OWASP Dependency check, how to use suppressions

Asked 1/10, 2021 at 10:54 Answered 12/9, 2023 at 10:3

Solved java security continuous-integration owasp suppression

I have a build in CI failing on a the OWASP dependency check. For example

[HIGH] CVE-2021-37136 - io.netty:netty-codec-4.1.66.Final

I understand I can add a suppression in owaspDependencyCheckSuppressions.xml to fix this.

It's something I haven't done before, but there is a guide here - https://jeremylong.github.io/DependencyCheck/general/suppression.html which says ...

"Suppressing these false positives is fairly easy using the HTML report. In the report next to each CPE identified (and on CVE entries) there is a suppress button. Clicking the suppression button will create a dialogue box which you can simple hit Control-C to copy the XML that you would place into a suppression XML file"

I have 2 questions

#1 Do you know where I can find this HTML report? I thought it might be linked in CI (I'm using Circle CI), but I can't spot it there :(

#2 An example suppression is given in the guide

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress>
      <notes><![CDATA[
      file name: some.jar
      ]]></notes>
      <sha1>66734244CE86857018B023A8C56AE0635C56B6A1</sha1>
      <cpe>cpe:/a:apache:struts:2.0.0</cpe>
   </suppress>
</suppressions>

The guide goes on to say

"The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash."

What is meant by "any file"? Does this mean any Java class which uses the dependency?

Thanks :)

Chili answered 1/10, 2021 at 10:54 Comment(0)

Below answer is based on gradle OWASP plugin version 7.4.4.

Below in my build.gradle

id "org.owasp.dependencycheck" version "7.4.4"

And below is the task configuration

dependencyCheck {
    formats = ['xml','json']
    failBuildOnCVSS = 8
    failOnError = true
    suppressionFile = 'config/dependency-check/suppressions.xml'
    check.dependsOn(dependencyCheckAnalyze)
}

And as you see we have provided a path to suppressionFile where we can define the suppression for vulnerabilities.

So, in my case our sonar build was failing due to

Filename: spring-security-oauth2-client-5.6.3.jar | Reference: CVE-2022-22978 | CVSS Score: 9.8

Filename: snakeyaml-1.33.jar | Reference: CVE-2022-1471 | CVSS Score: 9.8

So, I have added them in Suppression.xml and my file looks like below

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress until="2023-06-01Z">
        <notes><![CDATA[
        This suppresses a CVE from SnakeYaml as it needs to wait until SpringBoot 3 upgrade
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
        <vulnerabilityName>CVE-2022-1471</vulnerabilityName>
    </suppress>
    <suppress until="2023-06-01Z">
        <notes><![CDATA[
        This suppresses a CVE from OAuth Client as it needs to wait until SpringBoot 3 upgrade
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-oauth2\-client@.*$</packageUrl>
        <vulnerabilityName>CVE-2022-22978</vulnerabilityName>
    </suppress>
</suppressions>

I recommend to use until="2023-06-01Z" so you don't suppress them forever.

Vulnerabilities can be suppressed in number of different combinations. So, please refer https://jeremylong.github.io/DependencyCheck/general/suppression.html and decide which option suits your requirement.

Mopes answered 15/3, 2023 at 14:48 Comment(2)

What is the meaning of the ´@´ in the packageUrl? I can't find a description. – Treacle 7/2 at 13:2

@Treacle If you want to suppress dependency in a particular version of jar you use @ followed by the version or .* Or simply just use snakeyaml.* – Mopes 8/2 at 9:25

#1 Click on the 'artifacts' tab on the OWASP dependency check task in CI and the html report is there.

#2 'File' in this context means the file inside the jar that is warranting the dependency issue. It will be given to you in the html report.

Chili answered 2/10, 2021 at 21:10 Comment(1)

The failure can also be suppressed by adding the failing test name to .trivyignore eg/CVE-2021-37136 – Chili 4/10, 2021 at 9:24

You can use Dependency Shield that streamlines management of the false positives.

Residentiary answered 22/5, 2023 at 15:12 Comment(0)

If you are looking for how to suppress from Jenkins job using the dependency check plug in, use --suppression <path to suppression file> in additionalArgumentsalong with the dependencycheck script.

steps{
       dependencycheck additionalArguments: "--suppression owasp-suppression.xml --noupdate  --disableAssembly --disableRetireJS --scan ./target/*.jar", odcInstallation: 'slave'
     }

Eavesdrop answered 12/9, 2023 at 10:3 Comment(0)

Recommended topics

Hot tags