diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml
index ef9aae6cb..65c074420 100644
--- a/dependency-check-core/pom.xml
+++ b/dependency-check-core/pom.xml
@@ -628,6 +628,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
provided
true
+
+ org.glassfish.jersey.core
+ jersey-client
+ 2.12
+ provided
+ true
+
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
index 8f592e73a..3eb5d46c3 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
@@ -114,7 +114,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
&& i.getValue() != null
&& i.getValue().startsWith("cpe:/a:springsource:")
&& !i.getValue().toLowerCase().contains(mustContain)) {
- dependency.getIdentifiers().remove(i);
+ itr.remove();
+ //dependency.getIdentifiers().remove(i);
}
}
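Review bot: The commented-out line `//dependency.getIdentifiers().remove(i);` left under `itr.remove()` should be deleted rather than kept; version control already holds the old call, and a stale copy next to the live statement invites someone to restore the collection-level remove that `itr.remove()` replaces. The switch to `itr.remove()` is only correct if `itr` is the iterator currently walking `dependency.getIdentifiers()`; its declaration is outside the hunk, so confirm that before merging. The enclosing method starts and ends outside the hunk.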
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
index 4906f4e19..a40168db4 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
@@ -103,6 +103,12 @@ public class SuppressionHandler extends DefaultHandler {
currentText = new StringBuffer();
if (SUPPRESS.equals(qName)) {
rule = new SuppressionRule();
+ final String base = currentAttributes.getValue("base");
+ if (base != null) {
+ rule.setBase(Boolean.parseBoolean(base));
+ } else {
+ rule.setBase(false);
+ }
}
}
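Review bot: The null branch around `rule.setBase(...)` is redundant: `Boolean.parseBoolean(null)` already returns false, so the six added lines collapse to `rule.setBase(Boolean.parseBoolean(currentAttributes.getValue("base")));`. Note that `parseBoolean` also maps any text other than a case-insensitive `true` (a constructed example: `base="yes"`) to false without complaint, so a mistyped attribute in a suppression file is silently treated as a non-base rule; that is acceptable only if the schema constrains the attribute to a boolean, which the xsd hunk on this page does not show. The enclosing method begins before the hunk.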
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
index 958204e48..1254d5ea5 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
@@ -266,6 +266,26 @@ public class SuppressionRule {
return gav != null;
}
+ private boolean base;
+
+ /**
+ * Get the value of base
+ *
+ * @return the value of base
+ */
+ public boolean isBase() {
+ return base;
+ }
+
+ /**
+ * Set the value of base
+ *
+ * @param base new value of base
+ */
+ public void setBase(boolean base) {
+ this.base = base;
+ }
+
/**
* Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any
* should be, they are removed from the dependency.
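Review bot: The new `base` field is declared between methods (immediately after the method ending in `return gav != null;`) instead of alongside the class's other fields, and its Javadoc only restates the name without saying what a base rule is. From the `process` changes further down in this file, a base rule removes matched identifiers and vulnerabilities but does not record them on the dependency as suppressed, and the field should say so: `/** True when this rule belongs to the bundled base suppression set; matches made by a base rule are removed without being recorded as suppressed on the dependency. */`. Whether every rule loaded from dependencycheck-base-suppression.xml is actually marked base is decided by the handler, which is not visible here, so keep the wording to what the flag does rather than where it comes from.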
@@ -300,7 +320,9 @@ public class SuppressionRule {
final Identifier i = itr.next();
for (PropertyType c : this.cpe) {
if (identifierMatches("cpe", c, i)) {
- dependency.addSuppressedIdentifier(i);
+ if (!isBase()) {
+ dependency.addSuppressedIdentifier(i);
+ }
itr.remove();
break;
}
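Review bot: The `if (!isBase())` guard around `dependency.addSuppressedIdentifier(i)` carries no comment explaining why a base rule's match is dropped without a record, and the same unexplained guard is repeated in the hunk at `@@ -339` around `dependency.addSuppressedVulnerability(v)`. Because the effect is that a vulnerability removed by a base rule leaves no trace on the dependency (and presumably none in the report), the reason deserves a one-line comment at both sites, e.g. `// base (bundled false-positive) rules are not reported as suppressions`. If that loss of auditability is intended only for CPE false positives — the base file on this page contains only cpe suppressions — consider keeping the record in the vulnerability branch. process() starts before this hunk and ends after it.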
@@ -339,7 +361,9 @@ public class SuppressionRule {
}
}
if (remove) {
- dependency.addSuppressedVulnerability(v);
+ if (!isBase()) {
+ dependency.addSuppressedVulnerability(v);
+ }
itr.remove();
}
}
diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
index 24bdb883a..0b1518d1d 100644
--- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
@@ -1,6 +1,6 @@
-
+
@@ -9,7 +9,7 @@
cpe:/a:springsource:spring_framework
cpe:/a:vmware:springsource_spring_framework
-
+
com\.thoughtworks\.xstream:xstream:.*
cpe:/a:springsource:spring_framework
-
+
- org.apache.velocity:velocity-tools:.*
+ org\.apache\.velocity:velocity-tools:.*
cpe:/a:apache:struts
-
+
.*\.(jar|dll|exe|ear|war|pom)
cpe:/a:sandbox:sandbox
+
+
+ org\.glassfish\.jersey\.core:jersey-(client|common):.*
+ cpe:/a:oracle:glassfish
+
\ No newline at end of file
diff --git a/dependency-check-core/src/main/resources/schema/suppression.xsd b/dependency-check-core/src/main/resources/schema/suppression.xsd
index 083c8ae97..5d78b731c 100644
--- a/dependency-check-core/src/main/resources/schema/suppression.xsd
+++ b/dependency-check-core/src/main/resources/schema/suppression.xsd
@@ -50,6 +50,7 @@
+
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionHandlerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionHandlerTest.java
index bc38b3d6d..ea678aad3 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionHandlerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionHandlerTest.java
@@ -88,7 +88,15 @@ public class SuppressionHandlerTest {
xmlReader.parse(in);
- List result = handler.getSuppressionRules();
+ List result = handler.getSuppressionRules();
assertTrue(result.size() > 3);
+ int baseCount = 0;
+ for (SuppressionRule r : result) {
+ if (r.isBase()) {
+ baseCount++;
+ }
+ }
+ assertTrue(baseCount > 0);
+
}
}
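Review bot: `assertTrue(baseCount > 0)` only proves that at least one rule in the test suppressions.xml parsed with the base attribute set; it does not check that rules without the attribute stayed false, which is the path every user-supplied suppression file takes. Since the fixture is fixed, assert the exact count, `assertEquals(<number of base rules in the fixture>, baseCount)`, or at minimum also assert `baseCount < result.size()` so the default-false path is covered by this parse. The test method begins before the hunk.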
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionRuleTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionRuleTest.java
index 86fb99bf9..46f0edf0b 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionRuleTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionRuleTest.java
@@ -146,6 +146,17 @@ public class SuppressionRuleTest {
List result = instance.getCve();
assertEquals(cve, result);
}
+
+ /**
+ * Test of base property, of class SuppressionRule.
+ */
+ @Test
+ public void testBase() {
+ SuppressionRule instance = new SuppressionRule();
+ assertFalse(instance.isBase());
+ instance.setBase(true);
+ assertTrue(instance.isBase());
+ }
//
//
@@ -424,33 +435,33 @@ public class SuppressionRuleTest {
instance.setSha1(sha1);
instance.addCwe("287");
instance.process(dependency);
- assertTrue(dependency.getVulnerabilities().size() == 1);
+ assertEquals(1, dependency.getVulnerabilities().size());
dependency.setSha1sum(sha1);
instance.process(dependency);
assertTrue(dependency.getVulnerabilities().isEmpty());
- assertTrue(dependency.getSuppressedVulnerabilities().size() == 1);
+ assertEquals(1, dependency.getSuppressedVulnerabilities().size());
//cvss
dependency.addVulnerability(v);
instance = new SuppressionRule();
instance.addCvssBelow(5f);
instance.process(dependency);
- assertTrue(dependency.getVulnerabilities().size() == 1);
+ assertEquals(1, dependency.getVulnerabilities().size());
instance.addCvssBelow(8f);
instance.process(dependency);
assertTrue(dependency.getVulnerabilities().isEmpty());
- assertTrue(dependency.getSuppressedVulnerabilities().size() == 1);
+ assertEquals(1, dependency.getSuppressedVulnerabilities().size());
//cve
dependency.addVulnerability(v);
instance = new SuppressionRule();
instance.addCve("CVE-2012-1337");
instance.process(dependency);
- assertTrue(dependency.getVulnerabilities().size() == 1);
+ assertEquals(1, dependency.getVulnerabilities().size());
instance.addCve("CVE-2013-1337");
instance.process(dependency);
assertTrue(dependency.getVulnerabilities().isEmpty());
- assertTrue(dependency.getSuppressedVulnerabilities().size() == 1);
+ assertEquals(1, dependency.getSuppressedVulnerabilities().size());
//cpe
instance = new SuppressionRule();
@@ -468,18 +479,21 @@ public class SuppressionRuleTest {
instance.setFilePath(pt);
instance.process(dependency);
assertTrue(dependency.getIdentifiers().isEmpty());
- assertTrue(dependency.getSuppressedIdentifiers().size() == 1);
+ assertEquals(1, dependency.getSuppressedIdentifiers().size());
+ instance = new SuppressionRule();
dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.0", "some url not needed for this test");
dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.5", "some url not needed for this test");
dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:5.0", "some url not needed for this test");
pt = new PropertyType();
pt.setValue("cpe:/a:microsoft:.net_framework");
instance.addCpe(pt);
- assertTrue(dependency.getIdentifiers().size() == 3);
+ instance.setBase(true);
+ assertEquals(3, dependency.getIdentifiers().size());
+ assertEquals(1, dependency.getSuppressedIdentifiers().size());
instance.process(dependency);
assertTrue(dependency.getIdentifiers().isEmpty());
- assertTrue(dependency.getSuppressedIdentifiers().size() == 3);
+ assertEquals(1, dependency.getSuppressedIdentifiers().size());
}
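Review bot: The new base-rule assertions only exercise the identifier path: `instance.setBase(true)` is followed by a CPE-only rule, so `getSuppressedIdentifiers()` staying at 1 is verified, but the matching `!isBase()` guard around `addSuppressedVulnerability` in SuppressionRule is never hit — the cvss/cve/cwe section earlier in this test (hunk `@@ -424`) still uses non-base rules. Add a base-rule case after the cve block, re-adding `v` and suppressing it with a rule marked base, then assert the vulnerability is gone while the suppressed count stays at 1; this assumes `v` is the CVE-2013-1337 vulnerability, which the existing cve block appears to rely on. The test method starts before the hunk.
```java
// … unchanged: cve block through assertEquals(1, dependency.getSuppressedVulnerabilities().size()) …
dependency.addVulnerability(v);
instance = new SuppressionRule();
instance.addCve("CVE-2013-1337");
instance.setBase(true);
instance.process(dependency);
assertTrue(dependency.getVulnerabilities().isEmpty());
assertEquals(1, dependency.getSuppressedVulnerabilities().size());
// … unchanged: cpe block …
```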
/**
diff --git a/dependency-check-core/src/test/resources/suppressions.xml b/dependency-check-core/src/test/resources/suppressions.xml
index a9e06e88e..37a449815 100644
--- a/dependency-check-core/src/test/resources/suppressions.xml
+++ b/dependency-check-core/src/test/resources/suppressions.xml
@@ -10,7 +10,7 @@
c:\path\to\some.jar
cpe:/a:csv:csv:1.0
-
+