Friday, April 21, 2023

OWASP Dependency Check plugin suppressions.xml examples

Introduction

One of the features of the OWASP dependency check plugin is to be able to suppress reported vulnerabilities, for example because they are false-positives for your configuration, or no new version is available yet, so you want to suppress the alert for a certain period of time.



Those suppressions you specify in the suppressions.xml file. The format is specified here.

But not all ways of suppressing have examples, especially the case where you just want to exclude a whole set of packages for a given version, e.g. everything of the Spring framework starting with 'spring-', like 'spring-webflux', 'spring-web' etc.

After some trial and error I came up with some additional useful examples.

Solution

Setup

  • Kotlin 1.8.10
  • Gradle
  • Spring Boot 2.7.9
  • failBuildOnCVSS set to 7
  • OWASP plugin versions tested: 7.2.1, 8.0.0

Examples

Reported vulnerabilities as HIGH

  • logback-core-1.3.0.jar
  • logback-classic-1.3.0.jar
Suppressions:
  • <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback-core@1.3.*$</packageUrl>
    logback-core will no longer be shown as HIGH in the report.

  • <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback.*@1.3.*$</packageUrl>
    Neither logback-core nor logback-classic will be reported as vulnerabilities anymore.
Full example of the suppression:

    <suppress until="2023-10-01Z">
        <notes><![CDATA[
        No new version exists yet for any version after this version.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback.*@1.3.*$</packageUrl>
        <vulnerabilityName>CVE-2021-42550</vulnerabilityName>
    </suppress>


Reported vulnerabilities as HIGH

  • spring-webflux-5.3.25.jar
  • spring-messaging-5.3.25.jar
Suppressions:
  • <packageUrl regex="true">^pkg:maven/org\.springframework/spring-.*@5.3.25$</packageUrl>
    Neither of the two will be reported as vulnerabilities anymore.
    Notice the ".*" used!

Full example of the suppression:

    <suppress until="2023-10-01Z">
        <notes><![CDATA[
        No new version exists yet for any version after 5.3.26, which has the same issue.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework/spring-.*@5.3.25$</packageUrl>
        <vulnerabilityName>CVE-2023-20860</vulnerabilityName>
        <vulnerabilityName>CVE-2016-1000027</vulnerabilityName>
    </suppress>

And here are some examples that don't work:
  • <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback-*@1.3.*$</packageUrl>
    Shows both logback-core and logback-classic again in the report.

  • <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback*@1.3.*$</packageUrl>
    Shows both logback-core and logback-classic again in the report.
In both cases the '*' only repeats the single character right before it (the hyphen, or the 'k'), so nothing in the pattern can match the '-core' or '-classic' part of the artifact name; you need '.*' for that.
Another thing to know from here: the vulnerability report can show an issue as MEDIUM while the vulnerability scores an 8.5 in the CVSSv2 ranking and only 6.6 in CVSSv3. So the report seems to take only the CVSSv3 value into account for the Highest Severity level.