jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

fix(fp): Consolidate duplicate jetcd suppression and ensure considered base suppressions #7137

Closed chadlwilson closed 2 weeks ago

chadlwilson commented 2 weeks ago

Description of Change

The change in #7117 failed to mark the suppressions as base, which makes them show up incorrectly as unused suppressions in user runs.

Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/io\.etcd/jetcd-[a-z]*@.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:redhat:etcd, regex=false, caseSensitive=false},PropertyType{value=cpe:/a:etcd:etcd, regex=false, caseSensitive=false},}}
Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/io\.etcd/jetcd-grpc@.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:grpc:grpc, regex=false, caseSensitive=false},}}

Additionally consolidates a duplicate earlier suppression and uses .* to handle other dependencies like jetcd-blah-blah.

FYI @joannakotula :-)

Have test cases been added to cover the new functionality?

N/A
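To make the two points in the description concrete, the following is an added illustration and not code from the DependencyCheck project: a small model of how a suppression file's `base` attribute and the `[a-z]*` versus `.*` package-URL pattern affect which rules get reported as unused. The suppression XML, the dependency list, the version numbers and the matching semantics (a rule counts as matched when its packageUrl pattern hits a dependency and removes at least one of its listed CPEs) are all constructed assumptions for the example; the patterns and CPE values themselves mirror the log lines above.

```python
"""Simplified model of dependency-check's 'unused suppression' reporting.
Illustrative code written for this PR discussion; not the project's own
implementation. Matching semantics are an assumption: a rule is 'matched'
when its packageUrl pattern hits a dependency and removes at least one CPE."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Constructed suppression file. The first rule has the shape the PR calls
# broken ([a-z]* and no base attribute); the other two use .* and base="true".
SUPPRESSIONS_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>old-jetcd-rule</notes>
    <packageUrl regex="true">^pkg:maven/io\.etcd/jetcd-[a-z]*@.*$</packageUrl>
    <cpe>cpe:/a:redhat:etcd</cpe>
    <cpe>cpe:/a:etcd:etcd</cpe>
  </suppress>
  <suppress base="true">
    <notes>jetcd-etcd-base</notes>
    <packageUrl regex="true">^pkg:maven/io\.etcd/jetcd-.*@.*$</packageUrl>
    <cpe>cpe:/a:redhat:etcd</cpe>
    <cpe>cpe:/a:etcd:etcd</cpe>
  </suppress>
  <suppress base="true">
    <notes>jetcd-grpc-base</notes>
    <packageUrl regex="true">^pkg:maven/io\.etcd/jetcd-grpc@.*$</packageUrl>
    <cpe>cpe:/a:grpc:grpc</cpe>
  </suppress>
</suppressions>
"""

# Constructed dependencies with the CPEs a scan might (wrongly) attach to them.
SAMPLE_DEPENDENCIES = [
    ("pkg:maven/io.etcd/jetcd-core@0.7.5", {"cpe:/a:etcd:etcd"}),
    ("pkg:maven/io.etcd/jetcd-grpc@0.7.5", {"cpe:/a:grpc:grpc"}),
    ("pkg:maven/io.etcd/jetcd-blah-blah@0.7.5", {"cpe:/a:redhat:etcd"}),
    ("pkg:maven/org.example/unrelated@1.0", {"cpe:/a:example:unrelated"}),
]


@dataclass
class Rule:
    notes: str
    purl_pattern: re.Pattern
    cpes: frozenset
    base: bool
    matches: int = 0


def load_rules(xml_text):
    """Parse each <suppress> element into a Rule."""
    rules = []
    for sup in ET.fromstring(xml_text).findall("s:suppress", NS):
        purl_el = sup.find("s:packageUrl", NS)
        is_regex = purl_el.get("regex", "false").lower() == "true"
        raw = purl_el.text.strip()
        pattern = raw if is_regex else "^" + re.escape(raw) + "$"
        rules.append(Rule(
            notes=sup.findtext("s:notes", default="", namespaces=NS).strip(),
            # caseSensitive=false in the log lines, hence IGNORECASE
            purl_pattern=re.compile(pattern, re.IGNORECASE),
            cpes=frozenset(c.text.strip() for c in sup.findall("s:cpe", NS)),
            base=sup.get("base", "false").lower() == "true",
        ))
    return rules


def apply_rule(rule, purl, cpes):
    """Return the CPEs left on one dependency after this rule is applied."""
    if not rule.purl_pattern.search(purl):
        return cpes
    removed = cpes & rule.cpes
    if removed:
        rule.matches += 1
    return cpes - removed


def run_scan(rules, dependencies):
    """Apply every rule to every dependency; return surviving CPEs per purl."""
    remaining = {}
    for purl, cpes in dependencies:
        left = set(cpes)
        for rule in rules:
            left = apply_rule(rule, purl, left)
        remaining[purl] = left
    return remaining


def unused_rules(rules, include_base=False):
    """Notes of rules that never matched. Base rules are skipped unless asked
    for: a user's project will not contain every dependency the bundled rules cover."""
    return [r.notes for r in rules if r.matches == 0 and (include_base or not r.base)]


if __name__ == "__main__":
    rules = load_rules(SUPPRESSIONS_XML)
    print(run_scan(rules, SAMPLE_DEPENDENCIES))
    print("unused (user view):", unused_rules(rules))
```

Running the old rule alone leaves `jetcd-blah-blah` unsuppressed because `[a-z]*` cannot cross the second hyphen, while the `.*` form covers it; and when a project has no jetcd dependency at all, only the rule without `base="true"` is reported as unused.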