DependencyCheck

Fix #4671

Open marcelstoer opened this issue 1 year ago • 7 comments

Fixes Issue

#4670, #4671, #4677, #4690

Description of Change

Suppress all CVEs filed against those Python pet projects as per https://github.com/github/securitylab/issues/669#issuecomment-1189337273. As the discussion in #4671 showed we will likely not succeed suppressing the CVEs surgically i.e. only those that really really cause conflict -> suppress'em all.

marcelstoer avatar Jul 21 '22 11:07 marcelstoer

Anything missing here? I'd like to wait with rebasing until it's its turn to get merged to avoid having to do that over and over again.

marcelstoer avatar Jul 28 '22 15:07 marcelstoer

Rather than suppressing every individual CVE (including future ones), wouldn't it be better to suppress the CPE?

OrangeDog avatar Aug 01 '22 15:08 OrangeDog

the CPE

There are as many CPEs as CVEs involved here. AFAIU suppressing one isn't better than the other, but I'd be happy to hear arguments that prove me wrong. With https://github.com/github/securitylab/issues/669#issuecomment-1189337273 @skavanagh went to great lengths to document that pretty much every one of those CVEs is pointless.

marcelstoer avatar Aug 01 '22 16:08 marcelstoer

There's as many CPEs as CVEs involved here

Ah, my mistake. I thought they had more in common than just _project.

OrangeDog avatar Aug 01 '22 16:08 OrangeDog
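As an added illustration of the two options discussed above (this is not code from the PR or from dependency-check's own suppression files), here are the two suppression styles side by side in dependency-check's XML suppression format. The package URL, CPE and CVE identifier are hypothetical placeholders; substitute the real values from your report. A `<cve>` entry removes exactly one finding, so every newly filed CVE against the same CPE needs a new entry; a `<cpe>` entry removes the CPE identification itself, so every CVE mapped through that CPE, present and future, disappears. When each CVE is mapped through its own `<name>_project` CPE, as in this thread, the two approaches end up needing the same number of entries:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

   <!-- Style 1: suppress a single CVE on a single artifact.
        Only this CVE is hidden; a future CVE against the same CPE will reappear. -->
   <suppress>
      <notes><![CDATA[
      Hypothetical: CVE filed against an unrelated Python pet project whose name
      collides with this artifact. Identifiers below are placeholders.
      ]]></notes>
      <packageUrl regex="true">^pkg:maven/org\.example/foo@.*$</packageUrl>
      <cve>CVE-0000-0000</cve>
   </suppress>

   <!-- Style 2: suppress the CPE identification for the artifact.
        Every CVE that reaches the artifact through this CPE is hidden,
        including ones filed after this suppression was written. -->
   <suppress>
      <notes><![CDATA[
      Hypothetical: the "foo_project" CPE does not describe this Maven artifact.
      ]]></notes>
      <packageUrl regex="true">^pkg:maven/org\.example/foo@.*$</packageUrl>
      <cpe>cpe:/a:foo_project:foo</cpe>
   </suppress>

</suppressions>
```

Point dependency-check at the file with `--suppression <path>` (CLI) or the `suppressionFiles` setting in the Maven or Gradle plugin, then re-run and confirm in the HTML report that the identifier or vulnerability is listed as suppressed rather than silently missing. Keep the `<packageUrl>` scoped as tightly as possible: a `<cpe>` suppression without a package URL or file path applies to every dependency in the scan.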

I am interested in finding out whether the maintainers @jeremylong and @aikebah are planning on eventually merging this or whether I should close it.

marcelstoer avatar Aug 01 '22 18:08 marcelstoer

Yes - I will likely be merging this before the next release. I haven't had as much time to focus on ODC as I have in the past due to a new job and needing to ramp up on a new platform, etc.

I've been considering several things with this event and will likely add some stories for the 8.0.0 release. Possibly creating a suppression file hosted on GitHub that will be able to be updated faster than the packaged release - so we can add suppressions to the hosted file and suppress things like this for a broader community in-between full releases. This would also include improving the issue-ops around false positives to assist in updating the hosted suppression file...

jeremylong avatar Aug 02 '22 09:08 jeremylong

creating a suppression file hosted on GitHub that will be able to be updated faster than the packaged release

I can imagine this would certainly be very welcome by this community.

marcelstoer avatar Aug 02 '22 11:08 marcelstoer