DependencyCheck
Option to skip low confidence and/or low severity checks
Is your feature request related to a problem? Please describe.
For some dependencies, OWASP dep checker finds CVEs with low confidence; I'd like to suppress them all by confidence level. This will allow concentrating on things that matter instead of filling the suppression file with stuff like https://github.com/apache/pulsar/blob/2285d02aa9957af7877b9d3d3c628a750d813ca7/src/owasp-dependency-check-suppressions.xml#L337-L354 and a few others in the same suppression file.
Also, suppressing low severity (or by severity below level N) will allow a smoother introduction of the dep checker into the CI.
Describe the solution you'd like
Options for the Maven and Gradle plugins to specify a min confidence level and a min severity level, and autosuppress otherwise. Do not show CVEs below these minimums in the report.
Describe alternatives you've considered
Not using OWASP dep checker.
In addition to @dlg99's idea, I would like to propose putting a vulnerability's confidence at the vulnerability's level within the report. Currently, it is at the dependency level, which, in my eyes, does not make much sense. This change would probably also simplify the implementation of this feature request.
I would be very interested in such a feature, as you can sometimes drown in the list of vulnerabilities. Did you come up with a workaround to be able to work while the feature is not available?
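As an added example (not code from this issue or from the DependencyCheck project), the following script shows the behaviour the request asks for, applied as a post-processing workaround over the JSON report: drop dependencies whose best CPE-match confidence is below a threshold, and drop vulnerabilities whose CVSS score is below a threshold. The sample report is constructed, and the field names (`vulnerabilityIds`, `confidence`, `cvssv3.baseScore`, `cvssv2.score`) and the confidence ranking are assumptions about the report format.

```python
import json

# Constructed sample shaped like a dependency-check JSON report; the field names
# used below are assumptions about the report format, not taken from this issue.
SAMPLE_REPORT = json.loads("""
{"dependencies": [
  {"fileName": "example-a.jar",
   "vulnerabilityIds": [{"id": "cpe:2.3:a:example:a:1.0:*:*:*:*:*:*:*", "confidence": "LOW"}],
   "vulnerabilities": [
     {"name": "CVE-0000-0001", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}}]},
  {"fileName": "example-b.jar",
   "vulnerabilityIds": [{"id": "cpe:2.3:a:example:b:2.0:*:*:*:*:*:*:*", "confidence": "HIGHEST"}],
   "vulnerabilities": [
     {"name": "CVE-0000-0002", "severity": "LOW", "cvssv2": {"score": 2.1}},
     {"name": "CVE-0000-0003", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}}]}
]}
""")

# Assumed ordering of the confidence labels, lowest first.
CONFIDENCE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "HIGHEST": 3}


def best_confidence(dep):
    """Highest confidence among the CPE identifiers matched to a dependency."""
    ranks = [CONFIDENCE_RANK.get(v.get("confidence", "LOW"), 0)
             for v in dep.get("vulnerabilityIds", [])]
    return max(ranks, default=0)


def cvss_score(vuln):
    """Prefer the CVSSv3 base score, fall back to CVSSv2; None when no score is present."""
    if "cvssv3" in vuln:
        return float(vuln["cvssv3"].get("baseScore", 0.0))
    if "cvssv2" in vuln:
        return float(vuln["cvssv2"].get("score", 0.0))
    return None


def filter_report(report, min_confidence="MEDIUM", min_cvss=4.0):
    """Return {fileName: [CVE names]} for findings at or above both thresholds.

    A vulnerability without any CVSS score is kept rather than silently dropped."""
    kept = {}
    for dep in report.get("dependencies", []):
        if best_confidence(dep) < CONFIDENCE_RANK[min_confidence]:
            continue  # the dependency identification itself is not trusted enough
        names = [v["name"] for v in dep.get("vulnerabilities", [])
                 if (s := cvss_score(v)) is None or s >= min_cvss]
        if names:
            kept[dep["fileName"]] = names
    return kept
```

With the defaults, `example-a.jar` is dropped entirely because its only CPE match is LOW confidence, and only CVE-0000-0003 survives for `example-b.jar`.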