jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Give an option to suppress vulnerabilities without a CVSS score. #6018

Open thomasredlin opened 10 months ago

thomasredlin commented 10 months ago

Like in the examples, we use a suppression rule that suppresses all vulnerabilities below a CVSS score of 7. Our company policy demands that we handle every vulnerability by upgrading the library, adding a suppression rule or by other means.

But oftentimes when there is a new vulnerability, it doesn't have a score yet and we investigate it, only for the vulnerability to receive a score below 7 later on, meaning we could have dismissed it already at the beginning.

Could it be possible to have a suppression rule to suppress all unscored vulnerabilities? That would help us a lot.

Thanks for looking into it!

aikebah commented 10 months ago

I'd need to see some substantial proof for 'oftentimes' to even lightly consider this as an available option, but strongly discouraged practice, as in my experience most CVEs start off with a CVSS or textual rating rather than no rating at all.

If no vulnerability severity rating is available to triage the issue on, you should triage it yourself and assume the worst case (CVSS 10) until proven otherwise.
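
The worst-case triage rule above, as an added example that is not code from the dependency-check project: it reads a dependency-check JSON report, treats any entry with neither a CVSSv2 nor a CVSSv3 score as CVSS 10, and lists everything at or above the 7.0 threshold. The report is a constructed sample, and the field names (`dependencies[].vulnerabilities[]`, `cvssv2.score`, `cvssv3.baseScore`) are assumed to match the report format.

```python
import json

# Constructed sample in the shape of a dependency-check JSON report.
# Field names are assumed, and the file names are placeholders; the CVE ids
# and scores are the ones discussed in this issue.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-lib-a-1.0.0.jar", "vulnerabilities": [
            {"name": "CVE-2023-45857", "source": "NVD",
             "cvssv3": {"baseScore": 6.5}},
        ]},
        {"fileName": "webpack-dev-middleware-x.y.z.tgz", "vulnerabilities": [
            {"name": "CVE-2024-29180", "source": "NVD"},  # no NVD score yet
        ]},
        {"fileName": "example-lib-b-1.0.0.jar", "vulnerabilities": [
            {"name": "CVE-2023-46298", "source": "NVD",
             "cvssv2": {"score": 7.5}},
        ]},
    ]
})

WORST_CASE = 10.0   # score assumed for an unscored entry until proven otherwise
THRESHOLD = 7.0     # same cut-off as the cvssBelow suppression in the issue


def effective_score(vuln):
    """Highest available CVSS score, or None when the entry is unscored."""
    scores = []
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    if "baseScore" in v3:
        scores.append(float(v3["baseScore"]))
    if "score" in v2:
        scores.append(float(v2["score"]))
    return max(scores) if scores else None


def triage(report_json, threshold=THRESHOLD):
    """Return entries that need action: scored >= threshold, or unscored."""
    findings = []
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            score = effective_score(vuln)
            unscored = score is None
            assumed = WORST_CASE if unscored else score
            if assumed >= threshold:
                findings.append({"dependency": dep.get("fileName"),
                                 "cve": vuln.get("name"),
                                 "score": assumed, "unscored": unscored})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        flag = " (UNSCORED, assumed worst case)" if f["unscored"] else ""
        print(f"{f['dependency']}: {f['cve']} score={f['score']}{flag}")
```

Run against a real report (`dependency-check-report.json`) by replacing `SAMPLE_REPORT` with the file contents; the unscored entries are the ones a `cvssBelow` rule cannot see.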

thomasredlin commented 5 months ago

@aikebah You're right. Unfortunately, the case where a CVE was unscored and later on received a score below 7 happened much more often. I guess a more severe or critical CVE will get its score much faster.

Now I just discovered the new CVE-2024-29180 in webpack-dev-middleware with Dependabot in our project. It has a 7.4 score in GHSA but no score in the NVD, so I would have expected it to be listed in our ODC report, but it's not there. We're still on ODC version 8.2.1 (sorry, should have mentioned it above) so the change in behavior is not with ODC I think.

Do you know if something changed regarding the databases?

thomasredlin commented 5 months ago

However, I still want to provide examples where a CVE was unscored at first, sometimes with no textual description to help triage, or links to actually understand the problem. (You can see it in the change history at NVD)

https://nvd.nist.gov/vuln/detail/CVE-2023-45857 (unscored for 8 days, then 6.5)
https://nvd.nist.gov/vuln/detail/CVE-2023-44270 (unscored for 12 days, then 5.3)
https://nvd.nist.gov/vuln/detail/CVE-2023-46298 (unscored for 6 days, then 7.5)