- a/core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java +++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java @@ -26,6 +26,7 @@ import org.owasp.dependencycheck.utils.Settings; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; +import org.owasp.dependencycheck.xml.suppression.SuppressionRules; /** * Testing the vulnerability suppression analyzer. @@ -81,6 +82,8 @@ public void testAnalyze() throws Exception { assertTrue(cveSize > 0); assertTrue(cpeSize > 0); getSettings().setString(Settings.KEYS.SUPPRESSION_FILE, suppression.getAbsolutePath()); + //as the suppression rules are now a singleton - we must reset the list to cause the new suppression rules to load + SuppressionRules.getInstance().list().clear(); VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer(); instance.initialize(getSettings()); instance.prepare(engine); 
From 0c3c3f3dfbe73fd120b4fa29c4f0f28d461c04d8 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Thu, 28 Jul 2022 06:47:20 -0400 Subject: [PATCH 03/25] make checkstyle happier --- .../org/owasp/dependencycheck/Engine.java | 2 +- .../xml/suppression/SuppressionRules.java | 34 +++++++++---------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/core/src/main/java/org/owasp/dependencycheck/Engine.java b/core/src/main/java/org/owasp/dependencycheck/Engine.java index 96181f94e21..292f3424905 100644 --- a/core/src/main/java/org/owasp/dependencycheck/Engine.java +++ b/core/src/main/java/org/owasp/dependencycheck/Engine.java @@ -660,7 +660,7 @@ public void analyzeDependencies() throws ExceptionCollection { .forEach((analyzerList) -> analyzerList.forEach((a) -> closeAnalyzer(a))); SuppressionRules.getInstance().logUnusedRules(); - + LOGGER.debug("\n----------------------------------------------------\nEND ANALYSIS\n----------------------------------------------------"); final long analysisDurationSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis() - analysisStart); LOGGER.info("Analysis Complete ({} seconds)", analysisDurationSeconds); diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRules.java b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRules.java index d5e66639a21..771a5ecac68 100644 --- a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRules.java +++ b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRules.java @@ -26,7 +26,7 @@ * * @author Jeremy Long */ -public class SuppressionRules { +public final class SuppressionRules { /** * Singleton. 
@@ -37,9 +37,9 @@ public class SuppressionRules { */ private static final Logger LOGGER = LoggerFactory.getLogger(SuppressionRules.class); /** - * The list of suppression rules. + * The list of suppression RULES. */ - private static final List rules = new ArrayList<>(); + private static final List RULES = new ArrayList<>(); private SuppressionRules() { } @@ -54,46 +54,46 @@ public static SuppressionRules getInstance() { } /** - * Get the number of suppression rules. + * Get the number of suppression RULES. * - * @return the number of suppression rules + * @return the number of suppression RULES */ public int size() { - return rules.size(); + return RULES.size(); } /** - * Returns true if there are no suppression rules; otherwise false. + * Returns true if there are no suppression RULES; otherwise false. * - * @return true if there are no suppression rules; otherwise false + * @return true if there are no suppression RULES; otherwise false */ public boolean isEmpty() { - return rules.isEmpty(); + return RULES.isEmpty(); } /** - * Returns the list of suppression rules. + * Returns the list of suppression RULES. * - * @return the list of suppression rules + * @return the list of suppression RULES */ public List list() { - return rules; + return RULES; } /** - * Appends the new suppression rules to the list of rules. + * Appends the new suppression RULES to the list of RULES. * - * @param newRules the new suppression rules + * @param newRules the new suppression RULES */ public void addAll(List newRules) { - rules.addAll(newRules); + RULES.addAll(newRules); } /** - * Logs unused suppression rules. + * Logs unused suppression RULES. */ public void logUnusedRules() { - rules.forEach((rule) -> { + RULES.forEach((rule) -> { if (!rule.isMatched() && !rule.isBase()) { LOGGER.debug("Suppression Rule had zero matches: {}", rule.toString()); } From 9a9a8f78aa73c42f5761a01841ed2c56acc8909b Mon Sep 17 00:00:00 2001 
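Review bot: The `rules` → `RULES` rename was applied to the Javadoc prose as well, producing `The list of suppression RULES.`, `Get the number of suppression RULES.`, `Returns true if there are no suppression RULES; otherwise false.`, `Appends the new suppression RULES to the list of RULES.` and `Logs unused suppression RULES.`; these sentences describe the concept, not the constant, and should keep lowercase `rules` (or use `{@link #RULES}` where the field itself is meant). Only the declaration and the member accesses (`RULES.size()`, `RULES.isEmpty()`, `return RULES;`, `RULES.addAll(newRules)`, `RULES.forEach(...)`) needed to change for checkstyle.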
From: Jeremy Long Date: Thu, 28 Jul 2022 07:10:44 -0400 Subject: [PATCH 04/25] fix build --- .../analyzer/VulnerabilitySuppressionAnalyzerIT.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java index c017ae40d25..eef2af0fe42 100644 --- a/core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java +++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java @@ -74,6 +74,8 @@ public void testAnalyze() throws Exception { getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false); getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false); try (Engine engine = new Engine(getSettings())) { + //as the suppression rules are now a singleton - we must reset the list to cause the new suppression rules to load + SuppressionRules.getInstance().list().clear(); engine.scan(file); engine.analyzeDependencies(); Dependency dependency = getDependency(engine, file); From 6ed40623866d712a7daa62ebbfce45caf97b3d5a Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Thu, 28 Jul 2022 07:36:25 -0400 Subject: [PATCH 05/25] suppress warning --- .../owasp/dependencycheck/xml/suppression/SuppressionRules.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRules.java b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRules.java index 771a5ecac68..9010e96f43b 100644 --- a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRules.java +++ b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRules.java 
@@ -17,6 +17,7 @@ */ package org.owasp.dependencycheck.xml.suppression; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import java.util.ArrayList; import java.util.List; import org.slf4j.Logger; @@ -49,6 +50,7 @@ private SuppressionRules() { * * @return the instance of SuppressionRules */ + @SuppressFBWarnings(justification = "Intended", value = {"MS_EXPOSE_REP"}) public static SuppressionRules getInstance() { return INSTANCE; } From 5bc821bf8cec746f125a876c8491411c876bc930 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Thu, 28 Jul 2022 06:40:52 -0400 Subject: [PATCH 06/25] purge github action cache --- .github/workflows/purge-cache.yml | 35 +++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 .github/workflows/purge-cache.yml diff --git a/.github/workflows/purge-cache.yml b/.github/workflows/purge-cache.yml new file mode 100644 index 00000000000..ddbd33f035c --- /dev/null +++ b/.github/workflows/purge-cache.yml @@ -0,0 +1,35 @@ +name: Purge Cache + +on: workflow_dispatch + +jobs: + build: + name: Purge GitHub Cache + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Check Maven Cache + id: maven-cache + uses: actions/cache@v3 + with: + path: ~/.m2/repository + key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} + restore-keys: | + ${{ runner.os }}-maven- + - name: Check Local Maven Cache + id: maven-it-cache + uses: actions/cache@v3 + with: + path: maven/target/local-repo + key: mvn-it-repo + - name: Check ODC Data Cache + id: odc-data-cache + uses: actions/cache@v3 + with: + path: core/target/data + key: odc-data + - name: Delete Data Directories + run: | + rm -rf ~/.m2/repository/org/owasp/dependency-check-data + rm -rf maven/target/local-repo/org/owasp/dependency-check-data + rm -rf core/target/data From ea4662c89a303d1c0a7b66d0213c28fb14abe558 Mon Sep 17 00:00:00 2001 
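Review bot: The `MS_EXPOSE_REP` suppression on `getInstance()` carries the justification `"Intended"`, which tells a later auditor nothing about why exposing a mutable static is acceptable; SpotBugs justifications are the record of that decision, so state it, e.g. `justification = "Singleton registry by design; callers append via addAll and tests reset it between runs"`. The same finding applies more directly to the static list returned by `list()` earlier in this series, so if that accessor is ever made read-only this suppression should be revisited rather than copied.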
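Review bot: The purge depends on `actions/cache@v3` re-uploading the emptied directories in its post-job step, but as documented for that action an exact key hit skips the save, so with the fixed keys `mvn-it-repo` and `odc-data` (and a Maven key that only changes when a `pom.xml` changes) the three `rm -rf` lines are unlikely to evict anything. Deleting the entries through the Actions cache REST API or the GitHub CLI from this workflow, or rotating the key, is the reliable way to purge. Separately, `actions/checkout@v3` and `actions/cache@v3` are pinned by mutable tag; pinning third-party actions to a full commit SHA with the tag in a trailing comment is the standard supply-chain hardening for workflow files.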
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 28 Jul 2022 01:03:47 +0000 Subject: [PATCH 07/25] Bump ossindex-service-client from 1.8.1 to 1.8.2 Bumps ossindex-service-client from 1.8.1 to 1.8.2. --- updated-dependencies: - dependency-name: org.sonatype.ossindex:ossindex-service-client dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 4687a0b857e..47d491f58f4 100644 --- a/pom.xml +++ b/pom.xml @@ -1302,7 +1302,7 @@ Copyright (c) 2012 - Jeremy Long org.sonatype.ossindex ossindex-service-client - 1.8.1 + 1.8.2 org.apache.httpcomponents From f255f926882d4b842a32cb36e799095b135cbc9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcel=20St=C3=B6r?= Date: Thu, 28 Jul 2022 20:31:28 +0200 Subject: [PATCH 08/25] Extend Quarkus Liquibase pattern This extends the existing regex to also cover all Quarkus Liquibase artifacts. See https://regex101.com/r/2xOJwo/1 for a regex test. Fixes #4630 --- core/src/main/resources/dependencycheck-base-suppression.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index ddb822f36bb..ce356c7d94f 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml @@ -4842,7 +4842,7 @@ - ^pkg\:maven/io\.quarkus.*/quarkus\-liquibase@.* + ^pkg\:maven/io\.quarkus.*/quarkus\-liquibase(-[a-z]+)?@.* cpe:/a:liquibase:liquibase From 0d6504ecf8321e6c49798572db16c4c4b459fe08 Mon Sep 17 00:00:00 2001 From: Misael Bustamante Date: Thu, 28 Jul 2022 17:04:18 -0500 Subject: [PATCH 09/25] Add FP for parseurl --- .../main/resources/dependencycheck-base-suppression.xml | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index ce356c7d94f..7c2981f720e 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml @@ -5290,5 +5290,12 @@ ^pkg:maven/(?!org\.springframework/spring\-web@).*$ CVE-2016-1000027 + + + ^pkg:npm/parseurl@.*$ + cpe:/a:parse-url_project:parse-url + From 8dc569c1c7ca5a1bbbbe5d3a85d7eda956f4becb Mon Sep 17 00:00:00 2001 From: Misael Bustamante Date: Sat, 30 Jul 2022 19:23:57 -0500 Subject: [PATCH 10/25] Apply suggestions from code review Co-authored-by: Hans Aikema --- core/src/main/resources/dependencycheck-base-suppression.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index 7c2981f720e..ba59bf45c16 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml @@ -5290,7 +5290,7 @@ ^pkg:maven/(?!org\.springframework/spring\-web@).*$ CVE-2016-1000027 - + From 7e32b9dfe94674c89e6872b77bfea5cb91ba20f3 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 1 Aug 2022 06:11:36 -0400 Subject: [PATCH 11/25] merge #4703 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 47d491f58f4..4964e2693d3 100644 --- a/pom.xml +++ b/pom.xml @@ -283,7 +283,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugins maven-resources-plugin - 3.2.0 + 3.3.0 org.owasp.maven-tools From cc66a98d575f5eb4534c5d20504fa805ffc4f589 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 1 Aug 2022 06:12:20 -0400 Subject: [PATCH 12/25] merge #4715 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 4964e2693d3..21a29e538e6 100644 --- a/pom.xml +++ b/pom.xml 
@@ -288,7 +288,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp.maven-tools velocity-whitespace-resource-filter - 1.0.0 + 2.0.0 From 64e2a4a34bf944e65fcda6a4a9e75d61589d0556 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Aug 2022 01:31:34 +0000 Subject: [PATCH 13/25] Bump maven-reporting-api from 3.1.0 to 3.1.1 Bumps [maven-reporting-api](https://github.com/apache/maven-reporting-api) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/apache/maven-reporting-api/releases) - [Commits](https://github.com/apache/maven-reporting-api/compare/maven-reporting-api-3.1.0...maven-reporting-api-3.1.1) --- updated-dependencies: - dependency-name: org.apache.maven.reporting:maven-reporting-api dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 21a29e538e6..bd56f188e9b 100644 --- a/pom.xml +++ b/pom.xml @@ -157,7 +157,7 @@ Copyright (c) 2012 - Jeremy Long 3.1.0 3.3.0 3.6.4 - 3.1.0 + 3.1.1 3.2.2 2.3 1.4 From 7952bb4534b36c34bad399796cc701686f5f82fa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Aug 2022 01:02:01 +0000 Subject: [PATCH 14/25] Bump postgresql from 42.4.0 to 42.4.1 Bumps [postgresql](https://github.com/pgjdbc/pgjdbc) from 42.4.0 to 42.4.1. - [Release notes](https://github.com/pgjdbc/pgjdbc/releases) - [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md) - [Commits](https://github.com/pgjdbc/pgjdbc/compare/REL42.4.0...REL42.4.1) --- updated-dependencies: - dependency-name: org.postgresql:postgresql dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- core/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/pom.xml b/core/pom.xml index 4027e4aab26..9d94e09f978 100644 
--- a/core/pom.xml +++ b/core/pom.xml @@ -546,7 +546,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.postgresql postgresql - 42.4.0 + 42.4.1 From a6927ad089c60e69f50ad6064dfbf2110255083d Mon Sep 17 00:00:00 2001 From: Albert Wang Date: Tue, 9 Aug 2022 16:47:00 +1200 Subject: [PATCH 15/25] Fix issue 4733. Update the mysql, mssql, postgresql and oracle initialize files. --- core/src/main/resources/data/initialize_mssql.sql | 4 +++- core/src/main/resources/data/initialize_mysql.sql | 4 +++- core/src/main/resources/data/initialize_oracle.sql | 4 +++- core/src/main/resources/data/initialize_postgres.sql | 4 +++- 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/core/src/main/resources/data/initialize_mssql.sql b/core/src/main/resources/data/initialize_mssql.sql index ff5bbe0ec06..969369065da 100644 --- a/core/src/main/resources/data/initialize_mssql.sql +++ b/core/src/main/resources/data/initialize_mssql.sql @@ -58,6 +58,8 @@ CREATE TABLE cpeEcosystemCache (vendor VARCHAR(255), product VARCHAR(255), ecosy INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('apache', 'zookeeper', 'MULTIPLE'); INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('tensorflow', 'tensorflow', 'MULTIPLE'); INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('scikit-learn', 'scikit-learn', 'MULTIPLE'); +INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('unicode', 'international_components_for_unicode', 'MULTIPLE'); +INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('icu-project', 'international_components_for_unicode', 'MULTIPLE'); CREATE INDEX idxCwe ON cweEntry(cveid); CREATE INDEX idxVulnerability ON vulnerability(cve); @@ -205,7 +207,7 @@ END; GO -INSERT INTO properties(id,value) VALUES ('version','5.2'); +INSERT INTO properties(id,value) VALUES ('version','5.2.1'); GO /** 
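Review bot: The stored schema version is raised to `5.2.1` in the four external-database scripts, but the diffstat lists no matching change to the H2 initialisation script or any upgrade script, and the code that reads the `version` property (not in this commit) presumably compares it against a fixed expected value; unless that value is raised in a separate change, freshly initialised MSSQL/MySQL/Oracle/PostgreSQL databases will report a version mismatch while H2 databases keep the old value. Existing databases of any kind never receive the two new `cpeEcosystemCache` rows because they are added only to the initial-load scripts; shipping the ICU rows as an upgrade step keyed on the old version would cover them. The same pattern repeats in the mysql, oracle and postgres hunks that follow.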
diff --git a/core/src/main/resources/data/initialize_mysql.sql b/core/src/main/resources/data/initialize_mysql.sql index a77b8faa340..59335885e2e 100644 --- a/core/src/main/resources/data/initialize_mysql.sql +++ b/core/src/main/resources/data/initialize_mysql.sql @@ -58,6 +58,8 @@ CREATE TABLE cpeEcosystemCache (vendor VARCHAR(255), product VARCHAR(255), ecosy INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('apache', 'zookeeper', 'MULTIPLE'); INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('tensorflow', 'tensorflow', 'MULTIPLE'); INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('scikit-learn', 'scikit-learn', 'MULTIPLE'); +INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('unicode', 'international_components_for_unicode', 'MULTIPLE'); +INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('icu-project', 'international_components_for_unicode', 'MULTIPLE'); CREATE INDEX idxCwe ON cweEntry(cveid); CREATE INDEX idxVulnerability ON vulnerability(cve); @@ -272,4 +274,4 @@ GRANT EXECUTE ON PROCEDURE dependencycheck.update_ecosystems2 TO 'dcuser'; GRANT SELECT, INSERT, UPDATE, DELETE ON dependencycheck.* TO 'dcuser'; -INSERT INTO properties(id, value) VALUES ('version', '5.2'); +INSERT INTO properties(id, value) VALUES ('version', '5.2.1'); diff --git a/core/src/main/resources/data/initialize_oracle.sql b/core/src/main/resources/data/initialize_oracle.sql index e104ead7436..8c3fe4b8fbe 100644 --- a/core/src/main/resources/data/initialize_oracle.sql +++ b/core/src/main/resources/data/initialize_oracle.sql 
@@ -130,6 +130,8 @@ CREATE TABLE cpeEcosystemCache (vendor VARCHAR(255), product VARCHAR(255), ecosy INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('apache', 'zookeeper', 'MULTIPLE'); INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('tensorflow', 'tensorflow', 'MULTIPLE'); INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('scikit-learn', 'scikit-learn', 'MULTIPLE'); +INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('unicode', 'international_components_for_unicode', 'MULTIPLE'); +INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('icu-project', 'international_components_for_unicode', 'MULTIPLE'); -- CREATE INDEX idxCwe ON cweEntry(cveid); -- PK automatically receives index -- CREATE INDEX idxVulnerability ON vulnerability(cve); -- PK automatically receives index @@ -394,4 +396,4 @@ CREATE OR REPLACE VIEW v_update_ecosystems AS ON c.vendor=e.vendor AND c.product=e.product; -INSERT INTO properties(id,value) VALUES ('version','5.2'); +INSERT INTO properties(id,value) VALUES ('version','5.2.1'); diff --git a/core/src/main/resources/data/initialize_postgres.sql b/core/src/main/resources/data/initialize_postgres.sql index b786ec5b84c..00076eb3577 100644 --- a/core/src/main/resources/data/initialize_postgres.sql +++ b/core/src/main/resources/data/initialize_postgres.sql 
@@ -42,6 +42,8 @@ CREATE TABLE cpeEcosystemCache (vendor VARCHAR(255), product VARCHAR(255), ecosy INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('apache', 'zookeeper', 'MULTIPLE'); INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('tensorflow', 'tensorflow', 'MULTIPLE'); INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('scikit-learn', 'scikit-learn', 'MULTIPLE'); +INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('unicode', 'international_components_for_unicode', 'MULTIPLE'); +INSERT INTO cpeEcosystemCache (vendor, product, ecosystem) VALUES ('icu-project', 'international_components_for_unicode', 'MULTIPLE'); CREATE TABLE cweEntry (cveid INT, cwe VARCHAR(20), CONSTRAINT fkCweEntry FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); @@ -209,4 +211,4 @@ GRANT EXECUTE ON FUNCTION public.insert_software (INT, CHAR(1), VARCHAR(255), -INSERT INTO properties(id,value) VALUES ('version','5.2'); +INSERT INTO properties(id,value) VALUES ('version','5.2.1'); From 807a813cb7f66d774aaf11933e96a494a63f4929 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 5 Aug 2022 01:05:13 +0000 Subject: [PATCH 16/25] Bump maven-site-plugin from 3.12.0 to 3.12.1 Bumps [maven-site-plugin](https://github.com/apache/maven-site-plugin) from 3.12.0 to 3.12.1. - [Release notes](https://github.com/apache/maven-site-plugin/releases) - [Commits](https://github.com/apache/maven-site-plugin/compare/maven-site-plugin-3.12.0...maven-site-plugin-3.12.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-site-plugin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index bd56f188e9b..cdae0e929cd 100644 --- a/pom.xml +++ b/pom.xml 
@@ -295,7 +295,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugins maven-site-plugin - 3.12.0 + 3.12.1 org.apache.maven.plugins From 169d9751cee6ea1eca3ed616a8e0ed679fde6c97 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 9 Aug 2022 06:17:09 -0400 Subject: [PATCH 17/25] fix vuln count check on test --- .../org/owasp/dependencycheck/analyzer/RetireJsAnalyzerIT.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/RetireJsAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/RetireJsAnalyzerIT.java index 5de85922b5e..77eb7b30a33 100644 --- a/core/src/test/java/org/owasp/dependencycheck/analyzer/RetireJsAnalyzerIT.java +++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/RetireJsAnalyzerIT.java @@ -156,7 +156,8 @@ public void testAngular() throws Exception { assertEquals("version", version.getName()); assertEquals("1.2.27", version.getValue()); - assertEquals(6, dependency.getVulnerabilities().size()); + assertTrue("At leats 6 vulnerabilities should be detected", + dependency.getVulnerabilities().size() >= 6); assertTrue(dependency.getVulnerabilities().contains(new Vulnerability("Universal CSP bypass via add-on in Firefox"))); assertTrue(dependency.getVulnerabilities().contains(new Vulnerability("XSS in $sanitize in Safari/Firefox"))); assertTrue(dependency.getVulnerabilities().contains(new Vulnerability("DOS in $sanitize"))); From 82b046ad1c6b0726964a62c292105cb91de6b61b Mon Sep 17 00:00:00 2001 From: Jesse Date: Thu, 11 Aug 2022 07:31:28 +1200 Subject: [PATCH 18/25] add yarn.lock to mixedLangSet to enable yarnAuditAnalyzer yarnAuditAnalyzer cannot be enabled if we don't have yarn.lock is added to mixedLangSet. --- .../org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java | 1 + 1 file changed, 1 insertion(+) 
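Review bot: The new assertion message has a typo: `assertTrue("At leats 6 vulnerabilities should be detected",` should read `"At least 6 vulnerabilities should be detected"`. This string is what surfaces in CI output when the check fails, so it is worth getting right. testAngular's body starts before this hunk.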
diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 0e5801d8519..6708bdabc89 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -1586,6 +1586,7 @@ private ExceptionCollection collectDependencies(Engine engine, MavenProject proj
 mixedLangSet.addInclude("npm-shrinkwrap.json");
 mixedLangSet.addInclude("Gopkg.lock");
 mixedLangSet.addInclude("go.mod");
+ mixedLangSet.addInclude("yarn.lock");
 } catch (IOException ex) {
 if (exCol == null) {
 exCol = new ExceptionCollection();
From e3396cc5e2ab2cf4d5d6af73cc912a9d7689e4c8 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Fri, 12 Aug 2022 08:23:14 -0400
Subject: [PATCH 19/25] Update maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
---
 .../org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 6708bdabc89..d27b7dc9e36 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -1587,6 +1587,7 @@ private ExceptionCollection collectDependencies(Engine engine, MavenProject proj
 mixedLangSet.addInclude("Gopkg.lock");
 mixedLangSet.addInclude("go.mod");
 mixedLangSet.addInclude("yarn.lock");
+ mixedLangSet.addInclude("pnpm-lock.yaml");
 } catch (IOException ex) {
 if (exCol == null) {
 exCol = new ExceptionCollection();
From db56450011f1c8187be69623dc6380c69ff1d58c Mon Sep 17 00:00:00 2001
From: Jeremy Long Date: Wed, 17 Aug 2022 06:05:04 -0400 Subject: [PATCH 20/25] update test cases to work with the singleton implementation --- .../analyzer/AbstractSuppressionAnalyzer.java | 14 +++++++++----- .../analyzer/CpeSuppressionAnalyzer.java | 2 +- .../analyzer/VulnerabilitySuppressionAnalyzer.java | 2 +- .../xml/suppression/SuppressionHandler.java | 14 ++------------ .../xml/suppression/SuppressionParser.java | 10 ++++------ .../analyzer/CpeSuppressionAnalyzerIT.java | 13 ++++++------- .../VulnerabilitySuppressionAnalyzerIT.java | 6 ++++-- .../reporting/ReportGeneratorIT.java | 10 ++++++++++ .../xml/suppression/SuppressionHandlerTest.java | 2 +- .../xml/suppression/SuppressionParserTest.java | 8 ++++---- 10 files changed, 42 insertions(+), 39 deletions(-) diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java index 22462a661fb..b045550c5c6 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java @@ -123,9 +123,13 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An if (rules.isEmpty()) { return; } - rules.list().forEach((rule) -> { - rule.process(dependency); - }); + int ctr =0; + for (SuppressionRule rule : rules.list()) { + if (filter(rule)) { + ctr++; + rule.process(dependency); + } + } } /** @@ -171,7 +175,7 @@ private void loadSuppressionBaseData() throws SuppressionParseException { if (in == null) { throw new SuppressionParseException("Suppression rules `" + BASE_SUPPRESSION_FILE + "` could not be found"); } - ruleList = parser.parseSuppressionRules(in, this); + ruleList = parser.parseSuppressionRules(in); } catch (SAXException | IOException ex) { throw new SuppressionParseException("Unable to parse the base suppression data file", ex); } 
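Review bot: `rules.list()` in the new loop reads from the process-wide `SuppressionRules` singleton, and neither this hunk nor the two load paths below (`loadSuppressionBaseData`, `loadSuppressionFile`) reset that list before rules are added to it; the integration tests in this same commit have to call `SuppressionRules.getInstance().list().clear()` by hand for new rules to take effect, which suggests that several engine runs in one JVM (a multi-module Maven build, for instance) could keep applying rules loaded by an earlier run, i.e. silently suppressing findings the current configuration no longer suppresses. If that is the intended lifecycle it should be documented on the singleton; if not, the list needs to be cleared at the start of a load, not only in tests. Separately, `ctr` is incremented but never read. analyzeDependency's signature is outside the hunk.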
@@ -246,7 +250,7 @@ private List loadSuppressionFile(final SuppressionParser parser
 throw new SuppressionParseException(msg);
 }
 try {
- list.addAll(parser.parseSuppressionRules(file, this));
+ list.addAll(parser.parseSuppressionRules(file));
 } catch (SuppressionParseException ex) {
 LOGGER.warn("Unable to parse suppression xml file '{}'", file.getPath());
 LOGGER.warn(ex.getMessage());
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java
index d021df5edcf..2d9a9291a74 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java
@@ -82,7 +82,7 @@ protected String getAnalyzerEnabledSettingKey() {
 @Override
 public boolean filter(SuppressionRule rule) {
- return !rule.hasCpe();
+ return rule.hasCpe();
 }
 @Override
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java
index 830cef39f60..8f4ddc786e5 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java
@@ -76,7 +76,7 @@ protected String getAnalyzerEnabledSettingKey() {
 @Override
 public boolean filter(SuppressionRule rule) {
- return !(rule.hasCve() || rule.hasCvssBelow() || rule.hasCwe() || rule.hasVulnerabilityName());
+ return rule.hasCve() || rule.hasCvssBelow() || rule.hasCwe() || rule.hasVulnerabilityName();
 }
 @Override
diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
index 7d33ae9d2a9..85301a2a1ff 100644
--- a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
+++ b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
@@ -104,10 +104,6 @@ public class SuppressionHandler extends DefaultHandler {
 * The current node text being extracted from the element.
 */
 private StringBuilder currentText;
- /**
- * The suppression rule filter.
- */
- private SuppressionRuleFilter filter;
 /**
 * Get the value of suppressionRules.
@@ -120,13 +116,9 @@ public List getSuppressionRules() {
 /**
 * Constructs a Suppression Handler.
- *
- * @param filter The suppression rule filter used when loading the
- * suppression rules. This is used to differentiate vulnerability
- * suppression rules from CPE suppression rules.
 */
- public SuppressionHandler(SuppressionRuleFilter filter) {
- this.filter = filter;
+ public SuppressionHandler() {
+
 }
 /**
@@ -176,8 +168,6 @@ public void endElement(String uri, String localName, String qName) throws SAXExc
 case SUPPRESS:
 if (rule.getUntil() != null && rule.getUntil().before(Calendar.getInstance())) {
 LOGGER.info("Suppression is expired for rule: {}", rule);
- } else if (filter != null && filter.filter(rule)) {
- LOGGER.debug("Filtering {} for {}", rule.toString(), filter.getName());
 } else {
 suppressionRules.add(rule);
 }
diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java
index ed24a087071..98d89676fc2 100644
--- a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java
+++ b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java
@@ -77,14 +77,13 @@ public class SuppressionParser { * contained. * * @param file an XML file containing suppression rules - * @param filter the suppression rule filter * @return a list of suppression rules * @throws SuppressionParseException thrown if the XML file cannot be parsed */ @SuppressFBWarnings(justification = "try with resource will clenaup the resources", value = {"OBL_UNSATISFIED_OBLIGATION"}) - public List parseSuppressionRules(File file, SuppressionRuleFilter filter) throws SuppressionParseException { + public List parseSuppressionRules(File file) throws SuppressionParseException { try (FileInputStream fis = new FileInputStream(file)) { - return parseSuppressionRules(fis, filter); + return parseSuppressionRules(fis); } catch (SAXException | IOException ex) { LOGGER.debug("", ex); throw new SuppressionParseException(ex); @@ -96,12 +95,11 @@ public List parseSuppressionRules(File file, SuppressionRuleFil * contained. * * @param inputStream an InputStream containing suppression rules - * @param filter a filter to use when loading suppression rules * @return a list of suppression rules * @throws SuppressionParseException thrown if the XML cannot be parsed * @throws SAXException thrown if the XML cannot be parsed */ - public List parseSuppressionRules(InputStream inputStream, SuppressionRuleFilter filter) + public List parseSuppressionRules(InputStream inputStream) throws SuppressionParseException, SAXException { try ( InputStream schemaStream13 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_3); 
@@ -114,7 +112,7 @@ public List parseSuppressionRules(InputStream inputStream, Supp final String defaultEncoding = StandardCharsets.UTF_8.name(); final String charsetName = bom == null ? defaultEncoding : bom.getCharsetName(); - final SuppressionHandler handler = new SuppressionHandler(filter); + final SuppressionHandler handler = new SuppressionHandler(); final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream13, schemaStream12, schemaStream11, schemaStream10); final XMLReader xmlReader = saxParser.getXMLReader(); xmlReader.setErrorHandler(new SuppressionErrorHandler()); diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzerIT.java index ae0854f2e52..71fd0e9fca3 100644 --- a/core/src/test/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzerIT.java +++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzerIT.java @@ -64,10 +64,9 @@ public void testGetAnalysisPhase() { */ @Test public void testAnalyze() throws Exception { - - //File file = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.jar").getPath()); + //as the suppression rules are now a singleton - we must reset the list to cause the new suppression rules to load + SuppressionRules.getInstance().list().clear(); File file = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.jar"); - //File suppression = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.suppression.xml").getPath()); File suppression = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.suppression.xml"); getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false); getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false); 
@@ -80,20 +79,20 @@ public void testAnalyze() throws Exception { int cpeSize = dependency.getVulnerableSoftwareIdentifiers().size(); assertTrue(cveSize > 0); assertTrue(cpeSize > 0); - getSettings().setString(Settings.KEYS.SUPPRESSION_FILE, suppression.getAbsolutePath()); //as the suppression rules are now a singleton - we must reset the list to cause the new suppression rules to load SuppressionRules.getInstance().list().clear(); + getSettings().setString(Settings.KEYS.SUPPRESSION_FILE, suppression.getAbsolutePath()); CpeSuppressionAnalyzer instance = new CpeSuppressionAnalyzer(); instance.initialize(getSettings()); instance.prepare(engine); instance.analyze(dependency, engine); - //after adding filtering to the load - the cpe suppression - //analyzer no longer suppresses CPEs. - //cveSize -= 1; + cpeSize -= 1; assertEquals(cveSize, dependency.getVulnerabilities().size()); assertEquals(cpeSize, dependency.getVulnerableSoftwareIdentifiers().size()); } + //be kind to other tests and cleanup any custom loaded suppression rules for your test. + SuppressionRules.getInstance().list().clear(); } /** diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java index eef2af0fe42..6162276befe 100644 --- a/core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java +++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java 
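Review bot: The cleanup `SuppressionRules.getInstance().list().clear();` added at the end of testAnalyze only runs when every assertion before it passes; a failing `assertEquals` skips it and the rules loaded from commons-fileupload-1.2.1.suppression.xml stay in the singleton for whatever test runs next, which is exactly the cross-test contamination the comment says it wants to avoid. Moving the clear into an `@After` method, or wrapping the body in `try { … } finally { SuppressionRules.getInstance().list().clear(); }`, makes it unconditional. The same pattern is added in VulnerabilitySuppressionAnalyzerIT and in the four ReportGeneratorIT tests in this commit. testAnalyze's signature is outside the hunk.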
@@ -65,10 +65,10 @@ public void testGetAnalysisPhase() { */ @Test public void testAnalyze() throws Exception { + //as the suppression rules are now a singleton - we must reset the list to cause the new suppression rules to load + SuppressionRules.getInstance().list().clear(); - //File file = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.jar").getPath()); File file = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.jar"); - //File suppression = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.suppression.xml").getPath()); File suppression = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.suppression.xml"); getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false); getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false); @@ -97,6 +97,8 @@ public void testAnalyze() throws Exception { assertEquals(cveSize, dependency.getVulnerabilities().size()); assertEquals(cpeSize, dependency.getVulnerableSoftwareIdentifiers().size()); } + //be kind to other tests and cleanup any custom loaded suppression rules for your test. + SuppressionRules.getInstance().list().clear(); } /** diff --git a/core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java b/core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java index d03d2dc7a72..73da1d7cc1d 100644 --- a/core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java +++ b/core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java @@ -44,6 +44,7 @@ import org.owasp.dependencycheck.data.update.exception.UpdateException; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.utils.DownloadFailedException; +import org.owasp.dependencycheck.xml.suppression.SuppressionRules; /** * 
@@ -75,6 +76,9 @@ public void testGenerateReport() { settings.setBoolean(Settings.KEYS.PRETTY_PRINT, true); generateReport(settings, writeTo, writeJsonTo, writeHtmlTo, writeJunitTo, writeCsvTo, writeSarifTo, suppressionFile); + + //be kind to other tests and cleanup any custom loaded suppression rules for your test. + SuppressionRules.getInstance().list().clear(); } /** @@ -100,6 +104,8 @@ public void testGenerateNodeAuditReport() { settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false); generateReport(settings, writeTo, writeJsonTo, writeHtmlTo, writeJunitTo, writeCsvTo, writeSarifTo, suppressionFile); + //be kind to other tests and cleanup any custom loaded suppression rules for your test. + SuppressionRules.getInstance().list().clear(); } @@ -126,6 +132,8 @@ public void testGenerateRetireJsReport() { settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false); generateReport(settings, writeTo, writeJsonTo, writeHtmlTo, writeJunitTo, writeCsvTo, writeSarifTo, suppressionFile); + //be kind to other tests and cleanup any custom loaded suppression rules for your test. + SuppressionRules.getInstance().list().clear(); } /** * Generates an XML report containing known vulnerabilities and realistic @@ -150,6 +158,8 @@ public void testGenerateNodePackageReport() { settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false); generateReport(settings, writeTo, writeJsonTo, writeHtmlTo, writeJunitTo, writeCsvTo, writeSarifTo, suppressionFile); + //be kind to other tests and cleanup any custom loaded suppression rules for your test. + SuppressionRules.getInstance().list().clear(); } diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandlerTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandlerTest.java index e678fd3dd67..f304112eff3 100644 --- a/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandlerTest.java 
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandlerTest.java @@ -48,7 +48,7 @@ public void testHandler() throws Exception { File file = BaseTest.getResourceAsFile(this, "suppressions.xml"); InputStream schemaStream = BaseTest.getResourceAsStream(this, "schema/suppression.xsd"); - SuppressionHandler handler = new SuppressionHandler(null); + SuppressionHandler handler = new SuppressionHandler(); SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream); XMLReader xmlReader = saxParser.getXMLReader(); xmlReader.setErrorHandler(new SuppressionErrorHandler()); diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionParserTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionParserTest.java index a0a4f3b7e1a..106b00e170e 100644 --- a/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionParserTest.java +++ b/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionParserTest.java @@ -40,7 +40,7 @@ public void testParseSuppressionRulesV1dot0() throws Exception { //File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath()); File file = BaseTest.getResourceAsFile(this, "suppressions.xml"); SuppressionParser instance = new SuppressionParser(); - List result = instance.parseSuppressionRules(file, null); + List result = instance.parseSuppressionRules(file); Assert.assertEquals(5, result.size()); } @@ -53,7 +53,7 @@ public void testParseSuppressionRulesV1dot1() throws Exception { //File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath()); File file = BaseTest.getResourceAsFile(this, "suppressions_1_1.xml"); SuppressionParser instance = new SuppressionParser(); - List result = instance.parseSuppressionRules(file, null); + List result = instance.parseSuppressionRules(file); Assert.assertEquals(5, result.size()); } 
@@ -66,7 +66,7 @@ public void testParseSuppressionRulesV1dot2() throws Exception { //File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath()); File file = BaseTest.getResourceAsFile(this, "suppressions_1_2.xml"); SuppressionParser instance = new SuppressionParser(); - List result = instance.parseSuppressionRules(file, null); + List result = instance.parseSuppressionRules(file); Assert.assertEquals(4, result.size()); } @@ -79,7 +79,7 @@ public void testParseSuppressionRulesV1dot3() throws Exception { //File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath()); File file = BaseTest.getResourceAsFile(this, "suppressions_1_3.xml"); SuppressionParser instance = new SuppressionParser(); - List result = instance.parseSuppressionRules(file, null); + List result = instance.parseSuppressionRules(file); Assert.assertEquals(4, result.size()); } } From 01678095bc117c632e6e34680dce3bb1c5e06a02 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 17 Aug 2022 06:14:11 -0400 Subject: [PATCH 21/25] remove unused interface --- .../analyzer/AbstractSuppressionAnalyzer.java | 14 +++++-- .../suppression/SuppressionRuleFilter.java | 42 ------------------- 2 files changed, 11 insertions(+), 45 deletions(-) delete mode 100644 core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRuleFilter.java diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java index b045550c5c6..248564ca87e 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java 
@@ -43,7 +43,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.SAXException;
-import org.owasp.dependencycheck.xml.suppression.SuppressionRuleFilter;
 import org.owasp.dependencycheck.xml.suppression.SuppressionRules;
 /**
@@ -53,7 +52,7 @@
 * @author Jeremy Long
 */
 @ThreadSafe
-public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer implements SuppressionRuleFilter {
+public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 /**
 * The Logger for use throughout the class.
@@ -123,7 +122,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
 if (rules.isEmpty()) {
 return;
 }
- int ctr =0;
+ int ctr = 0;
 for (SuppressionRule rule : rules.list()) {
 if (filter(rule)) {
 ctr++;
@@ -132,6 +131,15 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
 }
 }
+ /**
+ * Determines whether or not to filter a suppression rule.
+ *
+ * @param rule the suppression rule to evaluate
+ * @return true if the rule should be filtered; otherwise
+ * true
+ */
+ abstract boolean filter(SuppressionRule rule);
+
 /**
 * Loads all the suppression rules files configured in the {@link Settings}.
 *
diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRuleFilter.java b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRuleFilter.java
deleted file mode 100644
index 01607c7fc97..00000000000
--- a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRuleFilter.java
+++ /dev/null
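Review bot: `abstract boolean filter(SuppressionRule rule);` is declared package-private, while the two concrete overrides in CpeSuppressionAnalyzer and VulnerabilitySuppressionAnalyzer are `public boolean filter(...)`; the widening compiles, but a subclass of this public abstract class living in another package could not implement the hook at all. Declaring it `protected abstract boolean filter(SuppressionRule rule);` states the intended extension contract and matches how the implementations already treat it. analyzeDependency, the caller of filter, starts outside the hunk.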
@@ -1,42 +0,0 @@
-/*
- * This file is part of dependency-check-core.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2021 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.xml.suppression;
-
-/**
- * A simple suppression rule filter.
- *
- * @author Jeremy Long
- */
-public interface SuppressionRuleFilter {
-
- /**
- * Determines whether or not to filter a suppression rule.
- *
- * @param rule the suppression rule to evaluate
- * @return true if the rule should be filtered; otherwise
- * true
- */
- boolean filter(SuppressionRule rule);
-
- /**
- * Returns the name of the filter.
- *
- * @return the name of the filters
- */
- String getName();
-}
From c0ce698fd3ed54f9867e8e97977ad94142182a00 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Thu, 18 Aug 2022 06:59:49 -0400
Subject: [PATCH 22/25] Update core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
Co-authored-by: Hans Aikema
---
 .../dependencycheck/analyzer/AbstractSuppressionAnalyzer.java | 2 --
 1 file changed, 2 deletions(-)
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
index 248564ca87e..d233eedcad9 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -122,10 +122,8 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
 if (rules.isEmpty()) {
 return;
 }
- int ctr = 0;
 for (SuppressionRule rule : rules.list()) {
 if (filter(rule)) {
- ctr++;
 rule.process(dependency);
 }
 }
From 071dde7ff15b9a3016185a5505aab22e94f5e99f Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Thu, 18 Aug 2022 07:00:06 -0400
Subject: [PATCH 23/25] Update core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
Co-authored-by: Hans Aikema
---
 .../analyzer/AbstractSuppressionAnalyzer.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
index d233eedcad9..4f0a53c7ed0 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -130,11 +130,11 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
 }
 /**
- * Determines whether or not to filter a suppression rule.
+ * Determines whether a suppression rule should be retained when filtering a set of suppression rules for a concrete suppression analyzer.
 *
 * @param rule the suppression rule to evaluate
- * @return true if the rule should be filtered; otherwise
- * true
+ * @return true if the rule should be retained; otherwise
+ * false
 */
 abstract boolean filter(SuppressionRule rule);
From 58ef8c7e9e946b30f549f437d97cdba3420b684a Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Thu, 18 Aug 2022 07:02:07 -0400
Subject: [PATCH 24/25] remove un-needed code
---
 .../xml/suppression/SuppressionHandler.java | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
index 85301a2a1ff..3ea7aebbf3c 100644
--- a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
+++ b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
@@ -114,13 +114,6 @@ public List getSuppressionRules() {
 return suppressionRules;
 }
- /**
- * Constructs a Suppression Handler.
- */
- public SuppressionHandler() {
-
- }
-
 /**
 * Handles the start element event.
 *
From 596b237baa27ad0d5eada24bd70c0f45e348f971 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Thu, 18 Aug 2022 07:22:41 -0400
Subject: [PATCH 25/25] fix javadoc
---
 .../dependencycheck/analyzer/AbstractSuppressionAnalyzer.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
index 5fff4539863..d5c2ed3a8af 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -135,7 +135,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
 *
 * @param rule the suppression rule to evaluate
 * @return true if the rule should be retained; otherwise
- false
+ false
 */
 abstract boolean filter(SuppressionRule rule);