Suppression list to show CVEs that have been found but suppressed #7573
Comments
The suppressed findings are in the HTML report (and maybe the XML/JSON; I'd have to double check, but I know they are in the HTML). There is a section that is hidden.

I didn't know about an HTML report. We run the plugin in Jenkins through mvn org.owasp:dependency-check-maven:check. Is there a way to get the -f HTML into that?

@bodhi-one The HTML report is created by default for the Maven plugin. If you don't have it in your case, then most likely the plugin configuration has been modified to not create it. So you'd have to add the HTML format to the formats configured.

Ok, we had set json in the parent pom.xml for the owasp plugin. When I remove that, I do start seeing dependency-check-report.html files in the target directory of the project which Jenkins had used Maven to build. This is good. But in that report I don't see any list of suppressed CVEs (I need to run more projects). My main question now is: do we know how this dependency-check-report.html can (if even possible) be output in the Jenkins UI where the Dependency-Check icon is on the left side navigation panel? It seems to show a completely different output. I guess what I'd really like to see is that any suppressed CVEs that are found in the current project are also output during that long section in here:
12:51:58 [INFO] Suppression Rule had zero matches: SuppressionRule{cve={https://github.com/advisories/GHSA-84q7-p226-4x5w,}}
Would that be an enhancement?
ok, now seeing that changing the format to xml makes the information for Dependency in Jenkins appear. |
Would still like to see suppressed dependencies in the text output of the plugin. Should I create an enhancement request? |
I'd suggest leaving the JSON report in the parent pom (it's likely to be consumed by some post-processing in your builds), and adding the HTML report:
...
<configuration>
...
<formats>JSON,HTML</formats>
</configuration>
...

I don't know whether the DependencyCheck icon in the Jenkins sidebar is from the Jenkins plugin (which is not maintained in this repo, but has the references to its issue tracker and GitHub repo listed at https://plugins.jenkins.io/dependency-check-jenkins-plugin/) or whether it is your own organisation's local sidebar link. On the main page of the Jenkins plugin I don't see any hint regarding a DependencyCheck link in the sidebar, so it might also be something specific to your organisation.

The HTML report contains JavaScript, so it will not properly render directly from the Jenkins workspace (due to Jenkins' security measure of a strict Content-Security-Policy not allowing the inline JavaScript of the report to execute); you'd have to download it from there to your local system to be able to expand the Suppressed vulnerabilities section.

You could also look at the JSON report; it also contains the suppressed vulnerabilities (as do the XML and JUnit reports). In the JSON report you find it in a property, in the XML report in an element, and in the JUnit report as a 'skipped testcase' in the 'testsuite' representing the vulnerable dependency.
Is there a configuration option to have the plugin show which CVEs it found but that have been suppressed? This would be really useful for those looking to remove old suppressions.
The output we get always (AFAIK) only has suppressions not found.
12:51:58 [INFO] Suppression Rule had zero matches: SuppressionRule{cve={CVE-2017-7656,}}
12:51:58 [INFO] Suppression Rule had zero matches: SuppressionRule{cve={CVE-2017-9735,}}
12:51:58 [INFO] Suppression Rule had zero matches: SuppressionRule{cve={CVE-2019-10241,}}