updated to support suppression file configuration

Former-commit-id: 0b6737e1f764c0bdf09d989edbd1c6258b437836
Jeremy Long
2013-11-30 18:12:43 -05:00
parent 6a9308b514
commit 1a0bd89c9d
4 changed files with 60 additions and 5 deletions


@@ -323,7 +323,6 @@ public class DependencyCheckTask extends Task {
public void setProxyPort(String proxyPort) {
this.proxyPort = proxyPort;
}
/**
* The Proxy username.
*/
@@ -346,7 +345,6 @@ public class DependencyCheckTask extends Task {
public void setProxyUsername(String proxyUsername) {
this.proxyUsername = proxyUsername;
}
/**
* The Proxy password.
*/
@@ -369,7 +367,6 @@ public class DependencyCheckTask extends Task {
public void setProxyPassword(String proxyPassword) {
this.proxyPassword = proxyPassword;
}
/**
* The Connection Timeout.
*/
@@ -414,6 +411,28 @@ public class DependencyCheckTask extends Task {
public void setLogFile(String logFile) {
this.logFile = logFile;
}
/**
* The path to the suppression file.
*/
private String suppressionFile;
/**
* Get the value of suppressionFile.
*
* @return the value of suppressionFile
*/
public String getSuppressionFile() {
return suppressionFile;
}
/**
* Set the value of suppressionFile.
*
* @param suppressionFile new value of suppressionFile
*/
public void setSuppressionFile(String suppressionFile) {
this.suppressionFile = suppressionFile;
}
@Override
public void execute() throws BuildException {
@@ -515,6 +534,9 @@ public class DependencyCheckTask extends Task {
if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
}
if (suppressionFile != null && !suppressionFile.isEmpty()) {
Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
}
}
/**
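Review bot: The new block that copies `suppressionFile` into `Settings.KEYS.SUPPRESSION_FILE` accepts any non-empty string, without checking that it names a readable file and without recording which file is in effect. Because this file removes findings from the report, the build output should show when one is applied; consider `log("Using suppression file: " + suppressionFile);` inside the `if`. If the loader downstream does not already fail on a missing file (not visible on this page), also raise a `BuildException` when `!new File(suppressionFile).isFile()`. The same block is repeated in `App.updateSettings` and deserves the same treatment. The enclosing method starts outside the hunk.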


@@ -29,6 +29,7 @@ FailBuildOn | If set and a CVE is found that is greater then the speci
AutoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. The default value is true. | Optional
DataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional
LogFile | The file path to write verbose logging information. | Optional
SuppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide false positives. | Optional
ProxyUrl | Defines the proxy used to connect to the Internet. | Optional
ProxyPort | Defines the port for the proxy. | Optional
ProxyUsername | Defines the proxy user name. | Optional


@@ -99,7 +99,7 @@ public class App {
} else if (cli.isRunScan()) {
updateSettings(cli.isAutoUpdate(), cli.getConnectionTimeout(), cli.getProxyUrl(),
cli.getProxyPort(), cli.getProxyUsername(), cli.getProxyPassword(),
cli.getDataDirectory(), cli.getPropertiesFile());
cli.getDataDirectory(), cli.getPropertiesFile(), cli.getSuppressionFile());
runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
} else {
cli.printHelp();
@@ -147,11 +147,15 @@ public class App {
* @param proxyUrl the proxy url (null or blank means no proxy will be used)
* @param proxyPort the proxy port (null or blank means no port will be
* used)
* @param proxyUser the proxy user name
* @param proxyPass the password for the proxy
* @param dataDirectory the directory to store/retrieve persistent data from
* @param propertiesFile the properties file to utilize
* @param suppressionFile the path to the suppression file
*/
private void updateSettings(boolean autoUpdate, String connectionTimeout, String proxyUrl, String proxyPort,
String proxyUser, String proxyPass, String dataDirectory, File propertiesFile) {
String proxyUser, String proxyPass, String dataDirectory, File propertiesFile,
String suppressionFile) {
if (propertiesFile != null) {
try {
@@ -194,5 +198,8 @@ public class App {
if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
}
if (suppressionFile != null && !suppressionFile.isEmpty()) {
Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
}
}
}
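Review bot: `updateSettings` now takes nine positional arguments, seven of them `String`, so the call in the `isRunScan()` branch can swap two values and still compile. `suppressionFile` is passed as a `String` while `propertiesFile`, right before it, is a `File`; declaring `File suppressionFile` would match and would let the method check the file before writing the setting. The Javadoc line could state the contract, for example `@param suppressionFile the path to the XML file listing findings to suppress (null or empty means none)`. The method body continues outside the hunks shown.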


@@ -207,6 +207,11 @@ public final class CliParser {
.withDescription("The file path to write verbose logging information.")
.create(ArgumentName.VERBOSE_LOG_SHORT);
final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.SUPPRESION_FILE)
.withDescription("The file path to the suppression XML file.")
.create(ArgumentName.SUPPRESION_FILE_SHORT);
final OptionGroup og = new OptionGroup();
og.addOption(path);
@@ -221,6 +226,7 @@ public final class CliParser {
opts.addOption(props);
opts.addOption(data);
opts.addOption(verboseLog);
opts.addOption(suppressionFile);
opts.addOption(proxyPort);
opts.addOption(proxyUrl);
opts.addOption(proxyUsername);
@@ -389,6 +395,15 @@ public final class CliParser {
return line.getOptionValue(ArgumentName.VERBOSE_LOG);
}
/**
* Returns the path to the suppression file.
*
* @return the path to the suppression file
*/
public String getSuppressionFile() {
return line.getOptionValue(ArgumentName.SUPPRESION_FILE);
}
/**
* <p>Prints the manifest information to standard output.</p>
* <ul><li>Implementation-Title: ${pom.name}</li>
@@ -549,5 +564,15 @@ public final class CliParser {
* directory.
*/
public static final String VERBOSE_LOG_SHORT = "l";
/**
* The CLI argument name for setting the location of the suppression
* file.
*/
public static final String SUPPRESION_FILE = "suppression";
/**
* The short CLI argument name for setting the location of the
* suppression file.
*/
public static final String SUPPRESION_FILE_SHORT = "sf";
}
}
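Review bot: The new public constants `SUPPRESION_FILE` and `SUPPRESION_FILE_SHORT` are misspelled (one "S" missing), while the settings key used elsewhere in this commit is `Settings.KEYS.SUPPRESSION_FILE`. Rename them to `SUPPRESSION_FILE` and `SUPPRESSION_FILE_SHORT` now, together with the references in the option builder and in `getSuppressionFile()`, before other code depends on the public names. The getter's Javadoc should also say what callers receive when the option is absent: `@return the path to the suppression file, or null if the option was not given`.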