dependency-check-maven - suppression not working

I'm trying to whitelist certain libraries where the risk has been acknowledged - ideally I'd like to do this from inside the pom.xml itself, but it appears this isn't possible.

I've created a simple project with a dependency (H2) which has an outstanding CVE, and dependency-check-maven configured with a suppressions file to ignore that dependecy, using the XML generated from the Dependency-Check-Report

pom.xml:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.me</groupId>
    <artifactId>test</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <build>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>6.5.3</version>
                <configuration>
                    <suppressionFile>path\to\owasp-suppressions.xml</suppressionFile>
                    <failBuildOnCVSS>8</failBuildOnCVSS>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
    <dependencies>
        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
            <version>1.4.200</version>
        </dependency>
    </dependencies>
</project>

owasp-suppressions.xml:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress>
      <notes><![CDATA[
      file name: h2-1.4.200.jar
      ]]></notes>
      <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
      <cpe>cpe:/a:h2database:h2</cpe>
   </suppress>
</suppressions>

But despite this the build still fails:

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  6.703 s
[INFO] Finished at: 2022-01-12T14:26:58Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.3:check (default) on project test: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0': 
[ERROR] 
[ERROR] h2-1.4.200.jar: CVE-2021-23463

Could anyone advise what I've done wrong, please?


Solution 1:

I verified on my machine. When I run your code it fails indeed. Then I use the html output and the "suppress" code generator. However it generates a slightly different code for me than you provided. And with that code it works fine. So maybe a case of tired copy-pasting and then editing and messing with it?

However, this works here for me:

  <suppress>
    <notes>
      <![CDATA[
      file name: h2-1.4.200.jar
      ]]>
    </notes>
    <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
    <vulnerabilityName>CVE-2021-23463</vulnerabilityName>
  </suppress>

Looking at your comment. I investigated a bit more. No suppression gave me 2 identifiers:

  • pkg:maven/com.h2database/[email protected] (Confidence:High)
  • cpe:2.3:a:h2database:h2:1.4.200:::::::* (Confidence:Highest)

Then suppressing by cpe as in your example reduced it and showed only:

That one has no "suppression generation button". I tried by sha, and filePath, but it turns out that does not combine with cpe. It fails to parse the xml.

However we can combine suppression by vulnerability with filePath, that way you can still suppress only the specific jars you want. And maybe even better: supressing the specific CVE in the specific jar. Like so:

  <suppress>
    <notes>
      <![CDATA[
      file name: h2-1.4.200.jar
      ]]>
    </notes>
    <filePath regex="true">.*\/h2database.*\.jar</filePath>
    <vulnerabilityName>CVE-2021-23463</vulnerabilityName>
  </suppress>

NB I removed the packageUrl tag as well, apparently that does not combine either.