jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Suppression groups #3031

Closed elzibubble closed 3 years ago

elzibubble commented 3 years ago

Is your feature request related to a problem? Please describe. My (Clojure) project uses the Jackdaw library, which has multiple immediate and transitive dependency issues and hence requires many suppressions. One of them is Netty, which has a ton of pieces to it.

Describe the solution you'd like An element to group suppressions with a shared until and notes. I use the notes field to detail why the library can't be upgraded and so it's usually the same for the whole group.

Describe alternatives you've considered The Netty pieces could be lumped together in a single regex as they're conveniently named but this is only a partial solution.

Additional context Ideally I'd love it if DependencyCheck could accept/obtain a dependency tree and allow CVEs to be suppressed for the immediate dependency. E.g. I would list all the sub-dependency CVEs under Jackdaw. There is a risk of over-suppressing here, but presumably you have no way to upgrade the library already. This sounds like quite a bit of work to implement though, and if the dependency tree info has to be passed in, it would require support from tool plugins like lein-nvd-check.
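Since the grouping above is something a build can do before dependency-check runs, here is an added example (not dependency-check's own code, and not part of the original issue) that expands a grouped definition into the flat suppression XML the tool already reads. The grouped input format (`GROUPS`) is hypothetical; the output uses the real suppression elements (`suppress` with an `until` attribute, `notes`, `packageUrl regex="true"`, `cve`) and the 1.3 schema namespace. The CVE ids and the Jackdaw rationale in the sample are placeholders, not real vulnerabilities.

```python
"""Expand grouped suppressions into a flat dependency-check suppression file.

Added example, not dependency-check's own code. The grouped input format is
hypothetical; the output uses the real suppression XML elements.
"""
import xml.etree.ElementTree as ET
from datetime import date

SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Constructed sample input. CVE ids are placeholders, not real vulnerabilities,
# and the rationale text is illustrative only.
GROUPS = [
    {
        "notes": "Pulled in transitively via Jackdaw; no Jackdaw release without "
                 "these yet, so they cannot be upgraded (placeholder rationale)",
        "until": "2022-06-30Z",
        "suppressions": [
            {"packageUrl": r"^pkg:maven/io\.netty/netty\-.*@.*$",
             "cves": ["CVE-0000-00001", "CVE-0000-00002"]},
            {"packageUrl": r"^pkg:maven/org\.example/example\-transitive@.*$",
             "cves": ["CVE-0000-00003"]},
        ],
    },
]


def _check_until(until):
    """Validate an `until` value (YYYY-MM-DD, optionally with the trailing Z the docs use)."""
    return date.fromisoformat(until.rstrip("Z"))


def expand_groups(groups):
    """Return a <suppressions> element with one <suppress> per group entry.

    Every entry inherits the group's `until` and `notes`, which is what a
    native suppression group would provide.
    """
    root = ET.Element("suppressions", {"xmlns": SUPPRESSION_NS})
    for group in groups:
        until = group.get("until")
        if until:
            _check_until(until)  # fail early on a typo rather than at scan time
        for entry in group["suppressions"]:
            sup = ET.SubElement(root, "suppress")
            if until:
                sup.set("until", until)
            ET.SubElement(sup, "notes").text = group["notes"]
            purl = ET.SubElement(sup, "packageUrl", {"regex": "true"})
            purl.text = entry["packageUrl"]
            for cve in entry["cves"]:
                ET.SubElement(sup, "cve").text = cve
    return root


def render(groups):
    """Serialize to the XML text passed to dependency-check with --suppression."""
    body = ET.tostring(expand_groups(groups), encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body + "\n"


def expired_groups(groups, today_iso):
    """Notes of groups whose `until` date has passed as of today_iso (YYYY-MM-DD).

    These need a fresh upgrade check before the file is regenerated.
    """
    today = date.fromisoformat(today_iso)
    return [g["notes"] for g in groups
            if g.get("until") and _check_until(g["until"]) < today]


if __name__ == "__main__":
    print(render(GROUPS))
    for notes in expired_groups(GROUPS, date.today().isoformat()):
        print("expired group:", notes)
```

Regenerating the file in the build keeps one `until` and one rationale per group, and `expired_groups` is the check worth wiring into CI: a group whose date has passed should block until someone re-tests the upgrade, rather than silently continuing to suppress.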

jeremylong commented 3 years ago

This would be somewhat complicated. In some cases a transitive dependency can also be a primary dependency.

jeremylong commented 3 years ago

After consideration - we do not have any plans to implement this feature.