DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0
2.7k stars 578 forks

Vulnerability count doesn't account for suppressed findings #36

Closed richardabarker closed 8 years ago

richardabarker commented 8 years ago

Hi, I've installed the prebuilt WAR under apache-tomcat-8.0.33 on Windows 10 and everything looks okay, but when I try to add a dependency to my project or add a component I don't get any entries in the dropdowns.

stevespringett commented 8 years ago

When adding a component, the dropdown is also a text input field, so you can start typing. Once one component is added, the vendor, component name, and version fields will be populated. As you add more components, there will be more choices in the dropdown.

richardabarker commented 8 years ago

Ah, okay. Thanks! So are the false positives that are displayed for, say, OpenSSL 1.0.2g caused by dependency-check? Is there any way to filter them out?

stevespringett commented 8 years ago

Yes, this is caused by dependency-check and can be filtered out using a suppression file. Refer to https://jeremylong.github.io/DependencyCheck/general/suppression.html

Suppressions are global in Dependency-Track, meaning that it's currently not possible to suppress a finding for one application and not another one. The benefit is that you can suppress a finding and all applications with that dependency will now inherit that suppression.

It's been a while since I've worked on the 1.x codebase (the master branch is all 2.x and quite different), but I believe the suppression file goes into the ~/.dependency-track directory.
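A worked suppressions.xml for the situation discussed in this thread, added here as an illustration; it is not from the original thread and not shipped by Dependency-Track or dependency-check. It assumes the flagged artifact's path contains `openssl-1.0.2g`, that you have already verified which reported CVEs do not apply (the `CVE-ID-TO-SUPPRESS` value is a placeholder you replace with each verified ID), and that the schema version in the namespace matches the dependency-check engine bundled with your build (1.x-era builds use the 1.1 schema; newer engines accept 1.3, which also adds an `until` expiry attribute on `<suppress>`).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread or the project. Place it at the
     suppressions path your Dependency-Track version reads (on Windows this
     thread reports C:\Users\username\dependency-track\data\suppressions.xml). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <!-- Preferred, narrow form: suppress only the CVEs you have checked and
       found not to apply, and only for the pinned artifact. Because
       Dependency-Track 1.x applies suppressions globally, a narrow filePath
       regex is the only thing stopping this from hiding the same CVE on a
       different OpenSSL build elsewhere. -->
  <suppress>
    <notes><![CDATA[
      OpenSSL 1.0.2g: listed CVEs verified as false positives for this build.
      Reviewed by: (name) on (date). Re-verify when the version changes.
    ]]></notes>
    <!-- Assumption: the scanned artifact's file name starts with openssl-1.0.2g -->
    <filePath regex="true">.*[/\\]openssl-1\.0\.2g[^/\\]*$</filePath>
    <!-- Placeholder: one <cve> element per verified false positive -->
    <cve>CVE-ID-TO-SUPPRESS</cve>
  </suppress>

  <!-- Broad form, shown for contrast and deliberately NOT recommended here:
       suppressing the CPE drops every CVE attached through that CPE, present
       and future, for any file the regex matches. Use it only when the CPE
       identification itself is wrong (the artifact is not OpenSSL at all),
       never to silence a noisy but correct identification. -->
  <!--
  <suppress>
    <notes><![CDATA[ Artifact mis-identified as OpenSSL; CPE match is wrong. ]]></notes>
    <filePath regex="true">.*[/\\]openssl-1\.0\.2g[^/\\]*$</filePath>
    <cpe>cpe:/a:openssl:openssl</cpe>
  </suppress>
  -->

</suppressions>
```

After saving the file, restart Tomcat and confirm in the Tomcat log and in the generated dependency-check-report.html that the suppressed entries no longer appear; as the rest of this thread shows, the per-application counts and the Vulnerabilities page in 1.x may still include them, so check the report rather than the dashboard to confirm the file itself is being honoured.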

richardabarker commented 8 years ago

Just to follow up for the purposes of anyone else reading this thread - on Windows the file to create is C:\Users\username\dependency-track\data\suppressions.xml.

I can see in the Tomcat output (and in dependency-check-report.html) that the suppressions are being correctly applied and the total as shown by the graph on the Dashboard is correctly excluding the suppressions, but the numbers shown next to the Applications and the CVEs listed on the Vulnerabilities page do not exclude the suppressions.

Is there an easy way to fix this or do I need to edit the database by hand?

(Should I just be using the master branch and building it myself?!)

stevespringett commented 8 years ago

v2.0.0 (in the master branch) is currently in heavy development. I'll make sure this gets fixed in this version.

richardabarker commented 8 years ago

FWIW if I remove the component, restart Tomcat and add it again I get the correct number in the Applications pane, but sadly the Vulnerabilities page is still not filtered.

richardabarker commented 8 years ago

(I also couldn't open the database using java -cp ../repo/com/h2database/h2/1.3.176/h2-1.3.176.jar org.h2.tools.Server -tcp -web as I get a "Unique index or primary key violation" error.)

stevespringett commented 8 years ago

FYI, I have branched the project to make the source tree more clear.

lock[bot] commented 6 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.