support suppression for NPM (and NSP) findings #892

Closed
fuyili opened this issue Sep 21, 2017 · 5 comments
fuyili commented Sep 21, 2017

I know you have mentioned in #714
"NSP findings currently do not support suppressions. I expect this to be an enhancement in the future."

Has this been implemented or can it be implemented soon? Now there is a new vulnerability: https://nodesecurity.io/advisories/525 and no fix yet, and we don't want to block our pipeline and would like to temporarily suppress it.
People using the command line can suppress it by adding a .nsprc file like this:

{
  "exceptions": ["https://nodesecurity.io/advisories/525"]
}

Is there a way to suppress it in Jenkins plugin?

stevespringett (Collaborator) commented

The current suppression format assumes the source is the NVD. This will need to be made more generic to support NSP and future sources of vulnerability data. Additionally, the NSP reporting may need minor tweaks.

The Jenkins plugin supports the same suppression format as any other Dependency-Check plugin. So, no, NSP cannot be suppressed at this time.

v6ak commented Nov 3, 2017

What's the problem with the current suppression format? I guess you can't suppress something without an identifier. The mentioned vulnerability does not have any CVE assigned, so it might be hard. But we could identify them as, say, NODESECURITY-525. The only issue I see with this approach is that ODC currently supports at most one identifier, so you can either use NODESECURITY-xxx for all those vulnerabilities (drawback: you skip CVE even if it is available) or you can use NODESECURITY-xxx only if CVE is not available (drawback: CVE id might be assigned eventually, so reported vulnerability id might change, which might break some suppressions).
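To make the two points above concrete (the .nsprc exceptions list in the first comment, and the identifier question in this one), here is an added example that is not part of dependency-check, NSP, or this thread. It parses an .nsprc-style exceptions list, applies it to a constructed set of findings, and matches a suppression against every identifier a finding carries (the advisory URL, a NODESECURITY-<n> style id derived from it, and a CVE if one exists). The Finding structure, the NODESECURITY-<n> id format, and the sample data are assumptions for illustration only.

```python
"""Illustrative model of suppressing advisories by identifier.

Added example, not project code. The point: if a suppression is checked
against every identifier a finding has, it keeps working when a CVE is
assigned later (the breakage v6ak describes), and stale exceptions that no
longer match anything can be reported for review.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Assumed advisory URL shape, taken from the .nsprc snippet in this thread.
ADVISORY_RE = re.compile(r"^https://nodesecurity\.io/advisories/(\d+)$")


@dataclass
class Finding:
    """A single reported vulnerability (structure is an assumption)."""
    package: str
    advisory_url: str
    cve: Optional[str] = None  # may be assigned after the suppression was written

    def identifiers(self) -> Set[str]:
        """All names this finding can be suppressed by."""
        ids = {self.advisory_url}
        m = ADVISORY_RE.match(self.advisory_url)
        if m:
            # Hypothetical synthetic id, as proposed in the thread.
            ids.add(f"NODESECURITY-{m.group(1)}")
        if self.cve:
            ids.add(self.cve)
        return ids


def load_exceptions(nsprc_text: str) -> Set[str]:
    """Parse the 'exceptions' list of an .nsprc-style JSON document."""
    doc = json.loads(nsprc_text)
    return set(doc.get("exceptions", []))


def apply_suppressions(findings: Iterable[Finding],
                       exceptions: Set[str]) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (reported, suppressed).

    A finding is suppressed when ANY of its identifiers appears in the
    exceptions set, so a CVE assigned after the fact does not un-suppress it.
    """
    reported: List[Finding] = []
    suppressed: List[Finding] = []
    for f in findings:
        (suppressed if f.identifiers() & exceptions else reported).append(f)
    return reported, suppressed


def unused_exceptions(findings: Iterable[Finding], exceptions: Set[str]) -> Set[str]:
    """Exceptions matching no current finding: candidates for cleanup."""
    seen: Set[str] = set()
    for f in findings:
        seen |= f.identifiers()
    return exceptions - seen


# Constructed sample input; the CVE value is a deliberate placeholder.
NSPRC_TEXT = '{"exceptions": ["https://nodesecurity.io/advisories/525"]}'
SAMPLE_FINDINGS = [
    Finding("pkg-a", "https://nodesecurity.io/advisories/525"),
    Finding("pkg-b", "https://nodesecurity.io/advisories/123", cve="CVE-YYYY-NNNN"),
]


def demo() -> dict:
    """Run the sample through the pipeline and summarise by package name."""
    exceptions = load_exceptions(NSPRC_TEXT)
    reported, suppressed = apply_suppressions(SAMPLE_FINDINGS, exceptions)
    return {
        "reported": [f.package for f in reported],
        "suppressed": [f.package for f in suppressed],
        "unused": sorted(unused_exceptions(SAMPLE_FINDINGS, exceptions)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `unused_exceptions` check is the part a pipeline owner usually wants alongside suppression: a temporary exception added to unblock a build should be revisited once the advisory is fixed or re-identified, and listing entries that match nothing makes that visible.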

mvarblow commented
@fuyili mentioned that people using the command line can suppress NSP findings using a .nsprc file. I can't find any mention of this or a reference to it in the source code. Any detail on how this works? Does the .nsprc file have to be placed in a specific folder?

jeremylong (Owner) commented
@mvarblow the .nsprc file is used with the NSP command line tool - not dependency-check. See https://github.com/nodesecurity/nsp.

@stevespringett stevespringett changed the title support suppression for NSP findings support suppression for NPM (and NSP) findings Feb 18, 2019
isaguimiot commented
Hi @jeremylong, any news on this issue? I can't exclude NPM-786 (https://www.npmjs.com/advisories/786) ...
Thank you!
