jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Suppression schema enhancements #1491

Open savornicesei opened 5 years ago

savornicesei commented 5 years ago

Hi,

I have several CVEs reported for Microsoft.SqlServer.Types.dll (from NuGet) that do not apply to the version that I use (latest, 14.x.x). So I've added them to the suppression file.

What I would like to add to the suppression file is:

Thank you, Simo

jeremylong commented 5 years ago

The suppression file contains a notes element that would allow you to specify why the suppression rule exists: https://github.com/jeremylong/DependencyCheck/blob/354fef169487788aa2a515aa49c5efd45040c08a/core/src/main/resources/schema/dependency-suppression.1.2.xsd#L39

With regard to the suppression rule specifying versions - I'll have to consider that for a future release.

savornicesei commented 5 years ago

Thanks @jeremylong ! I haven't noticed the notes element.

Guess another improvement would be to document the suppression schema file and automatically generate HTML documentation files...

Best, Simo

tstibbs commented 5 years ago

@savornicesei it should be fairly simple to write an XSLT that turns the suppression xml into HTML I guess?
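Putting the two suggestions in this thread together (record the justification in the `notes` element, and generate a human-readable document from the suppression file), here is an added example that is not code from the dependency-check project. Instead of the XSLT tstibbs proposes, it uses Python's standard-library XML parser to read a file in the 1.2 schema namespace linked above, render every rule as an HTML table row, and flag rules that carry no `notes`. The sample suppression file is constructed for this example: the CVE identifiers in it are placeholders rather than real records, and the `filePath` regex, the `until` expiry date and the wording of the notes are assumptions.

```python
"""Render an OWASP dependency-check suppression file as an HTML table.

Added example, not code from the dependency-check project. It lists every
<suppress> rule with the dependency it selects, what it suppresses, its
optional until= expiry and its <notes>, and flags rules that have no notes,
since an unexplained suppression is the one a reviewer cannot audit.
"""
import html
import xml.etree.ElementTree as ET

# Namespace of the 1.2 suppression schema linked in the thread.
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd"}
# Elements that select the dependency a rule applies to.
SELECTORS = ("filePath", "sha1", "gav", "packageUrl")
# Elements that say what is suppressed for the selected dependency.
SUPPRESSED = ("cve", "cpe", "cwe", "vulnerabilityName")

# Constructed sample file. The CVE identifiers are placeholders, not real
# records; the filePath regex, the until date and the note text are assumed.
SAMPLE_SUPPRESSIONS = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
  <suppress until="2020-06-30Z">
    <notes><![CDATA[
    Microsoft.SqlServer.Types 14.x from NuGet. The reported CVEs affect the
    SQL Server engine, not this client assembly. Reviewed by: simo.
    The rule matches every version of the DLL because the schema cannot
    scope a suppression to a version range, hence the until= expiry.
    ]]></notes>
    <filePath regex="true">.*\bMicrosoft\.SqlServer\.Types\.dll$</filePath>
    <cve>CVE-0000-0001</cve>
    <cve>CVE-0000-0002</cve>
  </suppress>
  <suppress>
    <filePath regex="true">.*\bSomeOther\.dll$</filePath>
    <cve>CVE-0000-0003</cve>
  </suppress>
</suppressions>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def parse_suppressions(xml_text):
    """Return one dict per <suppress> rule: notes, selector, suppressed, until."""
    root = ET.fromstring(xml_text)
    rules = []
    for sup in root.findall("s:suppress", NS):
        notes_el = sup.find("s:notes", NS)
        notes = notes_el.text.strip() if notes_el is not None and notes_el.text else None
        selector = None
        for tag in SELECTORS:
            el = sup.find(f"s:{tag}", NS)
            if el is not None:
                selector = {"by": tag, "value": (el.text or "").strip(),
                            "regex": el.get("regex") == "true"}
                break
        suppressed = [{"kind": _local(el.tag), "value": (el.text or "").strip()}
                      for el in sup if _local(el.tag) in SUPPRESSED]
        rules.append({"notes": notes, "selector": selector,
                      "suppressed": suppressed, "until": sup.get("until")})
    return rules


def rules_without_notes(rules):
    """1-based positions of rules that record no justification."""
    return [i for i, r in enumerate(rules, 1) if not r["notes"]]


def render_html(rules):
    """Build an HTML table; every cell is escaped so notes cannot inject markup."""
    header = ("<tr><th>#</th><th>Applies to</th><th>Suppresses</th>"
              "<th>Until</th><th>Notes</th></tr>")
    rows = []
    for i, r in enumerate(rules, 1):
        sel = r["selector"]
        applies = (f'{sel["by"]}{" (regex)" if sel["regex"] else ""}: {sel["value"]}'
                   if sel else "(no dependency selector)")
        suppresses = ", ".join(f'{s["kind"]} {s["value"]}' for s in r["suppressed"]) or "(none listed)"
        notes = r["notes"] or "MISSING: no justification recorded"
        cells = (str(i), applies, suppresses, r["until"] or "no expiry", notes)
        rows.append("<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in cells) + "</tr>")
    return "<table>\n" + "\n".join([header, *rows]) + "\n</table>"


if __name__ == "__main__":
    parsed = parse_suppressions(SAMPLE_SUPPRESSIONS)
    print(render_html(parsed))
    for pos in rules_without_notes(parsed):
        print(f"warning: suppression rule #{pos} has no <notes> element")
```

Run it as a script to print the table and a warning for the second rule, which has no `notes`. The point of the generated page is the audit trail: because a 1.2 rule cannot be scoped to a version range, the only thing that records why a CVE was judged not to apply to 14.x is the note, and a dated `until` expiry forces the decision to be revisited when the dependency is next upgraded.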