
Suppression per subproject for :dependencyCheckAggregate task

Open dzwicker opened this issue 5 years ago • 1 comment

For me it looks like in an aggregation build it is only possible to define "global" suppressions, right?

But I believe it should be possible to define suppressions on a per-subproject basis, as any CVE can be suppressed for one project but for other projects it should be handled by a developer.

In the HTML report the project and scope information is listed so the suppression file must provide a project (and the scope information).

Don't know how complex it is to use this information in the analyser to suppress only if project and scope match (or one or both are empty -> matches everywhere).

dzwicker avatar Nov 27 '19 05:11 dzwicker
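The matching rule proposed in the issue ("suppress only if project and scope match, or an empty field matches everywhere") is small enough to write down. The following is an added illustration, not code from dependency-check-gradle or from the issue author, and it deliberately does not claim to be the project's suppression file format: the real format has no project or scope fields (the maintainer's reply below explains why the data is not available at suppression time). The `Finding` and `Suppression` types, the sample findings and the CVE identifiers of the form `CVE-0000-000x` are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical model of one row of the aggregate HTML report: the report
# already lists the subproject and the dependency scope alongside the CVE.
@dataclass(frozen=True)
class Finding:
    project: str   # Gradle subproject path, e.g. ":app"
    scope: str     # dependency configuration/scope, e.g. "runtimeClasspath"
    package: str   # dependency identifier (package URL style)
    cve: str


# Hypothetical suppression entry extended with optional project/scope
# selectors, as requested in the issue. None or "" means "matches everywhere".
@dataclass(frozen=True)
class Suppression:
    cve: str
    package: str
    project: Optional[str] = None
    scope: Optional[str] = None
    notes: str = ""


def _selector_matches(selector: Optional[str], actual: str) -> bool:
    # An unset selector is a wildcard; a set selector must match exactly.
    return not selector or selector == actual


def matches(rule: Suppression, finding: Finding) -> bool:
    """True if the rule suppresses this finding under the issue's semantics:
    CVE and package must match; project and scope match if set or empty."""
    return (
        rule.cve == finding.cve
        and rule.package == finding.package
        and _selector_matches(rule.project, finding.project)
        and _selector_matches(rule.scope, finding.scope)
    )


def apply_suppressions(
    findings: List[Finding], rules: List[Suppression]
) -> Tuple[List[Finding], List[Tuple[Finding, Suppression]]]:
    """Split findings into (still reported, suppressed-with-the-rule-that-hit).
    The first matching rule wins, which mirrors a file read top to bottom."""
    remaining: List[Finding] = []
    suppressed: List[Tuple[Finding, Suppression]] = []
    for finding in findings:
        hit = next((r for r in rules if matches(r, finding)), None)
        if hit is None:
            remaining.append(finding)
        else:
            suppressed.append((finding, hit))
    return remaining, suppressed


# Constructed sample data: the same vulnerable library pulled into two
# subprojects and two scopes, plus an unrelated finding.
LIBFOO = "pkg:maven/example/libfoo@1.0"
LIBBAR = "pkg:maven/example/libbar@2.0"
SAMPLE_FINDINGS = [
    Finding(":app", "runtimeClasspath", LIBFOO, "CVE-0000-0001"),
    Finding(":lib", "runtimeClasspath", LIBFOO, "CVE-0000-0001"),
    Finding(":app", "testRuntimeClasspath", LIBFOO, "CVE-0000-0001"),
    Finding(":app", "runtimeClasspath", LIBBAR, "CVE-0000-0002"),
]

# Rule 1: the :app team has accepted the libfoo finding for every scope of
# :app only; :lib must still deal with it. Rule 2: only suppress libbar in
# test scope, in any project, so a runtime occurrence is still reported.
SAMPLE_RULES = [
    Suppression("CVE-0000-0001", LIBFOO, project=":app",
                notes="accepted by :app owners"),
    Suppression("CVE-0000-0002", LIBBAR, scope="testRuntimeClasspath",
                notes="test-only dependency"),
]

# A rule with neither selector behaves like today's global suppression.
GLOBAL_RULE = Suppression("CVE-0000-0001", LIBFOO)


def run_demo():
    return apply_suppressions(SAMPLE_FINDINGS, SAMPLE_RULES)


if __name__ == "__main__":
    remaining, suppressed = run_demo()
    for f in remaining:
        print("REPORTED ", f.project, f.scope, f.package, f.cve)
    for f, rule in suppressed:
        print("SUPPRESSED", f.project, f.scope, f.cve, "-", rule.notes)
```

With these inputs the libfoo finding in `:lib` and the runtime-scope libbar finding in `:app` stay in the report, while the two `:app` libfoo findings are suppressed. Keeping the matched rule next to each suppressed finding is worth doing in any real implementation: a suppression is an accepted risk, and the report should say who accepted it and why.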

This would not be a trivial implementation. Most of the information used to suppress findings is not known until well after the dependencies for each project/scope are collected.

jeremylong avatar Jan 02 '20 00:01 jeremylong