Identify suppressions that are no longer needed. #4685

@mjeffrey

Description

We add a suppression when really needed, but at some point the suppression may become unnecessary. For example, the dependency is updated (often the issue is hidden in a transitive dependency), or it is identified as a false positive and is no longer needed after a plugin update.

When we do an upgrade of our core dependencies every 3 weeks, or an upgrade of the dependency-check plugin, we manually remove all suppressions and put back the ones we need.

This is to keep our suppression list as small as possible since we need to review them periodically.
But this cleaning process is time consuming and error prone.

Suggested Improvement
It'd be great to have a flag on the plugin that would report suppressions that are no longer needed. Then we could remove them more easily.

Other Options Considered
We considered adding an "until" date to each suppression, but we don't want false positives or vulnerabilities that are not applicable to our software to reappear in the future.
We only use "until" when we really have an issue and want to temporarily suppress it to allow builds anyway.
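As an added example (not code from dependency-check or from the reporter), this is the kind of check the request asks for, done outside the plugin in Python: parse the suppression file, compare each rule against the (package URL, CVE) findings the scanner would raise before suppressions apply, and report rules that match nothing or whose `until` date has passed. The suppression XML uses the real dependency-suppression.1.3.xsd layout, but only the `packageUrl` and `cve` selectors are handled; the findings list is constructed for the demo and the fixed audit date in `demo()` is an assumption, since in practice the findings would have to come from a scan run with the suppression file disabled (this snippet does not parse the plugin's report).

```python
import re
import xml.etree.ElementTree as ET
from datetime import date, datetime

# Namespace used by dependency-check suppression files.
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Constructed suppression file (not the reporter's) in the real 1.3 layout.
SUPPRESSIONS_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>False positive: CPE match on the wrong product.</notes>
    <packageUrl regex="true">^pkg:maven/com\.example/widget@.*$</packageUrl>
    <cve>CVE-2000-0001</cve>
  </suppress>
  <suppress until="2021-01-01Z">
    <notes>Temporary: real issue, waiting for the transitive upgrade.</notes>
    <packageUrl>pkg:maven/com.example/legacy@1.2.3</packageUrl>
    <cve>CVE-2000-0002</cve>
  </suppress>
  <suppress>
    <notes>Not applicable: vulnerable code path is never reached.</notes>
    <packageUrl regex="true">^pkg:maven/org\.example/util@.*$</packageUrl>
    <cve>CVE-2000-0003</cve>
  </suppress>
  <suppress>
    <notes>False positive on legacy's CPE.</notes>
    <packageUrl>pkg:maven/com.example/legacy@1.2.3</packageUrl>
    <cve>CVE-2000-0005</cve>
  </suppress>
</suppressions>
"""

# Constructed "current scan": (package URL, CVE) pairs the analyzers would raise
# before suppressions apply. legacy@1.2.3 has been upgraded away, so nothing
# references it any more.
CURRENT_FINDINGS = [
    ("pkg:maven/com.example/widget@2.0.1", "CVE-2000-0001"),
    ("pkg:maven/org.example/util@3.4.0", "CVE-2000-0003"),
    ("pkg:maven/org.example/util@3.4.0", "CVE-2000-0004"),
]


def parse_until(value):
    """until is written as YYYY-MM-DDZ in suppression files; drop the Z."""
    if value is None:
        return None
    return datetime.strptime(value.rstrip("Z"), "%Y-%m-%d").date()


def parse_suppressions(xml_text):
    """Read <suppress> rules; only packageUrl/cve selectors and until are handled."""
    rules = []
    for sup in ET.fromstring(xml_text).findall("s:suppress", NS):
        notes = sup.find("s:notes", NS)
        purl = sup.find("s:packageUrl", NS)
        rules.append({
            "notes": (notes.text or "").strip() if notes is not None else "",
            "purl": purl.text.strip() if purl is not None else None,
            "purl_regex": purl is not None and purl.get("regex") == "true",
            "cves": {c.text.strip() for c in sup.findall("s:cve", NS)},
            "until": parse_until(sup.get("until")),
        })
    return rules


def rule_matches(rule, purl, cve):
    """A rule covers a finding only when every selector it carries matches."""
    if rule["cves"] and cve not in rule["cves"]:
        return False
    if rule["purl"] is None:
        return True
    if rule["purl_regex"]:
        # Regex selectors are anchored patterns in the docs, so require a full match.
        return re.fullmatch(rule["purl"], purl) is not None
    return rule["purl"] == purl


def audit(rules, findings, today):
    """Label each rule active (still matches), expired (until passed) or unused."""
    out = []
    for rule in rules:
        if rule["until"] is not None and rule["until"] < today:
            status = "expired"
        elif any(rule_matches(rule, p, c) for p, c in findings):
            status = "active"
        else:
            status = "unused"
        out.append((status, rule["notes"]))
    return out


def demo(today=date(2022, 6, 1)):
    """Audit the constructed data; the fixed date keeps the result reproducible."""
    rules = parse_suppressions(SUPPRESSIONS_XML)
    return [status for status, _ in audit(rules, CURRENT_FINDINGS, today)]


if __name__ == "__main__":
    for status, notes in audit(parse_suppressions(SUPPRESSIONS_XML), CURRENT_FINDINGS, date.today()):
        if status != "active":
            print(f"{status:8s} {notes}")
```

Only the rules that did not fire are printed, which is the list the reporter wants to review before deleting entries; anything still marked active is a suppression that would let a finding back through if removed.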
