support suppression for NPM (and NSP) findings #892
Comments
The current suppression format assumes the source is the NVD. This will need to be made more generic to support NSP and future sources of vulnerability data. Additionally, the NSP reporting may need minor tweaks. The Jenkins plugin supports the same suppression format as any other Dependency-Check plugin. So, no, NSP cannot be suppressed at this time.
What's the problem with the current suppression format? I guess you can't suppress something without an identifier. The mentioned vulnerability does not have any CVE assigned, so it might be hard. But we could identify them as, say, NODESECURITY-525. The only issue I see with this approach is that ODC currently supports at most one identifier, so you can either use NODESECURITY-xxx for all those vulnerabilities (drawback: you skip CVE even if it is available) or you can use NODESECURITY-xxx only if CVE is not available (drawback: CVE id might be assigned eventually, so reported vulnerability id might change, which might break some suppressions).
@fuyili mentioned that people using the command line can suppress NSP findings using a .nsprc file. I can't find any mention of this or a reference to it in the source code. Any detail on how this works? Does the .nsprc file have to be placed in a specific folder?
@mvarblow the
Hi @jeremylong, any news on this issue? I can't exclude NPM-786 (https://www.npmjs.com/advisories/786) ...
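The comment above weighs two single-identifier schemes (NODESECURITY-xxx for everything, or NODESECURITY-xxx only until a CVE exists) and notes that a suppression can silently stop applying when the reported id changes. The following is an added example, not Dependency-Check's code and not posted by any participant in this thread: it models the alternative of keeping every identifier a finding is known by and matching suppression rules against that whole set, and it reports rules that matched nothing so that a suppression which has stopped applying is noticed. The data model (`Finding`, `Suppression`), the identifier patterns, the package names and the CVE values are all constructed for the example.

```python
"""Source-aware suppression matching (hypothetical model, not ODC's format)."""
from dataclasses import dataclass
from typing import Optional
import re

# Identifier syntax per vulnerability source. Constructed for this example;
# a real implementation would take these from each data source's definition.
IDENTIFIER_PATTERNS = {
    "NVD": re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "NSP": re.compile(r"^NODESECURITY-\d+$"),
}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    identifiers: frozenset  # every id the finding is known by, across sources


@dataclass(frozen=True)
class Suppression:
    identifier: str                  # a single id from any supported source
    package: Optional[str] = None    # optional: only suppress for this package
    notes: str = ""


def identifier_source(identifier: str) -> str:
    """Classify an identifier by source, rejecting formats no source defines."""
    for source, pattern in IDENTIFIER_PATTERNS.items():
        if pattern.match(identifier):
            return source
    raise ValueError(f"unrecognised identifier format: {identifier!r}")


def matching_rule(finding: Finding, suppressions) -> Optional[Suppression]:
    """Return the first rule whose id is among the finding's ids, else None."""
    for rule in suppressions:
        identifier_source(rule.identifier)  # malformed rules fail loudly
        if rule.identifier not in finding.identifiers:
            continue
        if rule.package is not None and rule.package != finding.package:
            continue
        return rule
    return None


def apply_suppressions(findings, suppressions):
    """Split findings into reported / suppressed and list rules that matched nothing."""
    reported, suppressed, used = [], [], set()
    for finding in findings:
        rule = matching_rule(finding, suppressions)
        if rule is None:
            reported.append(finding)
        else:
            suppressed.append(finding)
            used.add(rule)
    unused = [rule for rule in suppressions if rule not in used]
    return reported, suppressed, unused


# Constructed scan results: the same advisory before and after a CVE is assigned.
# "CVE-0000-0000" / "CVE-0000-0001" are placeholders, not real CVE ids.
SCAN_BEFORE_CVE = [
    Finding("example-pkg", "1.0.0", frozenset({"NODESECURITY-525"})),
    Finding("other-pkg", "2.3.4", frozenset({"CVE-0000-0001"})),
]
SCAN_AFTER_CVE = [
    Finding("example-pkg", "1.0.0", frozenset({"NODESECURITY-525", "CVE-0000-0000"})),
    Finding("other-pkg", "2.3.4", frozenset({"CVE-0000-0001"})),
]
SUPPRESSIONS = [
    Suppression("NODESECURITY-525", package="example-pkg", notes="no upstream fix yet"),
    Suppression("CVE-0000-0002", notes="stale: package removed from the build"),
]

if __name__ == "__main__":
    for label, scan in (("before CVE", SCAN_BEFORE_CVE), ("after CVE", SCAN_AFTER_CVE)):
        reported, suppressed, unused = apply_suppressions(scan, SUPPRESSIONS)
        print(label, "reported:", [f.package for f in reported],
              "suppressed:", [f.package for f in suppressed],
              "unused rules:", [r.identifier for r in unused])
```

Because the rule is matched against the finding's full identifier set, the NODESECURITY-525 suppression keeps applying after the CVE is assigned, and the stale CVE-0000-0002 rule shows up as unused in both runs, which is the signal a build should surface rather than ignore.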
I know you have mentioned in #714
"NSP findings currently do not support suppressions. I expect this to be an enhancement in the future."
Has this been implemented, or can it be implemented soon? Now there is a new vulnerability: https://nodesecurity.io/advisories/525 and no fix yet, and we don't want to block our pipeline and would like to temporarily suppress it.
People using the command line can suppress it by adding a .nsprc file like this:
Is there a way to suppress it in Jenkins plugin?