Tags: android, owasp, suppression, owasp-dependency-check, owasp-dependency-track

Writing exclude configs for dependency check


I am using https://github.com/dependency-check/dependency-check-gradle in my Android project.

I want to exclude these dependencies:

ant-1.10.9.jar (pkg:maven/org.apache.ant/ant@1.10.9, cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
ant-antlr-1.10.9.jar (pkg:maven/org.apache.ant/ant-antlr@1.10.9, cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
ant-junit-1.10.9.jar (pkg:maven/org.apache.ant/ant-junit@1.10.9, cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
ant-launcher-1.10.9.jar (pkg:maven/org.apache.ant/ant-launcher@1.10.9, cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
bcpkix-jdk15on-1.56.jar (pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.56, cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.56:*:*:*:*:*:*:*) : CVE-2023-33202
bcprov-jdk15on-1.56.jar (pkg:maven/org.bouncycastle/bcprov-jdk15on@1.56, cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.56:*:*:*:*:*:*:*) : CVE-2018-1000180, CVE-2024-29857, CVE-2017-13098, CVE-2020-15522, CVE-2024-30171, CVE-2020-0187, CVE-2023-33202, CVE-2020-26939, CVE-2023-33201
commons-compress-1.20.jar (pkg:maven/org.apache.commons/commons-compress@1.20, cpe:2.3:a:apache:commons_compress:1.20:*:*:*:*:*:*:*) : CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090, CVE-2024-25710
commons-io-2.4.jar (pkg:maven/commons-io/commons-io@2.4, cpe:2.3:a:apache:commons_io:2.4:*:*:*:*:*:*:*) : CVE-2021-29425

To exclude ant-1.10.9.jar I tried the following config:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        This suppresses a specific cve for any test.jar in any directory.
        ]]></notes>
        <packageUrl regex="false">^pkg:maven/org\.apache\.ant/ant@1.10.9</packageUrl>
        <vulnerabilityName>CVE-2021-36373, CVE-2021-36374</vulnerabilityName>
    </suppress>
    <suppress>
        <notes><![CDATA[
        This suppresses any jboss:jboss cpe for any test.jar in any directory.
        ]]></notes>
        <filePath regex="true">ant-1.10.9.jar</filePath>
        <cpe>cpe:/2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*</cpe>
    </suppress>
</suppressions>

In the above config, I tried both rules for the same dependency to verify which rule works. But neither is working, and I get the following output in Gradle:

Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org\.apache\.ant/ant@1.10.9, regex=false, caseSensitive=false},vulnerabilityName={PropertyType{value=CVE-2021-36373, CVE-2021-36374, regex=false, caseSensitive=false},}}
Suppression Rule had zero matches: SuppressionRule{filePath=PropertyType{value=ant-1.10.9.jar, regex=false, caseSensitive=false},cpe={PropertyType{value=cpe:/2.3:a:apache:ant, regex=false, caseSensitive=false},}}

Kindly help with the configuration.


Solution

  • If you open the HTML report, which is usually present at /build/reports/dependency-check-report.html, and then scroll down on this report, you will see some info similar to the screenshots below.

    [screenshot]

    Then tap on "suppress". You will see the code that you are looking for. See the screenshot below, which is what I see when I press "suppress".

    [screenshot]
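The kind of rule the report's "suppress" button generates, written out here as an added example rather than code from the question or the answer: a suppressions file for the Apache Ant 1.10.9 jars listed in the question, fixing the three problems in the posted config (regex="false" on a regex pattern, a comma-separated list in one vulnerabilityName element, and a cpe value in neither the cpe:/ nor the cpe:2.3 form). It goes a step beyond the single ant jar by covering ant, ant-antlr, ant-junit and ant-launcher with one packageUrl regex; the until date and the justification text in the notes are placeholders to be replaced with your own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Rule 1: match by package URL.
         regex="true" is what makes the ^ ... $ anchors and escaped dots meaningful;
         with regex="false" the value is compared literally and never equals a real purl.
         The optional group covers all four org.apache.ant artifacts from the question. -->
    <suppress until="2025-12-31Z"> <!-- placeholder date: after it the finding reappears -->
        <notes><![CDATA[
        Justification placeholder: CVE-2021-36373 and CVE-2021-36374 concern Ant reading
        crafted TAR/ZIP archives; record here why that does not apply to this build.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.ant/ant(-antlr|-junit|-launcher)?@1\.10\.9$</packageUrl>
        <!-- one <cve> element per CVE, not a comma-separated list in one element -->
        <cve>CVE-2021-36373</cve>
        <cve>CVE-2021-36374</cve>
    </suppress>

    <!-- Rule 2: the same outcome by file path plus CPE. A regex filePath must match the
         whole path, hence the leading .*; the cpe element takes the cpe:/a:vendor:product
         URI form and is matched as a prefix, so it covers the apache:ant CPE the scanner assigned. -->
    <suppress>
        <notes><![CDATA[
        Alternative rule: suppress findings against the apache:ant CPE for this jar only.
        ]]></notes>
        <filePath regex="true">.*ant-1\.10\.9\.jar</filePath>
        <cpe>cpe:/a:apache:ant:1.10.9</cpe>
    </suppress>
</suppressions>
```

Point the plugin at the file with suppressionFile = 'path/to/suppressions.xml' inside the dependencyCheck block of build.gradle and rerun dependencyCheckAnalyze; a rule that still logs "zero matches" is either being compared literally or never hits the full purl or path.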