
Add 'suppress until' config to temporarily suppress a vulnerability #1145

Closed
siladu opened this Issue Mar 22, 2018 · 4 comments

@siladu

siladu commented Mar 22, 2018

In a situation where we know a dependency vulnerability fix is incoming, it would be nice to not have to remember to un-suppress it.

For example, CVE-2018-7489 is fixed: FasterXML/jackson-databind#1931
but awaiting release: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.5

Example

Proposed new config, added to re-enable warnings after a specified date: <until>2018-04-01</until>

    <suppress>
        <notes><![CDATA[
        file name: jackson-databind-2.9.4.jar
        ]]></notes>
        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
        <cve>CVE-2018-7489</cve>
        <until>2018-04-01</until>
    </suppress>

Similar to https://github.com/unruly/junit-rules/blob/master/README.md#ignore-tests-until-a-certain-date-or-datetime
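
The rule evaluation the proposal implies, as an added example that is not part of the original issue and not Dependency-Check's own code: it parses a suppression file in the issue's proposed shape (a `<until>` child element; the released Dependency-Check schema later expressed this as an attribute on `<suppress>`, so treat the element form as this example's assumption), matches a finding given as a `gav` coordinate plus CVE id against each rule, and treats the rule as inert once `today` is past the `until` date so the warning comes back by itself. The sample XML, the second `org.example` rule and the `expired_rules` housekeeping helper are constructed for the example.

```python
"""Added example, not Dependency-Check code: evaluate <suppress> rules with
an expiring <until> date against a (gav, cve) finding.

Assumptions (not from the original issue): <until> is a child element
holding an ISO-8601 calendar date, and a rule stays active through that
date inclusive, so warnings reappear from the following day.
"""
import re
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample suppression file in the issue's proposed form.
# The first rule is the one from the issue; the second is a permanent,
# exact-coordinate rule added here to show the no-<until> path.
SUPPRESSIONS_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions>
    <suppress>
        <notes><![CDATA[
        file name: jackson-databind-2.9.4.jar
        ]]></notes>
        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
        <cve>CVE-2018-7489</cve>
        <until>2018-04-01</until>
    </suppress>
    <suppress>
        <notes><![CDATA[ constructed: permanent rule, exact coordinate ]]></notes>
        <gav>org.example:other-lib:1.0</gav>
        <cve>CVE-2018-7489</cve>
    </suppress>
</suppressions>
"""


def parse_suppressions(xml_text):
    """Return a list of rule dicts; a missing <until> means 'never expires'."""
    root = ET.fromstring(xml_text)
    rules = []
    for s in root.findall("suppress"):
        gav_el = s.find("gav")
        until_el = s.find("until")
        rules.append({
            "notes": (s.findtext("notes") or "").strip(),
            "gav": gav_el.text.strip() if gav_el is not None else None,
            "gav_regex": gav_el is not None
                         and gav_el.get("regex", "false").lower() == "true",
            "cve": (s.findtext("cve") or "").strip() or None,
            "until": (date.fromisoformat(until_el.text.strip())
                      if until_el is not None else None),
        })
    return rules


def gav_matches(rule, gav):
    """A rule without <gav> applies to any coordinate; regex rules must
    match the whole coordinate, exact rules must be equal."""
    if rule["gav"] is None:
        return True
    if rule["gav_regex"]:
        return re.fullmatch(rule["gav"], gav) is not None
    return rule["gav"] == gav


def rule_active(rule, today):
    """Expired <until> makes the rule inert, so the finding is reported again."""
    return rule["until"] is None or today <= rule["until"]


def is_suppressed(rules, gav, cve, today):
    """True if any active rule matches both the CVE and the coordinate."""
    for rule in rules:
        if rule["cve"] is not None and rule["cve"] != cve:
            continue
        if not gav_matches(rule, gav):
            continue
        if not rule_active(rule, today):
            continue
        return True
    return False


def expired_rules(rules, today):
    """Housekeeping: rules whose <until> has passed and can be deleted."""
    return [r for r in rules if r["until"] is not None and today > r["until"]]


if __name__ == "__main__":
    rules = parse_suppressions(SUPPRESSIONS_XML)
    gav = "com.fasterxml.jackson.core:jackson-databind:2.9.4"
    for day in (date(2018, 3, 22), date(2018, 4, 1), date(2018, 4, 2)):
        print(day, "suppressed:", is_suppressed(rules, gav, "CVE-2018-7489", day))
    for r in expired_rules(rules, date(2018, 4, 2)):
        print("expired rule:", r["cve"], r["notes"])
```

Running the expiry check on the scan date rather than at file-edit time is the point: the rule needs no manual un-suppression, and the `expired_rules` report gives the team a list of stale entries to delete once the fixed jackson-databind release is in.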

@jeremylong


Owner

jeremylong commented Mar 24, 2018

Interesting idea - thanks for the suggestion. It may take us a while to get to this - but PRs are always welcome.

@aikebah


Contributor

aikebah commented Mar 25, 2018

@jeremylong I'm willing to give this a try... I'll try to come up with a PR for this.

aikebah added a commit to aikebah/DependencyCheck that referenced this issue Mar 25, 2018

aikebah added a commit to aikebah/DependencyCheck that referenced this issue Apr 8, 2018

aikebah added a commit to aikebah/DependencyCheck that referenced this issue Apr 8, 2018

jeremylong added a commit that referenced this issue Apr 8, 2018

@jeremylong


Owner

jeremylong commented Apr 8, 2018

Note - we still need to update the documentation on this feature. Regardless - thanks for the PR!

@lock


lock bot commented Sep 27, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Sep 27, 2018
