jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Unused Suppression Rule reporting bundled(?) suppressions #7146

Closed OrangeDog closed 1 week ago

OrangeDog commented 2 weeks ago

Describe the bug

[INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/io.etcd/jetcd-[a-z]*@.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:redhat:etcd, regex=false, caseSensitive=false},PropertyType{value=cpe:/a:etcd:etcd, regex=false, caseSensitive=false},}}
[INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/io.etcd/jetcd-grpc@.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:grpc:grpc, regex=false, caseSensitive=false},}}

Version of dependency-check used

The problem occurs using version 11.1.0 of the maven plugin.

Log file

https://gist.github.com/OrangeDog/c862ee88f715bce8b31aca626acb0d7a

Expected behavior

It should only be telling me about my own suppressions.
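For reference, this is how the two rules from the log above would look if they were part of a project's own dependency-check suppression file. It is an added illustration, not a file from this issue or from the project; the file name suppressions.xml and the text in the notes elements are assumptions. A rule reported as having zero matches that does not appear in any file listed under the maven plugin's suppressionFiles configuration came from the bundled suppressions, not from the project's own file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a user-maintained suppressions.xml (assumed name) containing the two rules seen in the log -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>jetcd modules are the Java client, not the etcd server (assumed rationale)</notes>
    <packageUrl regex="true">^pkg:maven/io.etcd/jetcd-[a-z]*@.*$</packageUrl>
    <cpe>cpe:/a:redhat:etcd</cpe>
    <cpe>cpe:/a:etcd:etcd</cpe>
  </suppress>
  <suppress>
    <notes>jetcd-grpc is a client binding, not the grpc project itself (assumed rationale)</notes>
    <packageUrl regex="true">^pkg:maven/io.etcd/jetcd-grpc@.*$</packageUrl>
    <cpe>cpe:/a:grpc:grpc</cpe>
  </suppress>
</suppressions>
```

The file is referenced from the plugin configuration with a suppressionFiles element containing one suppressionFile entry per file; only rules from those files are the project's own, so an unused-rule message for anything else points at the bundled set.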

jeremylong commented 1 week ago

I believe this should have been resolved with #7137. Are you still seeing this?

chadlwilson commented 1 week ago

Folks will still be seeing this until a "legit" FP suppression is published via the GitHub Actions workflow (PR was merged directly to the generatedSuppressions branch, but such direct PRs don't trigger the publishing right now - only a GHA managed merge does)

Can probably trigger one by approving #7132 which looks like a legit FP.

OrangeDog commented 1 week ago

Yes, it is still happening.

chadlwilson commented 1 week ago

It's fixed now :-)