DependencyCheck

Suppression with multiple CVE tags will not output as unmatched when there is at least one other CVE that does match

Open. Jurrie opened this issue 3 years ago (0 comments)

Describe the bug

Since https://github.com/jeremylong/DependencyCheck/issues/4685 the unmatched suppression rules are output. I think there is a bug in this logic. When a suppression is listed with multiple CVEs, where one CVE will not match, there is no output if at least one other CVE is matched.

Version of dependency-check used

The problem occurs using version 7.1.2 of the maven plugin.

To Reproduce

Steps to reproduce the behavior:

  1. Download https://jurr.org/owasp_dependency_check/zero_matches_suppression_rules_bug.zip
  2. Unzip
  3. Read README.txt

Expected behavior

See the README.txt contained in the zip file.

Jurrie, Sep 13 '22 11:09
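The distinction the report turns on is rule-level versus tag-level bookkeeping: a `<suppress>` rule with several `<cve>` tags counts as "matched" as soon as any one tag suppresses a finding, so a sibling tag that matches nothing is never reported. The following is an added example, not code from DependencyCheck or from the reporter's zip file. It parses a constructed suppression file (the `packageUrl` patterns and `CVE-0000-000x` identifiers are placeholders, not real dependencies or vulnerabilities; the namespace is assumed to be the published 1.3 suppression schema), applies it to a constructed list of findings, and prints the unmatched report both ways so the difference is visible.

```python
"""Rule-level vs. tag-level reporting of unmatched suppression entries.

Added example (not DependencyCheck's own code). Models a suppression file
whose rules carry several <cve> tags and shows why a rule that matched on
one CVE hides a sibling <cve> tag that never matched anything.
"""
import re
import xml.etree.ElementTree as ET

# Assumed: the published dependency-check suppression schema namespace.
NS_URI = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
NS = {"s": NS_URI}

# Constructed suppression file; package URLs and CVE ids are placeholders.
SUPPRESSIONS_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="{NS_URI}">
  <suppress>
    <notes>rule-0: two CVE tags, only one applies to this dependency</notes>
    <packageUrl regex="true">^pkg:maven/org\\.example/lib-a@.*$</packageUrl>
    <cve>CVE-0000-0001</cve>
    <cve>CVE-0000-0002</cve>
  </suppress>
  <suppress>
    <notes>rule-1: matches nothing in this scan</notes>
    <packageUrl regex="true">^pkg:maven/org\\.example/lib-b@.*$</packageUrl>
    <cve>CVE-0000-0003</cve>
  </suppress>
</suppressions>
"""

# Constructed scan findings as (packageUrl, cve). CVE-0000-0002 is present,
# but on a dependency rule-0 does not cover, so that tag must stay unmatched.
FINDINGS = [
    ("pkg:maven/org.example/lib-a@1.0.0", "CVE-0000-0001"),
    ("pkg:maven/org.example/lib-c@2.0.0", "CVE-0000-0002"),
]


def load_rules(xml_text):
    """Parse <suppress> rules into dicts with an id, packageUrl and its cve tags."""
    root = ET.fromstring(xml_text)
    rules = []
    for idx, sup in enumerate(root.findall("s:suppress", NS)):
        purl = sup.find("s:packageUrl", NS)
        rules.append({
            "id": f"rule-{idx}",
            "notes": (sup.findtext("s:notes", default="", namespaces=NS) or "").strip(),
            "packageUrl": purl.text.strip(),
            "packageUrl_regex": purl.get("regex", "false") == "true",
            "cves": [c.text.strip() for c in sup.findall("s:cve", NS)],
        })
    return rules


def purl_matches(rule, purl):
    if rule["packageUrl_regex"]:
        return re.search(rule["packageUrl"], purl) is not None
    return rule["packageUrl"] == purl


def apply_rules(rules, findings):
    """Suppress findings; record which rules and which (rule, cve) tags fired."""
    matched_rules, matched_tags, suppressed = set(), set(), []
    for purl, cve in findings:
        for r in rules:
            if purl_matches(r, purl) and cve in r["cves"]:
                matched_rules.add(r["id"])
                matched_tags.add((r["id"], cve))
                suppressed.append((purl, cve, r["id"]))
                break
    return suppressed, matched_rules, matched_tags


def unmatched_rules(rules, matched_rules):
    """Rule-level view: a rule is unmatched only if none of its tags fired."""
    return [r["id"] for r in rules if r["id"] not in matched_rules]


def unmatched_tags(rules, matched_tags):
    """Tag-level view: every <cve> tag that fired for nothing, even when a
    sibling tag in the same rule did."""
    return [(r["id"], c) for r in rules for c in r["cves"]
            if (r["id"], c) not in matched_tags]


if __name__ == "__main__":
    rules = load_rules(SUPPRESSIONS_XML)
    suppressed, mr, mt = apply_rules(rules, FINDINGS)
    print("suppressed:", suppressed)
    print("unmatched rules (rule-level):", unmatched_rules(rules, mr))
    print("unmatched cve tags (tag-level):", unmatched_tags(rules, mt))
```

Run stand-alone, the rule-level report lists only rule-1, while the tag-level report also surfaces `CVE-0000-0002` under rule-0, the tag that the rule-level view silently keeps alive.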