
Log when non-base suppressions rules are unused#4709

Merged
aikebah merged 26 commits into main from logUnusedSuppressionRules
Aug 18, 2022

Conversation

@jeremylong
Collaborator

Supersedes #4687

Fixes jeremylong/DependencyCheck#4685

This might be useful to some - a log message has been added when a non-base suppression rule was not used.

@boring-cyborg boring-cyborg Bot added ant changes to ant core changes to core tests test cases labels Jul 27, 2022
@jeremylong jeremylong added this to the 7.1.2 milestone Jul 27, 2022
@jeremylong jeremylong requested a review from aikebah July 27, 2022 11:09
@aikebah
Collaborator

aikebah commented Aug 1, 2022

Need to get my head around the why, but it appears to break the suppression of jeremylong/DependencyCheck@83e0f64

causing integration-test 629 to fail as cbor gets bundled with ion as the CVE is no longer suppressed for ion

@jeremylong
Collaborator Author

I've been off and on looking at this as time permits - I haven't been able to figure out why this PR breaks 629 and does not suppress the CVE for ion...

@aikebah
Collaborator

aikebah commented Aug 10, 2022

I've been off and on looking at this as time permits - I haven't been able to figure out why this PR breaks 629 and does not suppress the CVE for ion...

Added a few pieces of targeted debugging and finally got around the root-cause... the singleton is reused in CPESuppressionAnalyzer and VulnerabilitySuppressionAnalyzer, so rather than 55 CVE suppressions + 3 vulnerabilityName suppressions the VulnerabilitySuppressionAnalyzer runs with the same 508 CPE suppression rules that the CPESuppressionAnalyzer uses

[WARNING] CpeSuppressionAnalyzer with 508 suppressionRules
...
[WARNING] VulnerabilitySuppressionAnalyzer with 508 suppressionRules

The base suppressions have 560 rules, 49 contain only CVEs, 3 only vulnerabilityNames, 502 only CPE and 6 a mixture of CPE and CVE. So out of the 58 rules that VulnerabilitySuppressionAnalyzer should take into account only the 6 that also have CPE suppressions are taken into account.

So filtering out the applicable rules needs to move from rules-loading to suppression processing evaluation or we need separate CPE and vulnerabilitySuppression ruleset singletons.
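A small Python model of the root cause described in the comment above, added here as an illustration and not code from the DependencyCheck project: the `Rule` shape, the `SharedRuleSet` singleton and the rule counts are constructed to mirror the numbers quoted (49 CVE-only, 3 vulnerabilityName-only, 502 CPE-only, 6 CPE+CVE), and the "fixed" variant shows the evaluation-time filtering the comment proposes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    cpes: frozenset = frozenset()
    cves: frozenset = frozenset()
    vuln_names: frozenset = frozenset()

def is_cpe_rule(r):  # rules the CPE suppression analyzer should apply
    return bool(r.cpes)

def is_vuln_rule(r):  # rules the vulnerability suppression analyzer should apply
    return bool(r.cves or r.vuln_names)

def build_base_rules():
    # Constructed rule set mirroring the counts quoted in the comment (560 rules total).
    rules = [Rule(f"cve-{i}", cves=frozenset({f"CVE-2022-{i:04d}"})) for i in range(49)]
    rules += [Rule(f"vn-{i}", vuln_names=frozenset({f"VULN-{i}"})) for i in range(3)]
    rules += [Rule(f"cpe-{i}", cpes=frozenset({f"cpe:/a:vendor:prod{i}"})) for i in range(502)]
    rules += [Rule(f"mix-{i}", cpes=frozenset({f"cpe:/a:vendor:mix{i}"}),
                   cves=frozenset({f"CVE-2021-{i:04d}"})) for i in range(6)]
    return rules

class SharedRuleSet:
    # Models the singleton: whichever analyzer loads first decides the filter for both.
    _instance = None

    @classmethod
    def get(cls, all_rules, keep):
        if cls._instance is None:
            cls._instance = [r for r in all_rules if keep(r)]
        return cls._instance

def rules_seen_buggy(all_rules):
    # Filtering at load time: the CPE analyzer loads first, the vulnerability
    # analyzer then receives the same 508 CPE rules instead of its own 58.
    SharedRuleSet._instance = None
    cpe_view = SharedRuleSet.get(all_rules, is_cpe_rule)
    vuln_view = SharedRuleSet.get(all_rules, is_vuln_rule)
    effective_vuln = sum(1 for r in vuln_view if is_vuln_rule(r))  # only the 6 mixed rules
    return len(cpe_view), len(vuln_view), effective_vuln

def rules_seen_fixed(all_rules):
    # Filtering at evaluation time: the shared set keeps every rule and each
    # analyzer selects the applicable subset when it runs.
    shared = list(all_rules)
    cpe_view = [r for r in shared if is_cpe_rule(r)]
    vuln_view = [r for r in shared if is_vuln_rule(r)]
    return len(cpe_view), len(vuln_view)
```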

jeremylong and others added 16 commits August 17, 2022 06:14
Bumps ossindex-service-client from 1.8.1 to 1.8.2.

---
updated-dependencies:
- dependency-name: org.sonatype.ossindex:ossindex-service-client
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
This extends the existing regex to also cover all Quarkus
Liquibase artifacts. See https://regex101.com/r/2xOJwo/1
for a regex test.

Fixes #4630
Bumps [maven-reporting-api](https://github.com/apache/maven-reporting-api) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/apache/maven-reporting-api/releases)
- [Commits](apache/maven-reporting-api@maven-reporting-api-3.1.0...maven-reporting-api-3.1.1)

---
updated-dependencies:
- dependency-name: org.apache.maven.reporting:maven-reporting-api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [postgresql](https://github.com/pgjdbc/pgjdbc) from 42.4.0 to 42.4.1.
- [Release notes](https://github.com/pgjdbc/pgjdbc/releases)
- [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md)
- [Commits](pgjdbc/pgjdbc@REL42.4.0...REL42.4.1)

---
updated-dependencies:
- dependency-name: org.postgresql:postgresql
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [maven-site-plugin](https://github.com/apache/maven-site-plugin) from 3.12.0 to 3.12.1.
- [Release notes](https://github.com/apache/maven-site-plugin/releases)
- [Commits](apache/maven-site-plugin@maven-site-plugin-3.12.0...maven-site-plugin-3.12.1)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-site-plugin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
yarnAuditAnalyzer cannot be enabled if we don't have yarn.lock is added to mixedLangSet.
@boring-cyborg boring-cyborg Bot added the maven changes to the maven plugin label Aug 17, 2022
Collaborator

@aikebah aikebah left a comment


Looks good, some minor improvements requested

@aikebah aikebah merged commit b4b432a into main Aug 18, 2022
@jeremylong jeremylong deleted the logUnusedSuppressionRules branch August 20, 2022 11:29
@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Dec 21, 2024

Labels

ant changes to ant core changes to core maven changes to the maven plugin tests test cases


Development

Successfully merging this pull request may close these issues.

Identify suppressions that are no longer needed.

6 participants