
Log when non-base suppressions rules are unused

Open jeremylong opened this issue 1 year ago • 2 comments

Supersedes #4687

Fixes https://github.com/jeremylong/DependencyCheck/issues/4685

This might be useful to some - a log message has been added when a non-base suppression rule was not used.

jeremylong avatar Jul 27 '22 11:07 jeremylong

Need to get my head around the why, but it appears to break the suppression of https://github.com/jeremylong/DependencyCheck/commit/83e0f647912716a71b58306a7368809cb967d796

causing integration-test 629 to fail, as cbor gets bundled with ion and the CVE is no longer suppressed for ion.

aikebah avatar Aug 01 '22 18:08 aikebah

I've been off and on looking at this as time permits - I haven't been able to figure out why this PR breaks 629 and does not suppress the CVE for ion...

jeremylong avatar Aug 02 '22 09:08 jeremylong

> I've been off and on looking at this as time permits - I haven't been able to figure out why this PR breaks 629 and does not suppress the CVE for ion...

Added a few pieces of targeted debugging and finally got around to the root cause... the singleton is reused in CPESuppressionAnalyzer and VulnerabilitySuppressionAnalyzer, so rather than 55 CVE suppressions + 3 vulnerabilityName suppressions, the VulnerabilitySuppressionAnalyzer runs with the same 508 CPE suppression rules that the CPESuppressionAnalyzer uses:

[WARNING] CpeSuppressionAnalyzer with 508 suppressionRules
...
[WARNING] VulnerabilitySuppressionAnalyzer with 508 suppressionRules

The base suppressions have 560 rules: 49 contain only CVEs, 3 only vulnerabilityNames, 502 only CPE and 6 a mixture of CPE and CVE. So out of the 58 rules that VulnerabilitySuppressionAnalyzer should take into account, only the 6 that also have CPE suppressions are taken into account.

So filtering out the applicable rules needs to move from rules-loading to suppression processing evaluation or we need separate CPE and vulnerabilitySuppression ruleset singletons.

aikebah avatar Aug 10 '22 17:08 aikebah
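The singleton mix-up described in the comment above, modelled in Python as an added illustration (this is not DependencyCheck code; the rule class, the cached-list singleton, the dependency data and the simplified matching semantics are all constructed here). The base rule set is built with the same composition aikebah counted (49 CVE-only, 3 vulnerabilityName-only, 502 CPE-only, 6 mixed), so the buggy loader hands the vulnerability analyzer 508 rules of which only the 6 mixed ones apply, while filtering at evaluation time yields the expected 58. The last part models the PR's feature: after a scan, the non-base rules that never fired are reported.

```python
"""Added model of the shared suppression-rule singleton bug and of the
"unused non-base rule" report. Not DependencyCheck code: rule fields,
counts, matching logic and dependency data are constructed for this example."""
from dataclasses import dataclass, field


@dataclass
class SuppressionRule:
    cpe: list = field(default_factory=list)
    cve: list = field(default_factory=list)
    vulnerability_name: list = field(default_factory=list)
    base: bool = False   # True for rules shipped with the tool, False for user rules
    used: bool = False   # set once the rule actually suppresses something

    def is_cpe_rule(self) -> bool:
        return bool(self.cpe)

    def is_vulnerability_rule(self) -> bool:
        return bool(self.cve or self.vulnerability_name)


def constructed_base_rules() -> list:
    """560 constructed rules mirroring the counts quoted in the thread."""
    rules = [SuppressionRule(cve=[f"CVE-2000-{i:04d}"], base=True) for i in range(49)]
    rules += [SuppressionRule(vulnerability_name=[f"NAME-{i}"], base=True) for i in range(3)]
    rules += [SuppressionRule(cpe=[f"cpe:/a:vendor{i}:prod{i}"], base=True) for i in range(502)]
    rules += [SuppressionRule(cpe=[f"cpe:/a:mixed{i}:prod"], cve=[f"CVE-2001-{i:04d}"], base=True)
              for i in range(6)]
    return rules


class SharedFilteredRuleSet:
    """Buggy shape: the first analyzer to load filters the rules and the
    filtered list is cached, so every later caller gets that same list."""
    _instance = None

    @classmethod
    def reset(cls):
        cls._instance = None

    @classmethod
    def get(cls, all_rules, keep):
        if cls._instance is None:
            cls._instance = [r for r in all_rules if keep(r)]
        return cls._instance


def buggy_rule_counts(all_rules):
    """(rules seen by CPE analyzer, rules seen by vuln analyzer, of which actually vuln rules)."""
    SharedFilteredRuleSet.reset()
    cpe_rules = SharedFilteredRuleSet.get(all_rules, SuppressionRule.is_cpe_rule)
    vuln_rules = SharedFilteredRuleSet.get(all_rules, SuppressionRule.is_vulnerability_rule)
    effective = [r for r in vuln_rules if r.is_vulnerability_rule()]
    return len(cpe_rules), len(vuln_rules), len(effective)


def fixed_rule_counts(all_rules):
    """Fix: share the unfiltered rules and let each analyzer filter when it evaluates."""
    cpe_rules = [r for r in all_rules if r.is_cpe_rule()]
    vuln_rules = [r for r in all_rules if r.is_vulnerability_rule()]
    return len(cpe_rules), len(vuln_rules)


@dataclass
class Dependency:
    cpes: set                 # identified CPEs
    vulnerabilities: dict     # CVE id -> vulnerability name


def apply_suppressions(dep, all_rules):
    """Per-analyzer filtering at evaluation time; marks every rule that fires.
    Matching is simplified: a CPE rule drops matching CPEs, a vulnerability rule
    drops a CVE by id or by name, without the real tool's CPE-scoped CVE logic."""
    for r in (r for r in all_rules if r.is_cpe_rule()):
        hit = dep.cpes & set(r.cpe)
        if hit:
            dep.cpes -= hit
            r.used = True
    for r in (r for r in all_rules if r.is_vulnerability_rule()):
        for cve in list(dep.vulnerabilities):
            if cve in r.cve or dep.vulnerabilities[cve] in r.vulnerability_name:
                del dep.vulnerabilities[cve]
                r.used = True


def unused_non_base_rules(all_rules):
    """What the PR logs: user-supplied rules that never suppressed anything."""
    return [r for r in all_rules if not r.base and not r.used]


def demo():
    rules = constructed_base_rules() + [
        SuppressionRule(cve=["CVE-2022-0001"]),           # user rule that fires
        SuppressionRule(cpe=["cpe:/a:nobody:nothing"]),   # user rule that never fires
    ]
    dep = Dependency(cpes={"cpe:/a:vendor7:prod7"},
                     vulnerabilities={"CVE-2022-0001": "example", "CVE-2001-0003": "other"})
    apply_suppressions(dep, rules)
    return dep, unused_non_base_rules(rules)


if __name__ == "__main__":
    print("buggy:", buggy_rule_counts(constructed_base_rules()))
    print("fixed:", fixed_rule_counts(constructed_base_rules()))
    for rule in demo()[1]:
        print("unused non-base suppression rule:", rule)
```

Running the module prints the 508/508/6 split for the buggy path and 508/58 for the fixed one, then a single unused-rule line for the constructed CPE rule that matched nothing; base rules that never fire are deliberately not reported, matching the "non-base" wording of the PR.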