fix(fp): correct validator:validator and pkg:maven/co.elastic.apm/.* hosted suppressions #8525
Merged
nhumblot merged 2 commits on May 22, 2026
Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Contributor
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Updates generated suppression rules by simplifying package URL regex patterns in generatedSuppressions.xml to broaden/adjust matching for known false positives.
Changes:
- Modified Maven packageUrl suppression regex for co.elastic.apm.
- Modified generic packageUrl suppression regex with a negative lookahead exception list.
Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Collaborator
Author
@jeremylong @nhumblot can one of you please take a look at this? These couple of regressions are still getting multiple comments and FP reports coming in.
nhumblot approved these changes on May 22, 2026
| ]]></notes> | ||
| <packageUrl regex="true">^pkg:nuget/Microsoft\.AspNet\.TelemetryCorrelation@.*$</packageUrl> | ||
| <cpe regex="true">cpe:/a:microsoft:asp.net(:.*)?$</cpe> | ||
| <cpe regex="true">cpe:/a:microsoft:asp\.net(:.*)?$</cpe> |
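Review bot: The only substantive change in this hunk is the escaped dot in the `<cpe>` line, `cpe:/a:microsoft:asp\.net(:.*)?$`; in the removed form the unescaped `.` in `asp.net` is a regex wildcard matching any single character, so the escaped form is the exact product match the suppression intends. The `<packageUrl>` line above it is unchanged context, consistent with the stated goal of touching only `<cpe>` rules in this file.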
Collaborator
Author
Yeah sorry for not highlighting this as clearly.
| FP per issues #3876, #7998 | ||
| ]]></notes> | ||
| <packageUrl regex="true">^pkg:maven/co\.elastic\.apm/(:.*)?$</packageUrl> | ||
| <packageUrl regex="true">^pkg:maven/co\.elastic\.apm/.*</packageUrl> |
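Review bot: The removed pattern `^pkg:maven/co\.elastic\.apm/(:.*)?$` can never match a real Maven purl: after `co.elastic.apm/` it only permits an optional `:`-prefixed suffix followed by end-of-string, so a purl of the shape `pkg:maven/co.elastic.apm/<artifact>@<version>` fails to match and the suppression silently stopped applying, which is consistent with the FP reports cited in the notes (#3876, #7998). The replacement `^pkg:maven/co\.elastic\.apm/.*` restores matching for every artifact in that group; the missing trailing `$` is harmless because `.*` consumes the remainder of the string. Worth confirming that group-wide scope is intended, since neighbouring entries in this file scope to a single artifact with an `artifact@.*$` suffix.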
| ]]></notes> | ||
| <packageUrl regex="true">^pkg:maven/org\.eclipse\.core/org\.eclipse\.core\.expressions@.*$</packageUrl> | ||
| <cpe regex="true">cpe:/a:eclipse:org.eclipse.core.runtime(:.*)?$</cpe> | ||
| <cpe regex="true">cpe:/a:eclipse:org\.eclipse\.core\.runtime(:.*)?$</cpe> |
| ]]></notes> | ||
| <packageUrl regex="true">^pkg:maven/org\.spdx/spdx-java-model-2_X@.*$</packageUrl> | ||
| <cpe regex="true">cpe:/a:x.org:x.org(:.*)?$</cpe> | ||
| <cpe regex="true">cpe:/a:x\.org:x\.org(:.*)?$</cpe> |
| FP per issue #8243, #8244, #8247, #8249 | ||
| ]]></notes> | ||
| <packageUrl regex="true">^pkg:(?!maven/nu\.validator/validator@|npm/vnu-jar)(:.*)?$</packageUrl> | ||
| <packageUrl regex="true">^pkg:(?!maven/nu\.validator/validator@|npm/vnu-jar).*</packageUrl> |
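Review bot: The removed catch-all pattern `^pkg:(?!maven/nu\.validator/validator@|npm/vnu-jar)(:.*)?$` could only ever match the literal string `pkg:` or `pkg:` followed by a `:`-prefixed suffix, so it matched no real purl and the suppression for everything except the validator packages was effectively disabled. The replacement `^pkg:(?!maven/nu\.validator/validator@|npm/vnu-jar).*` matches every purl whose type/namespace/name does not begin with one of the two lookahead alternatives, which is the intended exception list. One asymmetry to check: `maven/nu\.validator/validator@` ends with `@`, so only that exact artifact is exempted, whereas `npm/vnu-jar` has no terminator and also exempts any npm package whose name merely begins with `vnu-jar`; if that is not intended, `npm/vnu-jar@` would make the two alternatives consistent.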
Merged commit 1227b8e into dependency-check:generatedSuppressions. 2 checks passed.
Collaborator
Author
Thank you sir 🫡
Description of Change
Another minor regression due to #8522. I was sure I had sanity checked the diff hunks to make sure only <cpe> lines were changed when converting to regex. Obviously messed something up.
This reverts the package URL matchers to how they were before being accidentally changed, and corrects a few regex .-escaping nitpicks.
Related issues
Have test cases been added to cover the new functionality?
This time I have git diffed to before all these changes to double-check only intended <cpe> rules have a delta with before.