jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Cannot report related dependencies at a time #6728

Open ninianxing opened 4 months ago

ninianxing commented 4 months ago

Hi there, I have an issue as follows.

When I discover a vulnerable dependency that I have confirmed is a false positive, I utilize a suppression file to suppress it. However, after rescanning, I often find new vulnerable dependencies that are related to the previously suppressed one. Consequently, I have to repeatedly scan the project and add new suppression rules to my suppression file.

My question is: How can I efficiently obtain all vulnerable dependencies and their respective suppression rules from the report in a single iteration?

Thank you for your time. I'm looking forward to your response urgently.

jeremylong commented 4 months ago

When creating the suppression rule using the HTML report, you could look at the report for the "related dependencies" and manually update the suppression rule to include the additional items.

OrangeDog commented 4 months ago

It depends on what the false positives are and how you're suppressing them.

If the problem is misidentification of a library or vendor, then write a rule that matches every component you're using, and the whole vendor of CPEs that it isn't. Don't over-fit to version numbers or file hashes.
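The two styles of rule discussed in this thread, shown side by side as an added example (this is not code from the project or from any commenter). The first rule is the over-fitted form that has to be re-added after every rescan, since it pins one file hash and one CVE; the second matches every artifact under a Maven group by Package URL and suppresses the whole misidentified CPE vendor, so related dependencies picked up later are covered too. The group id `com.example.app` and the CPE `cpe:/a:misidentified_vendor` are placeholders; the schema URL is dependency-check's published suppression schema. Dependency-check treats `<cpe>` as a starts-with match, so a vendor-only value covers every product under that vendor.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Over-fitted rule (what the thread warns against):
         pinned to a single jar's SHA-1 and a single CVE, so any related
         artifact or a new version of the same one needs yet another rule. -->
    <suppress>
        <notes><![CDATA[
        Placeholder: false positive on one specific jar build.
        ]]></notes>
        <sha1>0000000000000000000000000000000000000000</sha1> <!-- placeholder hash -->
        <cve>CVE-0000-00000</cve>                              <!-- placeholder id -->
    </suppress>

    <!-- Broad rule following the advice above:
         match every artifact you use from the group (regex on the purl,
         no version pinned) and suppress the whole wrongly matched vendor.
         `until` forces a periodic review instead of a permanent blind spot. -->
    <suppress until="2025-12-31Z">
        <notes><![CDATA[
        Placeholder: artifacts under com.example.app are misidentified as
        products of misidentified_vendor; none of them ship that vendor's code.
        Re-verify before the until date expires.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.example\.app/.*$</packageUrl>
        <cpe>cpe:/a:misidentified_vendor</cpe>
    </suppress>

</suppressions>
```

Point dependency-check at the file with `--suppression` (CLI) or the equivalent `suppressionFile` setting of the Maven/Gradle plugins. Keeping the `<cpe>` element in the rule, rather than suppressing by CVE, is what makes it survive new advisories against the same wrong vendor; keeping the `until` attribute is what stops a mistaken suppression from silently outliving the dependency it was written for.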