pedro93 closed this issue 7 years ago
Have a look here: https://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html
You can fail a build based on severity, but there isn't an option to report on vulnerabilities of specific severity or higher. I would imagine it would be possible to create an overly broad suppression file that does this, but considering some of the most notorious vulnerabilities in the past several years have been medium severity (Heartbleed only had a cvss score of 5.0), you might end up missing some rather serious issues with this approach. Also, I believe the vast majority of XSS vulns (when rated with CVSS) will fall under medium severity, so only reporting on high would likely omit entire classes of vulns.
It would be possible to set up a suppression file to suppress CVEs below a specified CVSS score:
```xml
<!-- one suppress rule; it goes inside the <suppressions> root element of the suppression file -->
<suppress>
    <notes><![CDATA[
    This suppresses all CVE entries that have a score below CVSS 7.
    ]]></notes>
    <cvssBelow>7</cvssBelow>
</suppress>
```
See the full example here.
Thank you both for your input, one final question somewhat related to my problem. Is it possible to aggregate reports generated via the command-line tool?
At the moment - no, it is not possible to aggregate reports from the CLI.
What about generating the html report from the xml output of the CLI?
It is completely possible to write code that would combine the XML or JSON reports and then generate a new HTML report. However, that functionality does not exist within dependency-check.
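An added example (not part of this thread or of dependency-check itself) of what such combining code could look like: it merges the JSON reports of two CLI scans, de-duplicates findings on (file, CVE), optionally drops findings below a CVSS threshold, and renders a minimal HTML table. The sample reports and their field names (`dependencies`, `fileName`, `vulnerabilities`, `name`, `cvssScore`) are constructed assumptions rather than a guaranteed match for the real report schema, and the CVE identifiers are placeholders.

```python
import html
import json

# Two constructed JSON reports standing in for the output of two separate CLI
# scans. The field names are an ASSUMPTION about the report layout; check them
# against the reportSchema of the reports you actually produce. The CVSS 5.0
# finding mirrors the Heartbleed point made earlier in the thread: a threshold
# of 7 silently drops it.
REPORT_A = json.dumps({"dependencies": [
    {"fileName": "libssl-1.0.1.jar", "vulnerabilities": [
        {"name": "CVE-0000-0001", "cvssScore": 5.0}]},          # placeholder CVE
    {"fileName": "commons-collections-3.2.1.jar", "vulnerabilities": [
        {"name": "CVE-0000-0002", "cvssScore": 7.5}]},          # placeholder CVE
]})
REPORT_B = json.dumps({"dependencies": [
    {"fileName": "commons-collections-3.2.1.jar", "vulnerabilities": [
        {"name": "CVE-0000-0002", "cvssScore": 7.5}]},          # same finding, second scan
    {"fileName": "clean-lib-1.0.jar", "vulnerabilities": []},
]})
REPORTS = {"scan-a": REPORT_A, "scan-b": REPORT_B}


def load_findings(report_json, scan_label):
    """Flatten one report into (scan, file, cve, score) tuples."""
    report = json.loads(report_json)
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            yield scan_label, dep["fileName"], vuln["name"], float(vuln["cvssScore"])


def aggregate(reports, min_score=0.0):
    """Merge several reports keyed on (file, cve), recording every scan that
    reported the finding. Findings scoring below min_score are left out, so a
    high threshold hides medium-severity issues rather than fixing them."""
    merged = {}
    for label, report_json in reports.items():
        for scan, fname, cve, score in load_findings(report_json, label):
            if score < min_score:
                continue
            entry = merged.setdefault((fname, cve), {"score": score, "scans": set()})
            entry["scans"].add(scan)
    return merged


def render_html(merged):
    """Render the merged findings as a minimal HTML table (values escaped)."""
    rows = "".join(
        f"<tr><td>{html.escape(f)}</td><td>{html.escape(c)}</td>"
        f"<td>{e['score']}</td><td>{html.escape(', '.join(sorted(e['scans'])))}</td></tr>"
        for (f, c), e in sorted(merged.items()))
    return "<table><tr><th>File</th><th>CVE</th><th>CVSS</th><th>Scans</th></tr>" + rows + "</table>"


if __name__ == "__main__":
    print(render_html(aggregate(REPORTS)))            # all findings, both scans merged
    print(len(aggregate(REPORTS, min_score=7.0)))     # the 5.0 finding is gone
```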
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
I haven't been able to find this but is it possible to define in the maven plugin to report CVE vulnerabilities that are of a specific severity or higher?
If this option already exists, could you please point me in the right direction? I haven't been able to find it. If it does not exist, I could, for example, filter the XML output to keep only High severity, but I would like the HTML report to give to my management.
Is this possible? Thank you.