javasecuritycontinuous-integrationowaspsuppression

OWASP Dependency check, how to use suppressions


I have a build in CI failing on a the OWASP dependency check. For example

[HIGH] CVE-2021-37136 - io.netty:netty-codec-4.1.66.Final

I understand I can add a suppression in owaspDependencyCheckSuppressions.xml to fix this.

It's something I haven't done before, but there is a guide here - https://jeremylong.github.io/DependencyCheck/general/suppression.html which says ...

"Suppressing these false positives is fairly easy using the HTML report. In the report next to each CPE identified (and on CVE entries) there is a suppress button. Clicking the suppression button will create a dialogue box which you can simple hit Control-C to copy the XML that you would place into a suppression XML file"

I have 2 questions

#1 Do you know where I can find this HTML report? I thought it might be linked in CI (I'm using Circle CI), but I can't spot it there :(

#2 An example suppression is given in the guide

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress>
      <notes><![CDATA[
      file name: some.jar
      ]]></notes>
      <sha1>66734244CE86857018B023A8C56AE0635C56B6A1</sha1>
      <cpe>cpe:/a:apache:struts:2.0.0</cpe>
   </suppress>
</suppressions>

The guide goes on to say

"The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash."

What is meant by "any file"? Does this mean any Java class which uses the dependency?

Thanks :)


Solution

  • Below answer is based on gradle OWASP plugin version 7.4.4.

    Below in my build.gradle

    id "org.owasp.dependencycheck" version "7.4.4"
    

    And below is the task configuration

    dependencyCheck {
        formats = ['xml','json']
        failBuildOnCVSS = 8
        failOnError = true
        suppressionFile = 'config/dependency-check/suppressions.xml'
        check.dependsOn(dependencyCheckAnalyze)
    }
    

    And as you see we have provided a path to suppressionFile where we can define the suppression for vulnerabilities.

    So, in my case our sonar build was failing due to

    Filename: spring-security-oauth2-client-5.6.3.jar | Reference: CVE-2022-22978 | CVSS Score: 9.8
    
    Filename: snakeyaml-1.33.jar | Reference: CVE-2022-1471 | CVSS Score: 9.8
    

    So, I have added them in Suppression.xml and my file looks like below

    <?xml version="1.0" encoding="UTF-8"?>
    <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
        <suppress until="2023-06-01Z">
            <notes><![CDATA[
            This suppresses a CVE from SnakeYaml as it needs to wait until SpringBoot 3 upgrade
            ]]></notes>
            <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
            <vulnerabilityName>CVE-2022-1471</vulnerabilityName>
        </suppress>
        <suppress until="2023-06-01Z">
            <notes><![CDATA[
            This suppresses a CVE from OAuth Client as it needs to wait until SpringBoot 3 upgrade
            ]]></notes>
            <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-oauth2\-client@.*$</packageUrl>
            <vulnerabilityName>CVE-2022-22978</vulnerabilityName>
        </suppress>
    </suppressions>
    

    I recommend to use until="2023-06-01Z" so you don't suppress them forever.

    Vulnerabilities can be suppressed in number of different combinations. So, please refer https://jeremylong.github.io/DependencyCheck/general/suppression.html and decide which option suits your requirement.