
Dependency-Track is forgetting suppressions on vulnerabilities


I included dependency track in my build-pipeline with:

mvn cyclonedx:makeAggregateBom dependency-track:upload-bom

My maven project is configured like this:

<plugin>
    <groupId>io.github.pmckeown</groupId>
    <artifactId>dependency-track-maven-plugin</artifactId>
    <version>1.5.0</version>
    <configuration>
        <dependencyTrackBaseUrl>https://dependency-track.<my-company.com></dependencyTrackBaseUrl>
        <apiKey>${env.DEPENDENCY_TRACK_API_KEY}</apiKey>
        <failOnError>true</failOnError>
        <pollingConfig>
            <pause>2</pause>
            <attempts>30</attempts>
        </pollingConfig>
    </configuration>
</plugin>

This all works fine and I get the analysis results in dependency-track.

Now I suppress some found vulnerabilities in dependency-track, because they do not affect my project.

Some time later (I think not immediately) dependency-track seems to forget some of the suppressions and shows the vulnerabilities again.

This happens in particular with the spring-security-web:5.7.8 dependency.

Is there something wrong with how I call dependency-track? Or is it more likely misconfigured?


Solution

  • I had a similar problem. I use the same tool as you (cdxgen) to generate the SBOM and then pass this SBOM to Dependency Track. In my case, all these steps are jobs in a pipeline which is run frequently. I tried to troubleshoot the issue and this was the scenario that led to it:

    I opened this issue and it looks like it is fixed now; just upgrade to the latest version.
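Whether or not the server is already on a fixed version, a pipeline that re-uploads BOMs frequently benefits from a gate that catches exactly the symptom described above: a finding that was suppressed before the upload and comes back unsuppressed afterwards. The following is an added example, not code from the question, the answer or the Dependency-Track project; it works on constructed sample findings shaped like the /api/v1/finding/project/{uuid} response (field names and the X-Api-Key header are assumed from the Dependency-Track REST API, CVE ids are placeholders), and a fetch helper is included for use against a live server.

```python
import json
import urllib.request

# Constructed sample findings in the shape of Dependency-Track's
# /api/v1/finding/project/{uuid} response (field names assumed; verify
# against your server's OpenAPI). CVE ids are placeholders, not real CVEs.
BEFORE_UPLOAD = [
    {"component": {"purl": "pkg:maven/org.springframework.security/spring-security-web@5.7.8"},
     "vulnerability": {"vulnId": "CVE-EXAMPLE-0001"},
     "analysis": {"state": "NOT_AFFECTED", "isSuppressed": True}},
    {"component": {"purl": "pkg:maven/com.example/removed-lib@1.0"},
     "vulnerability": {"vulnId": "CVE-EXAMPLE-0002"},
     "analysis": {"state": "NOT_AFFECTED", "isSuppressed": True}},
    {"component": {"purl": "pkg:maven/com.example/other-lib@2.0"},
     "vulnerability": {"vulnId": "CVE-EXAMPLE-0003"}},
]
AFTER_UPLOAD = [
    {"component": {"purl": "pkg:maven/org.springframework.security/spring-security-web@5.7.8"},
     "vulnerability": {"vulnId": "CVE-EXAMPLE-0001"}},  # suppression is gone
    {"component": {"purl": "pkg:maven/com.example/other-lib@2.0"},
     "vulnerability": {"vulnId": "CVE-EXAMPLE-0003"}},
]

def finding_key(f):
    """Identify a finding by component purl and vulnerability id."""
    return (f["component"]["purl"], f["vulnerability"]["vulnId"])

def suppressed_keys(findings):
    """Keys of all findings whose analysis marks them as suppressed."""
    return {finding_key(f) for f in findings
            if f.get("analysis", {}).get("isSuppressed") is True}

def lost_suppressions(before, after):
    """Findings suppressed before the upload that are still present but no
    longer suppressed afterwards. Findings that disappeared entirely (the
    dependency was removed) are not counted: nothing was forgotten there."""
    still_present = {finding_key(f) for f in after}
    return sorted((suppressed_keys(before) - suppressed_keys(after)) & still_present)

def fetch_findings(base_url, project_uuid, api_key):
    """Pull all findings, suppressed ones included, from a live server.
    Assumes Dependency-Track's /api/v1/finding endpoint and X-Api-Key header."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/finding/project/{project_uuid}?suppressed=true",
        headers={"X-Api-Key": api_key})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    lost = lost_suppressions(BEFORE_UPLOAD, AFTER_UPLOAD)
    for purl, vuln in lost:
        print(f"suppression lost: {vuln} on {purl}")
    raise SystemExit(1 if lost else 0)  # fail the pipeline when a suppression vanished
```

In a real pipeline, call fetch_findings once before the upload-bom step and once after the analysis has finished, then compare the two snapshots with lost_suppressions.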