
Enhance Suppression Analyzer to suppress based on GAV #124

Closed
colezlaw opened this Issue May 13, 2014 · 2 comments

@colezlaw
Contributor

colezlaw commented May 13, 2014

In a lot of cases, GAV will be more accurate than some of the other types of analysis we do, and could be more broad than a single SHA1, yet more accurate than a filePath regex. Would be nice to be able to use GAV criteria in suppressions.

To get to this point, it might be helpful if the POM analyzer included the GAV as an identifier. Right now, only the Nexus analyzer produces a GAV identifier.


Owner

jeremylong commented May 13, 2014

Good idea. For implementation I'd suggest we make the Jar Analyzer add the GAV as an identifier (not hyper-linked, and of low confidence) and then, if the Nexus analyzer finds the same GAV, we just update the GAV (adding the hyperlink and upping the confidence).

Owner

jeremylong commented May 14, 2014

The patch for the JarAnalyzer and NexusAnalyzer has been completed. Still need to update the suppression.xsd and make it possible to suppress based on a GAV. This will likely be done as part of the update for issue #123, as the schema will need to be updated slightly to support this change too.

jeremylong added a commit that referenced this issue Jun 22, 2014

added support for suppression by GAV (issue #124), created base suppression.xml (issue #123), and fixed false positives related to spring security (issue #130)

@jeremylong jeremylong closed this Jun 22, 2014
