I am using https://github.com/dependency-check/dependency-check-gradle in my Android project.
Where I want to exclude these dependencies
ant-1.10.9.jar (pkg:maven/org.apache.ant/ant@1.10.9, cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
ant-antlr-1.10.9.jar (pkg:maven/org.apache.ant/ant-antlr@1.10.9, cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
ant-junit-1.10.9.jar (pkg:maven/org.apache.ant/ant-junit@1.10.9, cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
ant-launcher-1.10.9.jar (pkg:maven/org.apache.ant/ant-launcher@1.10.9, cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
bcpkix-jdk15on-1.56.jar (pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.56, cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.56:*:*:*:*:*:*:*) : CVE-2023-33202
bcprov-jdk15on-1.56.jar (pkg:maven/org.bouncycastle/bcprov-jdk15on@1.56, cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.56:*:*:*:*:*:*:*) : CVE-2018-1000180, CVE-2024-29857, CVE-2017-13098, CVE-2020-15522, CVE-2024-30171, CVE-2020-0187, CVE-2023-33202, CVE-2020-26939, CVE-2023-33201
commons-compress-1.20.jar (pkg:maven/org.apache.commons/commons-compress@1.20, cpe:2.3:a:apache:commons_compress:1.20:*:*:*:*:*:*:*) : CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090, CVE-2024-25710
commons-io-2.4.jar (pkg:maven/commons-io/commons-io@2.4, cpe:2.3:a:apache:commons_io:2.4:*:*:*:*:*:*:*) : CVE-2021-29425
For excluding ant-1.10.9.jar I tried following config
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
This suppresses a specific cve for any test.jar in any directory.
]]></notes>
<packageUrl regex="false">^pkg:maven/org\.apache\.ant/ant@1.10.9</packageUrl>
<vulnerabilityName>CVE-2021-36373, CVE-2021-36374</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses any jboss:jboss cpe for any test.jar in any directory.
]]></notes>
<filePath regex="true">ant-1.10.9.jar</filePath>
<cpe>cpe:/2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*</cpe>
</suppress>
</suppressions>
In above config, I tried both rules for same dependancy to verify which rule can work. But both are not working and I get following output in gradle
Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org\.apache\.ant/ant@1.10.9, regex=false, caseSensitive=false},vulnerabilityName={PropertyType{value=CVE-2021-36373, CVE-2021-36374, regex=false, caseSensitive=false},}}
Suppression Rule had zero matches: SuppressionRule{filePath=PropertyType{value=ant-1.10.9.jar, regex=false, caseSensitive=false},cpe={PropertyType{value=cpe:/2.3:a:apache:ant, regex=false, caseSensitive=false},}}
Kindly help into configurations
If you html report, that use to be presents at /build/reports/dependency-check-report.html
.
Then scroll down on this report. You will see some info similar to below screenshots
Then tap on suppress. You will see the code that you are looking for. See the screenshot below, that I see when I press on suppress