I have a build in CI failing on the OWASP dependency check. For example:
[HIGH] CVE-2021-37136 - io.netty:netty-codec-4.1.66.Final
I understand I can add a suppression in owaspDependencyCheckSuppressions.xml
to fix this.
It's something I haven't done before, but there is a guide here - https://jeremylong.github.io/DependencyCheck/general/suppression.html which says ...
"Suppressing these false positives is fairly easy using the HTML report. In the report next to each CPE identified (and on CVE entries) there is a suppress button. Clicking the suppression button will create a dialogue box in which you can simply hit Control-C to copy the XML that you would place into a suppression XML file"
I have 2 questions:
#1 Do you know where I can find this HTML report? I thought it might be linked in CI (I'm using Circle CI), but I can't spot it there :(
#2 An example suppression is given in the guide:
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
file name: some.jar
]]></notes>
<sha1>66734244CE86857018B023A8C56AE0635C56B6A1</sha1>
<cpe>cpe:/a:apache:struts:2.0.0</cpe>
</suppress>
</suppressions>
The guide goes on to say:
"The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash."
What is meant by "any file"? Does this mean any Java class which uses the dependency?
Thanks :)
The answer below is based on the Gradle OWASP plugin version 7.4.4.
Below is the plugin declaration from my build.gradle:
id "org.owasp.dependencycheck" version "7.4.4"
And below is the task configuration:
dependencyCheck {
formats = ['xml','json']
failBuildOnCVSS = 8
failOnError = true
suppressionFile = 'config/dependency-check/suppressions.xml'
check.dependsOn(dependencyCheckAnalyze)
}
As you can see, we have provided a path in suppressionFile, where we can define the suppressions for vulnerabilities.
So, in my case our Sonar build was failing due to:
Filename: spring-security-oauth2-client-5.6.3.jar | Reference: CVE-2022-22978 | CVSS Score: 9.8
Filename: snakeyaml-1.33.jar | Reference: CVE-2022-1471 | CVSS Score: 9.8
So I added them to Suppression.xml, and my file looks like the following:
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress until="2023-06-01Z">
<notes><![CDATA[
This suppresses a CVE from SnakeYaml as it needs to wait until SpringBoot 3 upgrade
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
<vulnerabilityName>CVE-2022-1471</vulnerabilityName>
</suppress>
<suppress until="2023-06-01Z">
<notes><![CDATA[
This suppresses a CVE from OAuth Client as it needs to wait until SpringBoot 3 upgrade
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-oauth2\-client@.*$</packageUrl>
<vulnerabilityName>CVE-2022-22978</vulnerabilityName>
</suppress>
</suppressions>
I recommend using until="2023-06-01Z" so you don't suppress them forever.
Vulnerabilities can be suppressed in a number of different combinations, so please refer to https://jeremylong.github.io/DependencyCheck/general/suppression.html and decide which option suits your requirements.
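A useful check before committing a suppression like the ones above is a dry run: parse the suppression file, parse the scan report, and list which findings each rule would hide, which rules match nothing, and which have passed their until date. The script below is an added example written for this answer; it is not the question's, the answer's, or the Dependency-Check project's own code, and it only re-implements a simplified version of the guide's matching rules (a suppress element applies when every selector it contains matches, with sha1 compared against the dependency file's hash, packageUrl against the file's package URL identifiers, cpe against its CPE identifiers, and cve/vulnerabilityName against the finding). The report layout it reads (dependencies[].fileName / sha1 / packages[].id / vulnerabilityIds[].id / vulnerabilities[].name) is an assumption modelled on the plugin's JSON report, and the sample report is constructed with dummy SHA1 values; for the Gradle plugin the real reports land under build/reports by default. It also illustrates the answer to the "any file" question: the selectors identify the dependency file (the jar) itself, not the classes that use it.

```python
"""Dry-run a Dependency-Check suppression file against a scan report (added example)."""
import json
import re
import xml.etree.ElementTree as ET
from datetime import date

NS = "{https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd}"

# Constructed suppression file in the same shape as the answer's, plus the
# guide's sha1/cpe rule so that an unused rule shows up in the dry run.
SUPPRESSIONS_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2023-06-01Z">
    <notes><![CDATA[Waits for the Spring Boot 3 upgrade]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
    <vulnerabilityName>CVE-2022-1471</vulnerabilityName>
  </suppress>
  <suppress>
    <notes><![CDATA[file name: some.jar]]></notes>
    <sha1>66734244CE86857018B023A8C56AE0635C56B6A1</sha1>
    <cpe>cpe:/a:apache:struts:2.0.0</cpe>
  </suppress>
</suppressions>
"""

# Constructed report fragment. Key names are an ASSUMPTION modelled on the
# plugin's JSON report; the sha1 values are dummies, not real hashes.
REPORT_JSON = json.dumps({"dependencies": [
    {"fileName": "snakeyaml-1.33.jar",
     "sha1": "0000000000000000000000000000000000000001",
     "packages": [{"id": "pkg:maven/org.yaml/snakeyaml@1.33"}],
     "vulnerabilityIds": [],
     "vulnerabilities": [{"name": "CVE-2022-1471", "severity": "CRITICAL"}]},
    {"fileName": "spring-security-oauth2-client-5.6.3.jar",
     "sha1": "0000000000000000000000000000000000000002",
     "packages": [{"id": "pkg:maven/org.springframework.security/"
                         "spring-security-oauth2-client@5.6.3"}],
     "vulnerabilityIds": [],
     "vulnerabilities": [{"name": "CVE-2022-22978", "severity": "CRITICAL"}]},
]})


def parse_suppressions(xml_text):
    """Return one dict per <suppress>: its until date, notes and selector list."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rules = []
    for sup in root.findall(f"{NS}suppress"):
        rule = {"until": sup.get("until"), "notes": "", "selectors": []}
        for child in sup:
            tag = child.tag.replace(NS, "")
            text = (child.text or "").strip()
            if tag == "notes":
                rule["notes"] = text
            else:
                rule["selectors"].append((tag, text, child.get("regex") == "true"))
        rules.append(rule)
    return rules


def _match(pattern, regex, candidate):
    """Regex selectors are anchored patterns; plain selectors must match exactly."""
    if candidate is None:
        return False
    return re.match(pattern, candidate) is not None if regex else pattern == candidate


def rule_matches(rule, dep, vuln_name):
    """A rule applies only when every selector it carries matches (AND semantics)."""
    for tag, value, regex in rule["selectors"]:
        if tag == "sha1":
            ok = value.upper() == (dep.get("sha1") or "").upper()
        elif tag == "filePath":
            ok = _match(value, regex, dep.get("filePath") or dep.get("fileName"))
        elif tag == "packageUrl":
            ok = any(_match(value, regex, p.get("id")) for p in dep.get("packages", []))
        elif tag == "cpe":
            ok = any(_match(value, regex, c.get("id")) for c in dep.get("vulnerabilityIds", []))
        elif tag in ("cve", "vulnerabilityName"):
            ok = _match(value, regex, vuln_name)
        else:
            ok = False  # selector this model does not implement: never suppress on it
        if not ok:
            return False
    return True


def is_expired(rule, today):
    """until="YYYY-MM-DDZ" rules stop applying after that date."""
    until = rule["until"]
    return bool(until) and date.fromisoformat(until.rstrip("Z")) < today


def dry_run(xml_text, report_json, today):
    """Classify every finding as suppressed or remaining and flag unused/expired rules."""
    rules = parse_suppressions(xml_text)
    report = json.loads(report_json)
    suppressed, remaining = [], []
    for dep in report["dependencies"]:
        for vuln in dep.get("vulnerabilities", []):
            hit = next((i for i, r in enumerate(rules)
                        if not is_expired(r, today) and rule_matches(r, dep, vuln["name"])), None)
            if hit is None:
                remaining.append((dep["fileName"], vuln["name"]))
            else:
                suppressed.append((dep["fileName"], vuln["name"], hit))
    used = {i for _, _, i in suppressed}
    return {"suppressed": suppressed,
            "remaining": remaining,
            "unused_rules": [i for i in range(len(rules)) if i not in used],
            "expired_rules": [i for i, r in enumerate(rules) if is_expired(r, today)]}


if __name__ == "__main__":
    for label, result in (("before expiry", dry_run(SUPPRESSIONS_XML, REPORT_JSON, date(2023, 1, 15))),
                          ("after expiry", dry_run(SUPPRESSIONS_XML, REPORT_JSON, date(2024, 1, 1)))):
        print(label, json.dumps(result, indent=2))
```

Running it with a date before 2023-06-01 shows the snakeyaml rule hiding CVE-2022-1471 while CVE-2022-22978 still fails the build (no rule covers it), and the copied struts rule flagged as unused; with a later date the snakeyaml rule is reported as expired and both findings come back, which is exactly the behaviour the until attribute is meant to force.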