Functionality to suppress CVEs
A good function to have is the ability to suppress certain CVEs, so that they are shown as suppressed on the Dependency Track server, without any manual interaction with the web-app, and thus won't be considered for the findings goals if it is configured to fail the build.
A way to implement this would be adding a configuration where you can have a list of CVEs, with additional info such as state, justification and details. This suppression would be triggered while uploading a BOM, so that all further goals after the upload get the actual list of findings.
I think it's better to add a VEX (Vulnerability Exploitability Exchange) upload, and Dependency-Track supports that. There is an API call for this: /api/v1/vex. Here you can find some examples of VEX files: https://github.com/CycloneDX/bom-examples/tree/master/VEX
I think that would be a better solution as it is not a proprietary extension.
I'm not sure if this is what I need for my use-case. In my pipeline I generate a new BOM (with the cyclonedx-maven-plugin), upload it to Dependency-Track, suppress the CVEs that were already analysed, then finally execute the findings goal, which would fail the pipeline if the findings are higher than the corresponding thresholds. I don't need the analysed vulnerabilities to be found in the findings again.
If I understand the principle of VEX correctly, I would need to reference the BOM, which in my case has a different reference each time, within the VEX for each vulnerability that I need to be suppressed in the "affects" block. Can I generate such a VEX within the pipeline after the upload, or am I understanding something wrong?
@kpe09 sorry for the delay in responding. I need to find time to look into this requirement and think about how this can be applied within the tool to broadly fit various use cases.
@kpe09 Yes, you can upload a VEX file after uploading your BOM file. But it is important that you don't collect the findings before the VEX upload is completed and processed. I used the VEX file as a replacement for the OWASP dependency-check suppression file.
Here is a small example VEX file to suppress a false positive.
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "metadata": {
    "timestamp": "2024-11-22T00:00:00Z",
    "component": {
      "type": "library",
      "bom-ref": "pkg:maven/ch.qos.logback.access/common@2.0.3?type=jar",
      "group": "ch.qos.logback.access",
      "name": "common",
      "version": "2.0.3",
      "description": "Logback Access Common module",
      "purl": "pkg:maven/ch.qos.logback.access/common@2.0.3?type=jar"
    }
  },
  "vulnerabilities": [
    {
      "id": "CVE-2015-5723",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5723"
      },
      "analysis": {
        "state": "false_positive",
        "response": ["will_not_fix"],
        "detail": "Statement: false_positive - invalid cpe pattern matching (doctrine-project:common pattern mismatch)"
      },
      "affects": [
        {
          "ref": "pkg:maven/ch.qos.logback.access/common@2.0.3?type=jar"
        }
      ]
    }
  ]
}
```
Another Maven plugin with its own suppression file can be found here: https://github.com/iabudiab/dependency-track-maven-plugin But I prefer the standard VEX file format.
Oh, I found a fork with VEX Upload. ;-) https://github.com/lonewalker0/dependency-track-maven-plugin
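The pipeline step described in the posts above (upload BOM, upload a VEX kept in the repository, wait until it is processed, only then check findings) as an added example script; it is not code from the plugin, from the fork, or from Dependency-Track. It generates a VEX in the same shape as the example above from a suppression list, base64-encodes it for `PUT /api/v1/vex` with `projectName`/`projectVersion` (the body shape is an assumption, check it against your server's Swagger), and polls the upload token at `/api/v1/bom/token/{token}` before returning. The `affects[].ref` carries the component purl rather than the BOM's bom-ref, which is assumed to be how Dependency-Track matches the VEX to components and is what makes a repository-kept VEX survive BOMs whose bom-refs change every build. The suppression list and environment variable names are constructed for the example.

```python
"""Build a CycloneDX VEX from a suppression list kept in the repository and
upload it to Dependency-Track before the findings check (added example)."""
import base64
import json
import os
import time
import urllib.request
from datetime import datetime, timezone

# Analysis states and justifications defined by the CycloneDX spec.
VALID_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                "in_triage", "false_positive", "not_affected"}
VALID_JUSTIFICATIONS = {"code_not_present", "code_not_reachable",
                        "requires_configuration", "requires_dependency",
                        "requires_environment", "protected_by_compiler",
                        "protected_at_runtime", "protected_at_perimeter",
                        "protected_by_mitigating_control"}

# Constructed sample suppression list (what you would commit next to the pom).
SUPPRESSIONS = [
    {"id": "CVE-2015-5723",
     "purl": "pkg:maven/ch.qos.logback.access/common@2.0.3?type=jar",
     "state": "false_positive",
     "detail": "invalid cpe pattern matching (doctrine-project:common)"},
]


def build_vex(suppressions, timestamp=None):
    """Return a CycloneDX 1.6 VEX document (dict) for the suppression list.

    affects[].ref is the component purl, not the BOM's bom-ref, so the same
    VEX stays valid across BOM uploads whose bom-refs change (assumed
    Dependency-Track matching behaviour; verify against your server).
    """
    vulns = []
    for s in suppressions:
        if s["state"] not in VALID_STATES:
            raise ValueError(f"{s['id']}: unknown analysis state {s['state']!r}")
        analysis = {"state": s["state"], "detail": s.get("detail", "")}
        just = s.get("justification")
        if just is not None and just not in VALID_JUSTIFICATIONS:
            raise ValueError(f"{s['id']}: unknown justification {just!r}")
        if s["state"] == "not_affected" and just is None:
            # Design choice of this script: a not_affected claim must say why.
            raise ValueError(f"{s['id']}: not_affected needs a justification")
        if just is not None:
            analysis["justification"] = just
        vulns.append({
            "id": s["id"],
            "source": {"name": "NVD",
                       "url": f"https://nvd.nist.gov/vuln/detail/{s['id']}"},
            "analysis": analysis,
            "affects": [{"ref": s["purl"]}],
        })
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "metadata": {"timestamp": ts}, "vulnerabilities": vulns}


def vex_upload_body(project_name, project_version, vex):
    """JSON body for PUT /api/v1/vex: VEX base64-encoded (assumed body shape)."""
    raw = json.dumps(vex, separators=(",", ":")).encode()
    return {"projectName": project_name, "projectVersion": project_version,
            "vex": base64.b64encode(raw).decode("ascii")}


def _call(url, api_key, method="GET", body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "X-Api-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def upload_vex_and_wait(base_url, api_key, project_name, project_version,
                        vex, timeout_s=120):
    """Upload the VEX and block until the server has processed it.

    Run the findings check only after this returns; before that the server
    still reports the suppressed CVEs. Assumes the upload answers with a
    token and GET /api/v1/bom/token/{token} answers {"processing": bool}.
    """
    token = _call(f"{base_url}/api/v1/vex", api_key, "PUT",
                  vex_upload_body(project_name, project_version, vex))["token"]
    deadline = time.monotonic() + timeout_s
    while _call(f"{base_url}/api/v1/bom/token/{token}", api_key)["processing"]:
        if time.monotonic() > deadline:
            raise TimeoutError(f"VEX upload {token} still processing")
        time.sleep(2)
    return token


if __name__ == "__main__":
    doc = build_vex(SUPPRESSIONS)
    print(json.dumps(doc, indent=2))
    if os.environ.get("DTRACK_URL"):  # only upload when a server is configured
        upload_vex_and_wait(os.environ["DTRACK_URL"], os.environ["DTRACK_API_KEY"],
                            os.environ["DTRACK_PROJECT"],
                            os.environ["DTRACK_VERSION"], doc)
```

Call it between the BOM upload and the findings goal; the BOM upload has to be processed first as well, since a VEX for components the server does not know yet has nothing to attach to.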
This definitely sounds like functionality that people will find useful. I am keen to add it but would prefer to go with the VEX format as it's a standard.
Unfortunately I have very limited time these days, so it will only happen through a Pull Request. I'd happily review and test any submissions and release it into the plugin if it works and meets the existing code standards and formatting.
@pmckeown why not integrate the fork by @lonewalker0 linked above?
PS. The fork linked above does much more than I need.
I'd like to keep the VEX file in the repository and just upload it before checking the findings (so that suppressed findings don't fail the build).