DependencyCheck
Fix #4671
Fixes Issue
#4670, #4671, #4677, #4690
Description of Change
Suppress all CVEs filed against those Python pet projects, as per https://github.com/github/securitylab/issues/669#issuecomment-1189337273. As the discussion in #4671 showed, we will likely not succeed in suppressing the CVEs surgically, i.e. only those that really cause conflicts -> suppress them all.
Anything missing here? I'd like to hold off on rebasing until it is this PR's turn to get merged, to avoid having to do that over and over again.
Rather than suppressing every individual CVE (including future ones), wouldn't it be better to suppress the CPE?
> the CPE

There are as many CPEs as CVEs involved here. AFAIU suppressing one isn't better than the other, but I'd be happy to hear arguments that prove me wrong. With https://github.com/github/securitylab/issues/669#issuecomment-1189337273 @skavanagh went to great lengths to document that pretty much every one of those CVEs is pointless.
> There are as many CPEs as CVEs involved here

Ah, my mistake. I thought they had more in common than just `_project`.
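For readers following the CVE-versus-CPE question above, here is an added illustration of what the two suppression forms look like in a dependency-check suppression file; it is not part of this PR, and the package URL, the CPE vendor/product string and the CVE identifier are placeholders, not the actual entries discussed in the linked securitylab issue. A `<cve>` entry removes one vulnerability from a matched dependency, while a `<cpe>` entry removes the matched CPE identifier itself, so no vulnerability reported against that CPE (present or future) is shown for that dependency. Both are scoped with a `packageUrl` so the suppression only fires for the PyPI package that collides with the GitHub project's name, rather than globally.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Form 1: suppress a single CVE for one PyPI package.
         Surgical, but every newly published CVE against the same
         CPE needs a new entry. Identifiers below are placeholders. -->
    <suppress>
        <notes><![CDATA[
        Placeholder example: CVE filed against an unrelated GitHub project
        whose name collides with the PyPI package "examplepkg".
        ]]></notes>
        <packageUrl regex="true">^pkg:pypi/examplepkg@.*$</packageUrl>
        <cve>CVE-0000-00000</cve>
    </suppress>

    <!-- Form 2: suppress the CPE match for the same PyPI package.
         The false-positive identifier is dropped, so no CVE recorded
         against it is reported for this dependency, including ones
         published later. Use only when the CPE itself is a mis-match. -->
    <suppress>
        <notes><![CDATA[
        Placeholder example: "examplepkg_project:examplepkg" is a GitHub
        pet project, not the PyPI package; identifier is a false positive.
        ]]></notes>
        <packageUrl regex="true">^pkg:pypi/examplepkg@.*$</packageUrl>
        <cpe>cpe:/a:examplepkg_project:examplepkg</cpe>
    </suppress>

</suppressions>
```

The check a practitioner should make before choosing the second form is that the CPE is wrong for the dependency, not merely that the currently listed CVEs are unexploitable: once the CPE is suppressed, a real vulnerability later published against that same vendor/product pair will not surface either.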
I am interested in finding out whether the maintainers @jeremylong and @aikebah are planning on eventually merging this or whether I should close it.
Yes - I will likely be merging this before the next release. I haven't had as much time to focus on ODC as I have in the past due to a new job and needing to ramp up on a new platform, etc.
I've been considering several things with this event and will likely add some stories for the 8.0.0 release. Possibly creating a suppression file hosted on GitHub that will be able to be updated faster than the packaged release - so we can add suppressions to the hosted file and suppress things like this for a broader community in-between full releases. This would also include improving the issue-ops around false positives to assist in updating the hosted suppression file...

> creating a suppression file hosted on GitHub that will be able to be updated faster than the packaged release
I can imagine this would certainly be very welcome by this community.