Describe the bug
I updated the Gradle plugin to the latest version. Here is our configuration:

    apply plugin: 'org.owasp.dependencycheck'

    dependencyCheck {
        // Fail the build when there is a finding with "medium" severity.
        failBuildOnCVSS = 4
        // Only check the compile classpath and ignore findings in other configurations.
        scanConfigurations = ['debugCompileClasspath', 'acceptanceCompileClasspath', 'productionCompileClasspath']
        suppressionFiles = ["${rootDir}/extra/owasp.suppression.xml"]
    }
After the first run, there are some findings that are false positives for our case. I used the HTML report's suppress button to generate the XML and added it to the OWASP suppression file:

    <suppress>
        <notes><![CDATA[
        Suppress jackson that is dependency for Safened.
        It is not used since Safened communication are happening from our BE
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-databind@.*$</packageUrl>
        <cve>CVE-2019-12814</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        Suppress jackson that is dependency for Safened.
        It is not used since Safened communication are happening from our BE
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-databind@.*$</packageUrl>
        <cpe>cpe:/a:fasterxml:jackson</cpe>
    </suppress>
    <suppress>
        <notes><![CDATA[
        Suppress jackson that is dependency for Safened.
        It is not used since Safened communication are happening from our BE
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-databind@.*$</packageUrl>
        <cpe>cpe:/a:fasterxml:jackson-databind</cpe>
    </suppress>
The next run still generates these errors:

    > Task :common-category:dependencyCheckAggregate
    Generating report for project common-category
    Found 1 vulnerabilities in project common-category
    One or more dependencies were identified with known vulnerabilities in common-category:
    jackson-databind-2.9.9.jar (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9, cpe:2.3:a:fasterxml:jackson:2.9.9:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-databind:2.9.9:*:*:*:*:*:*:*) : CVE-2019-12814
    See the dependency-check report for more details.
Version of dependency-check used
The problem occurs using version 5.1.0 of the Gradle plugin.
Log file
See a bit of it above.
To Reproduce
Steps to reproduce the behavior - see above.
Expected behavior
No findings after suppression.
Additional context
We run the check with the Gradle task:

    ./gradlew dependencyCheckAggregate --no-configure-on-demand
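To check offline which suppression rules would cover the finding printed by the task above, here is an added example (not dependency-check's own matching code) that parses a suppression file and applies a simplified model of the rule semantics: `packageUrl` as a regex when `regex="true"`, `cve` as an exact match, and `cpe` as a prefix match after reducing the logged cpe:2.3 strings to the `cpe:/` form. The suppression XML and the finding are constructed from the report; the third rule is a deliberately non-matching one added for contrast.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the log line above: the PURL, CPEs and CVE of the finding.
FINDING = {
    "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9",
    "cpes": [
        "cpe:2.3:a:fasterxml:jackson:2.9.9:*:*:*:*:*:*:*",
        "cpe:2.3:a:fasterxml:jackson-databind:2.9.9:*:*:*:*:*:*:*",
    ],
    "cves": ["CVE-2019-12814"],
}

# Constructed suppression file: rules 0 and 1 mirror the report, rule 2 is a
# placeholder that targets a different package and should not match.
SUPPRESSIONS_XML = r"""<suppressions>
  <suppress>
    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-databind@.*$</packageUrl>
    <cve>CVE-2019-12814</cve>
  </suppress>
  <suppress>
    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-databind@.*$</packageUrl>
    <cpe>cpe:/a:fasterxml:jackson</cpe>
  </suppress>
  <suppress>
    <packageUrl>pkg:maven/org.example/other-lib@1.0</packageUrl>
    <cve>CVE-2019-12814</cve>
  </suppress>
</suppressions>"""

def cpe23_to_22(cpe23):
    """Reduce 'cpe:2.3:a:vendor:product:version:...' to 'cpe:/a:vendor:product:version'."""
    parts = cpe23.split(":")
    return "cpe:/" + ":".join(parts[2:6])

def rule_matches(rule, finding):
    """Simplified model: every present element of the rule must agree with the finding."""
    purl_el = rule.find("{*}packageUrl")          # {*} ignores the file's namespace
    if purl_el is not None:
        pattern = purl_el.text.strip()            # assumes surrounding whitespace is ignored
        if purl_el.get("regex") == "true":
            if not re.match(pattern, finding["purl"]):
                return False
        elif pattern != finding["purl"]:
            return False
    cves = {c.text.strip() for c in rule.findall("{*}cve")}
    cpes = [c.text.strip() for c in rule.findall("{*}cpe")]
    if cves and not cves & set(finding["cves"]):
        return False
    if cpes and not any(cpe23_to_22(f).startswith(p) for p in cpes for f in finding["cpes"]):
        return False
    return True

def matching_rules(xml_text, finding):
    """Return the indices of the <suppress> rules that cover the finding."""
    root = ET.fromstring(xml_text)
    return [i for i, r in enumerate(root.findall("{*}suppress")) if rule_matches(r, finding)]
```

Running `matching_rules(SUPPRESSIONS_XML, FINDING)` reports which rules apply, so a rule that unexpectedly drops out can be narrowed down to its packageUrl, cve or cpe part before re-running the Gradle task.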