jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Hosted Suppressions file: Forced update fallback does not work in case local suppression file is missing #5662

Open profhenry opened 1 year ago

profhenry commented 1 year ago

Describe the bug

In case the hosted suppression file is missing on your local machine (for example in the very first run and/or when starting with an empty m2 repo), the hosted suppression file never gets downloaded when you have configured

autoUpdate=false hostedSuppressionsForceUpdate=false

I think it is intended to download the hosted suppression file even in this case. There is even a warning message logged:

Hosted Suppressions file is empty or missing - attempting to force the update

But the file never gets downloaded.

Version of dependency-check used

I am using the maven plugin in version 8.2.1, but I think the bug is in core (see attached patch).

Log file

[INFO] Finished Hint Analyzer (0 seconds)
[DEBUG] Initializing CPE Analyzer
[INFO] Created CPE Index (1 seconds)
[DEBUG] Skipping CPE Analysis for npm
[DEBUG] Settings.getDataFile() - file: '[JAR]/../../dependency-check-data/7.0'
[DEBUG] Settings.getDataFile() - transforming filename
[DEBUG] Settings.getDataFile() - jar file: '/home/jwiesner/.m2/repository/org/owasp/dependency-check-utils/8.2.1'
[DEBUG] Settings.getDataFile() - returning: '/home/jwiesner/.m2/repository/org/owasp/dependency-check-utils/8.2.1/../../dependency-check-data/7.0'
[WARNING] Hosted Suppressions file is empty or missing - attempting to force the update
[DEBUG] Setting: hosted.suppressions.forceupdate='true'
[WARNING] Empty Hosted Suppression file after update, results may contain false positives already resolved by the DependencyCheck project due to failed download of the hosted suppression file

To Reproduce

Steps to reproduce the behavior:

  1. Delete an already downloaded suppression file or start with an empty m2 repo
  2. Configure the maven plugin to use autoUpdate=false and hostedSuppressionsForceUpdate=false
  3. mvn org.owasp:dependency-check-maven:aggregate

Expected behavior

I would expect that the hosted suppression file gets downloaded, stored in the local Maven repo, and used for the dependency check.

Additional context

Workaround: setting hostedSuppressionsForceUpdate=true works (with the side effect that the hosted suppression file gets loaded for every check). See attached patch patch_5662.patch
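A simplified model of the decision path this report describes, added here as an illustration and not dependency-check's own code: the function and setting names are assumptions, and the assumed mechanism (the force flag being snapshotted before the missing-file fallback flips it) is a guess at how the logged warning can coincide with no download, not something taken from the attached patch.

```python
from dataclasses import dataclass, field


@dataclass
class Settings:
    # Mirrors the two plugin options from the report (names are assumptions).
    auto_update: bool
    force_update: bool
    log: list = field(default_factory=list)


def _missing_file_fallback(local_file_present: bool, settings: Settings) -> None:
    """The fallback the log shows: warn, then turn on the force-update setting."""
    if not local_file_present:
        settings.log.append("Hosted Suppressions file is empty or missing - attempting to force the update")
        settings.force_update = True
        settings.log.append("Setting: hosted.suppressions.forceupdate='true'")


def update_hosted_suppressions_buggy(local_file_present: bool, settings: Settings) -> bool:
    """Return True if the hosted suppressions file would be downloaded.

    Assumed bug: the force flag is copied into a local variable *before* the
    fallback runs, so the fallback's change to the setting is never observed.
    """
    force = settings.force_update          # stale snapshot (assumed cause)
    _missing_file_fallback(local_file_present, settings)
    if not force and not settings.auto_update:
        settings.log.append("Empty Hosted Suppression file after update, results may contain false positives")
        return False                        # no download despite the warning
    return True


def update_hosted_suppressions_fixed(local_file_present: bool, settings: Settings) -> bool:
    """Same flow, but the force flag is read after the fallback has run."""
    _missing_file_fallback(local_file_present, settings)
    if not settings.force_update and not settings.auto_update:
        return False
    return True


if __name__ == "__main__":
    # Constructed scenario from the report: file missing, autoUpdate=false, forceUpdate=false.
    s = Settings(auto_update=False, force_update=False)
    print("buggy downloads:", update_hosted_suppressions_buggy(False, s))   # False
    print("fixed downloads:", update_hosted_suppressions_fixed(False, Settings(False, False)))  # True
    print("workaround (forceUpdate=true):", update_hosted_suppressions_buggy(False, Settings(False, True)))  # True
```

The first call reproduces the reported sequence (warning logged, forceupdate set to 'true', still no download), the second shows the fallback taking effect, and the third shows why the reporter's workaround succeeds.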

sanguozhaoyun commented 1 year ago

Same issue happens in dependency-check-maven 8.3.1