Only do this if you are sure the CVE is a false positive and is no risk to the organisation!
You might want to use one of these resources to decide the severity of the CVE and what action to take:
- https://nvd.nist.gov/vuln
- https://www.cve.org
- https://cve.mitre.org
- https://ossindex.sonatype.org/
- https://ossindex.sonatype.org/vulnerability/CVE-2022-31159
- https://owasp.org/www-project-dependency-check/
Also, this page contains a full explanation of how to suppress false positives; here is a summary:
- Run the OWASP Maven goal: run this for your project; it should fail:

  ```
  mvn dependency-check:check
  ```

- Although it will have failed, it will have generated a report in the target folder of the project: `target/dependency-check-report.html`.
- Open the HTML report.
- Copy the XML snippet: the XML snippet can be found by clicking the (1) suppress button next to the CVE in the report. A dialog opens; use (2) Control-C to copy the snippet.
- Here is another example of an XML snippet:

  ```xml
  <suppress>
    <notes><![CDATA[
    file name: woodstox-core-6.5.1.jar
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.sun\.xml\.bind\.jaxb/isorelax@.*$</packageUrl>
    <cve>CVE-2023-34411</cve>
  </suppress>
  ```

- Open the suppressions XML file: edit this file: `src/main/resources/owasp-suppressions.xml`.
- Paste the snippet: the XML snippet can be pasted at the end of the file, before the `</suppressions>` end tag.
- Update pom.xml versions: you need to make 3 changes.
  - Update this project's version by editing the pom.xml and increasing the `<version>` tag accordingly.
  - In snomed-parent-bom's pom.xml find the `<snomed-parent-owasp.version>` tag near the top of the file, and set the version to the same as you used in the previous step.
  - Optional: while editing the snomed-parent-bom's pom.xml, also increase its `<version>`.
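Before committing an edited suppressions file it is worth checking that it still parses (a snippet pasted after the `</suppressions>` end tag breaks the whole file) and that no entry is wider than one CVE on one dependency. The following lint is an added example, not part of this page or of the snomed projects; it assumes the standard Dependency-Check suppression element names (`suppress`, `notes`, `packageUrl`, `gav`, `filePath`, `sha1`, `cve`, `cpe`, `vulnerabilityName`, the `until` attribute) and is run over a constructed sample that embeds the snippet shown above plus a deliberately over-broad entry.

```python
import xml.etree.ElementTree as ET

# Child elements that scope a suppression to particular dependencies; a
# <suppress> with none of them applies to every dependency in the build.
SCOPE_TAGS = ("packageUrl", "gav", "filePath", "sha1")
# Child elements that narrow the suppression to particular findings.
FINDING_TAGS = ("cve", "cpe", "vulnerabilityName")
CATCH_ALL = (".*", "^.*$", "^.*", ".*$")

def _local(tag):
    """Strip the XML namespace so namespaced and plain files lint alike."""
    return tag.rsplit("}", 1)[-1]

def is_well_formed(xml_text):
    """False when the file will not parse, e.g. a snippet pasted after </suppressions>."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def lint_suppressions(xml_text):
    """Return (index, message) tuples for <suppress> entries that lack a
    justification or are wider than one finding on one dependency."""
    root = ET.fromstring(xml_text)
    findings = []
    for i, sup in enumerate(c for c in root if _local(c.tag) == "suppress"):
        kids = {_local(c.tag): c for c in sup}
        text = lambda t: (kids[t].text or "").strip() if t in kids else ""
        if not text("notes"):
            findings.append((i, "no <notes>: record why this is a false positive"))
        scope = [t for t in SCOPE_TAGS if t in kids]
        if not scope:
            findings.append((i, "no packageUrl/gav/filePath/sha1: applies to every dependency"))
        for t in scope:  # a regex such as .* silently widens the scope to everything
            if kids[t].get("regex") == "true" and text(t) in CATCH_ALL:
                findings.append((i, f"<{t}> regex matches every dependency"))
        if not any(t in kids for t in FINDING_TAGS):
            findings.append((i, "no cve/cpe/vulnerabilityName: hides every finding for the dependency"))
        if sup.get("until") is None:
            findings.append((i, "no until= attribute: suppression never expires"))
    return findings

# Constructed sample (not a real project file): the page's snippet plus an over-broad entry.
SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[ file name: woodstox-core-6.5.1.jar ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.sun\.xml\.bind\.jaxb/isorelax@.*$</packageUrl>
    <cve>CVE-2023-34411</cve>
  </suppress>
  <suppress><packageUrl regex="true">.*</packageUrl></suppress>
</suppressions>
"""

if __name__ == "__main__":
    for idx, msg in lint_suppressions(SAMPLE):
        print(f"suppress[{idx}]: {msg}")
```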