Suppression with only filePath doesn't filter matches

[astellingwerf]

A suppression can be specified by just a filePath element. The XSD doesn't require any of the cpe, cve, cwe or cvssBelow elements. If such a rule is specified, I would expect the file to be ignored, but the implementation is not so. It turns out, the implementation does expect at least one of the for elements, or the suppression will not have any effect.

Example:

<suppressions xmlns='https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression'>
  <suppress>
    <notes><![CDATA[Excluding all the jars in axis2.zip]]></notes>
    <filePath regex='true'>^.*\\axis2.zip\\WEB-INF\\lib\\.*$</filePath>
  </suppress>
</suppressions>

[jeremylong]

Apparently I need to update the schema. The intent is that you would always be suppressing a specific CPE or CVE. As such, you could add the following node to get the expected functionality:

        <cpe regex="true">.*</cpe>

[jeremylong]

An updated schema has been created/published and will be used in the next release (1.3.7). The updated schema makes it clear that you must include at least one CPE, CVE, CWE, or CVSSBelow Node.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.