openrewrite / rewrite-recipe-markdown-generator

Utility that generates OpenRewrite recipe documentation in markdown format for all recipes on the classpath.
Apache License 2.0

Remove outdated suppressions.xml and delay jackson-databind #73

Closed timtebeek closed 1 year ago

timtebeek commented 1 year ago

Remove outdated suppressions.xml and delay jackson-databind

timtebeek commented 1 year ago

What will happen with the removed outdated suppressions? Shouldn't we simply update the date because they will appear again?

My understanding from https://jeremylong.github.io/DependencyCheck/general/suppression.html was that suppressed-until-date entries are ignored after that date, which is also why we see them pop up again when we run dependency-vulnerability-reports. The expired entries no longer appear in our reports, so they are then presumably fixed or the CVE has since been updated to have a narrower scope. If they were still an issue we'd already get those weekly reminders. This PR then is mostly just clearing out expired records such that it's easier to spot which are actually still suppressed.

I've gone a bit more in depth here: https://github.com/openrewrite/rewrite-java-dependencies/issues/24

Given the above would you then be OK to merge this pull request? I'll keep an eye out for any effects with next week's run, but don't expect anything.
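
Added example, not part of the original thread or of the project's code: a small Python check that splits a Dependency-Check suppressions file into entries whose `until` date has passed and entries still in effect, which is the cleanup this pull request describes. The sample XML, its placeholder CVE ids and package URLs, and the helper names `local` and `classify` are constructed for illustration; comparing only the date part of `until` is a simplifying assumption.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed sample; CVE ids and package URLs are placeholders, not this repository's entries.
SAMPLE = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2023-01-15Z">
    <notes>expired: findings are reported again after this date</notes>
    <packageUrl regex="true">^pkg:maven/com\.example/lib-a@.*$</packageUrl>
    <cve>CVE-0000-0001</cve>
  </suppress>
  <suppress until="2099-12-31Z">
    <notes>still suppressed</notes>
    <packageUrl regex="true">^pkg:maven/com\.example/lib-b@.*$</packageUrl>
    <vulnerabilityName>CVE-0000-0002</vulnerabilityName>
  </suppress>
  <suppress>
    <notes>no until attribute: suppressed indefinitely</notes>
    <packageUrl regex="true">^pkg:maven/com\.example/lib-c@.*$</packageUrl>
    <cve>CVE-0000-0003</cve>
  </suppress>
</suppressions>"""

def local(tag):
    """Strip the XML namespace so any suppression schema version is accepted."""
    return tag.rsplit("}", 1)[-1]

def classify(xml_text, today):
    """Return (expired, active) lists of (until, identifiers, notes) tuples."""
    expired, active = [], []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "suppress":
            continue
        ids = [c.text.strip() for c in el
               if local(c.tag) in ("cve", "vulnerabilityName") and c.text]
        notes = next((c.text.strip() for c in el
                      if local(c.tag) == "notes" and c.text), "")
        raw = el.get("until")
        # Assumption: only the YYYY-MM-DD part is compared; a zone suffix such as "Z" is ignored.
        until = dt.date.fromisoformat(raw[:10]) if raw else None
        (expired if until and until < today else active).append((until, ids, notes))
    return expired, active

if __name__ == "__main__":
    expired, active = classify(SAMPLE, dt.date.today())
    for until, ids, notes in expired:
        print(f"expired {until}: {', '.join(ids)} ({notes})")
    print(f"{len(active)} suppression(s) still in effect")
```

Entries without an `until` attribute never expire, so they land in the active list and are the ones that still need a periodic manual review.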