
I have a build in CI failing on the OWASP dependency check. For example

[HIGH] CVE-2021-37136 - io.netty:netty-codec-4.1.66.Final 

I understand I can add a suppression in owaspDependencyCheckSuppressions.xml to fix this.

It's something I haven't done before, but there is a guide here - https://jeremylong.github.io/DependencyCheck/general/suppression.html which says ...

"Suppressing these false positives is fairly easy using the HTML report. In the report next to each CPE identified (and on CVE entries) there is a suppress button. Clicking the suppression button will create a dialogue box which you can simple hit Control-C to copy the XML that you would place into a suppression XML file"

I have 2 questions

#1 Do you know where I can find this HTML report? I thought it might be linked in CI (I'm using Circle CI), but I can't spot it there :(

#2 An example suppression is given in the guide

    <?xml version="1.0" encoding="UTF-8"?>
    <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
        <suppress>
            <notes><![CDATA[
            file name: some.jar
            ]]></notes>
            <sha1>66734244CE86857018B023A8C56AE0635C56B6A1</sha1>
            <cpe>cpe:/a:apache:struts:2.0.0</cpe>
        </suppress>
    </suppressions>

The guide goes on to say

"The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash."

What is meant by "any file"? Does this mean any Java class which uses the dependency?

Thanks :)


The answer below is based on the Gradle OWASP plugin version 7.4.4.

Below is the plugin line in my build.gradle

    id "org.owasp.dependencycheck" version "7.4.4"

And below is the task configuration

    dependencyCheck {
        formats = ['xml','json']
        failBuildOnCVSS = 8
        failOnError = true
        suppressionFile = 'config/dependency-check/suppressions.xml'
        check.dependsOn(dependencyCheckAnalyze)
    }

As you can see, we have provided a path in suppressionFile, where we define the suppressions for vulnerabilities.

So, in my case our sonar build was failing due to

    Filename: spring-security-oauth2-client-5.6.3.jar | Reference: CVE-2022-22978 | CVSS Score: 9.8
    Filename: snakeyaml-1.33.jar | Reference: CVE-2022-1471 | CVSS Score: 9.8

So, I have added them to suppressions.xml and my file looks like below

    <?xml version="1.0" encoding="UTF-8"?>
    <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
        <suppress until="2023-06-01Z">
            <notes><![CDATA[
            This suppresses a CVE from SnakeYaml as it needs to wait until SpringBoot 3 upgrade
            ]]></notes>
            <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
            <vulnerabilityName>CVE-2022-1471</vulnerabilityName>
        </suppress>
        <suppress until="2023-06-01Z">
            <notes><![CDATA[
            This suppresses a CVE from OAuth Client as it needs to wait until SpringBoot 3 upgrade
            ]]></notes>
            <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-oauth2\-client@.*$</packageUrl>
            <vulnerabilityName>CVE-2022-22978</vulnerabilityName>
        </suppress>
    </suppressions>

I recommend using until="2023-06-01Z" so you don't suppress them forever.

Vulnerabilities can be suppressed in a number of different combinations. So, please refer to https://jeremylong.github.io/DependencyCheck/general/suppression.html and decide which option suits your requirement.


2 Comments

What is the meaning of the `@` in the packageUrl? I can't find a description.
@not2savvy If you want to suppress a dependency in a particular version of the jar, you use @ followed by the version or .*, or simply just use snakeyaml.*

#1 Click on the 'artifacts' tab on the OWASP dependency check task in CI and the html report is there.

#2 'File' in this context means the file inside the jar that is warranting the dependency issue. It will be given to you in the html report.

1 Comment

The failure can also be suppressed by adding the failing test name to .trivyignore, e.g. CVE-2021-37136

You can use Dependency Shield that streamlines management of the false positives.


If you are looking for how to suppress from a Jenkins job using the dependency check plugin, use --suppression <path to suppression file> in additionalArguments along with the dependencycheck script.

    steps {
        dependencycheck additionalArguments: "--suppression owasp-suppression.xml --noupdate --disableAssembly --disableRetireJS --scan ./target/*.jar", odcInstallation: 'slave'
    }


NOTE: The following solution was applied to my configuration for OWASP Dependency-Check utility version 12.1.0 on Windows. The documentation and online examples list a different configuration so I did not consider the following because I assumed the documentation at minimum would note this change/difference. Unsure if this is a Windows-specific issue or maybe it is only for version 12.1.0.

If you are attempting to add a suppression that uses a regex to find similarly-named files in your app's folders and subfolders, use the characters \\ to denote the directory separator (\) instead of the characters \b.

    <suppress>
        <notes><![CDATA[
        file name: some.jar
        ]]></notes>
        <filePath regex="true">.*\\some\.jar</filePath>
        <cpe>cpe:/a:apache:struts:2.0.0</cpe>
    </suppress>

If you follow the original convention of using the characters \b to denote the directory separator (\), you may see an error similar to the following:

    Suppression Rule had zero matches: SuppressionRule{filePath=PropertyType{value=.*\bsome\.dll, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:apache:struts:2.0.0, regex=false, caseSensitive=false},}}

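Added example, not from any of the answers above and not Dependency-Check's own code: a small Python dry-run that models the rule semantics the Gradle answer (packageUrl with `@version`, `until` dates) and the Windows filePath answer (`\\` as the separator, "zero matches" rules) rely on. It assumes the documented behaviour in simplified form: every selector in a `<suppress>` (filePath, sha1, packageUrl) must match the jar, then `<cpe>`/`<cve>`/`<vulnerabilityName>` decide which findings on that jar are dropped, regex values are whole-string matches, non-regex values compare case-insensitively, and an expired `until` disables the rule. The suppression file, the jar paths, the SHA1s other than the one from the question, and the CVE-0000-0001 id are constructed for the example.

```python
"""Dry-run a Dependency-Check suppression file against report findings.

Simplified model of the documented rule semantics (assumption, not the
tool's own code): all selectors must match the jar, then the cpe/cve/
vulnerabilityName targets decide what is dropped; expired rules are ignored.
"""
import re
import xml.etree.ElementTree as ET
from datetime import date

NS = "{https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd}"

# Constructed suppression file mixing the three selector styles from the answers.
SUPPRESSIONS_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2023-06-01Z">
    <notes><![CDATA[ SnakeYAML: waiting for the Spring Boot 3 upgrade ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
    <vulnerabilityName>CVE-2022-1471</vulnerabilityName>
  </suppress>
  <suppress>
    <notes><![CDATA[ file name: some.jar ]]></notes>
    <sha1>66734244CE86857018B023A8C56AE0635C56B6A1</sha1>
    <cpe>cpe:/a:apache:struts:2.0.0</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[ netty-codec by path; \\ is the Windows separator ]]></notes>
    <filePath regex="true">.*\\netty-codec-.*\.jar</filePath>
    <cve>CVE-2021-37136</cve>
  </suppress>
</suppressions>
"""


def finding(path, sha1, purl, cve, cpe=None):
    """One report row: the jar, its hash, its package URL and one vulnerability."""
    return {"path": path, "sha1": sha1, "purl": purl, "vulns": [{"name": cve, "cpe": cpe}]}


# Constructed findings; only the some.jar SHA1 comes from the question (lower-cased
# on purpose, since caseSensitive defaults to false). CVE-0000-0001 is a placeholder.
FINDINGS = [
    finding(r"C:\build\libs\snakeyaml-1.33.jar", "11" * 20,
            "pkg:maven/org.yaml/snakeyaml@1.33", "CVE-2022-1471"),
    finding(r"C:\build\libs\some.jar", "66734244ce86857018b023a8c56ae0635c56b6a1",
            "pkg:maven/example/some@1.0", "CVE-0000-0001", "cpe:/a:apache:struts:2.0.0"),
    finding(r"C:\build\libs\netty-codec-4.1.66.Final.jar", "22" * 20,
            "pkg:maven/io.netty/netty-codec@4.1.66.Final", "CVE-2021-37136"),
    finding(r"C:\build\libs\spring-security-oauth2-client-5.6.3.jar", "33" * 20,
            "pkg:maven/org.springframework.security/spring-security-oauth2-client@5.6.3",
            "CVE-2022-22978"),
]

FIELD = {"filePath": "path", "sha1": "sha1", "packageUrl": "purl"}  # selector -> finding key


def _matcher(elem):
    """Predicate for one rule element, honouring its regex/caseSensitive attributes."""
    value = (elem.text or "").strip()
    use_regex = elem.get("regex", "false").lower() == "true"
    case_sensitive = elem.get("caseSensitive", "false").lower() == "true"
    if use_regex:
        pat = re.compile(value, 0 if case_sensitive else re.IGNORECASE)
        return lambda s: pat.fullmatch(s) is not None  # whole-string match, like Java matches()
    if case_sensitive:
        return lambda s: s == value
    return lambda s: s.lower() == value.lower()


def load_rules(xml_text):
    rules = []
    for sup in ET.fromstring(xml_text).findall(f"{NS}suppress"):
        until = sup.get("until")  # xs:date, e.g. 2023-06-01Z
        rule = {"notes": (sup.findtext(f"{NS}notes") or "").strip(),
                "until": date.fromisoformat(until.rstrip("Z")) if until else None,
                "selectors": {}, "targets": {}}
        for tag in FIELD:
            el = sup.find(f"{NS}{tag}")
            if el is not None:
                rule["selectors"][tag] = _matcher(el)
        for tag in ("cpe", "cve", "vulnerabilityName"):
            rule["targets"][tag] = [_matcher(el) for el in sup.findall(f"{NS}{tag}")]
        rules.append(rule)
    return rules


def dry_run(xml_text, findings, today_iso):
    """Return (unsuppressed (path, cve) pairs, per-rule stats) as of today_iso."""
    today = date.fromisoformat(today_iso)
    rules = load_rules(xml_text)
    stats = [{"notes": r["notes"], "matches": 0,
              "expired": r["until"] is not None and today > r["until"]} for r in rules]
    remaining = []
    for dep in findings:
        for vuln in dep["vulns"]:
            hit = None
            for rule, stat in zip(rules, stats):
                if stat["expired"]:
                    continue
                if not all(m(dep[FIELD[tag]]) for tag, m in rule["selectors"].items()):
                    continue  # rule does not apply to this jar at all
                by_name = rule["targets"]["cve"] + rule["targets"]["vulnerabilityName"]
                if any(m(vuln["name"]) for m in by_name) or (
                        vuln["cpe"] and any(m(vuln["cpe"]) for m in rule["targets"]["cpe"])):
                    hit = stat
                    break
            if hit is not None:
                hit["matches"] += 1
            else:
                remaining.append((dep["path"], vuln["name"]))
    return remaining, stats


if __name__ == "__main__":
    remaining, stats = dry_run(SUPPRESSIONS_XML, FINDINGS, "2023-01-15")
    for s in stats:
        state = "EXPIRED" if s["expired"] else f"{s['matches']} match(es)"
        if not s["expired"] and s["matches"] == 0:
            state += " <- zero matches: check the regex and the path separator"
        print(f"{state:<12} {s['notes']}")
    for path, cve in remaining:
        print("still failing:", cve, path)
```

Run as-is it reports one match per rule and leaves only CVE-2022-22978 failing; change the date to 2023-07-01 and the SnakeYAML rule shows as EXPIRED, so CVE-2022-1471 comes back, which is exactly why the `until` attribute is worth setting. A rule that reports zero matches is the same situation the "Suppression Rule had zero matches" log line describes, and this is a quick way to check a regex before pushing it through CI.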