From 894263809c5a5bb21fc6529b0cbd5e8d123ade3f Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 13 Sep 2014 05:39:38 -0400 Subject: [PATCH 01/11] added base flag to one suppression entry Former-commit-id: 7d6bbf36e5e35c2ee2fe8c901281996a34706036 --- dependency-check-core/src/test/resources/suppressions.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-check-core/src/test/resources/suppressions.xml b/dependency-check-core/src/test/resources/suppressions.xml index a9e06e88e..37a449815 100644 --- a/dependency-check-core/src/test/resources/suppressions.xml +++ b/dependency-check-core/src/test/resources/suppressions.xml @@ -10,7 +10,7 @@ c:\path\to\some.jar cpe:/a:csv:csv:1.0 - + From 257f78879dffe606c8ba788e34c65a5bb4678660 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 13 Sep 2014 05:40:06 -0400 Subject: [PATCH 02/11] added base attribute to suppression rules Former-commit-id: bcadbd75b99471a56d604c2f158570305e9b4010 --- dependency-check-core/src/main/resources/schema/suppression.xsd | 1 + 1 file changed, 1 insertion(+) diff --git a/dependency-check-core/src/main/resources/schema/suppression.xsd b/dependency-check-core/src/main/resources/schema/suppression.xsd index 083c8ae97..5d78b731c 100644 --- a/dependency-check-core/src/main/resources/schema/suppression.xsd +++ b/dependency-check-core/src/main/resources/schema/suppression.xsd @@ -50,6 +50,7 @@ + From c76275275f69edf08360f28e4ad193659b714686 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 13 Sep 2014 05:40:37 -0400 Subject: [PATCH 03/11] added the base=true flag to all base suppressions Former-commit-id: ac77f3fc4ff80c182b7736554a1960e186e67d69 --- .../main/resources/dependencycheck-base-suppression.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml index 24bdb883a..f86d3118b 100644 
--- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml +++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml @@ -1,6 +1,6 @@ - + @@ -9,7 +9,7 @@ cpe:/a:springsource:spring_framework cpe:/a:vmware:springsource_spring_framework - + com\.thoughtworks\.xstream:xstream:.* cpe:/a:springsource:spring_framework - + org.apache.velocity:velocity-tools:.* cpe:/a:apache:struts - + From 62065c9d289a5dbd3f25b75cd05d4ff12ecddebf Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 13 Sep 2014 05:41:26 -0400 Subject: [PATCH 04/11] corrected the removal of an identifier so that iterator.remove was correctly used Former-commit-id: 252507772242cc7ff42ef9f310cfca3bec7cb075 --- .../owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java index 8f592e73a..3eb5d46c3 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java @@ -114,7 +114,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { && i.getValue() != null && i.getValue().startsWith("cpe:/a:springsource:") && !i.getValue().toLowerCase().contains(mustContain)) { - dependency.getIdentifiers().remove(i); + itr.remove(); + //dependency.getIdentifiers().remove(i); } } From e44ee3bfe13310b70a5a668fb792364ea585aeda Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 13 Sep 2014 05:42:01 -0400 Subject: [PATCH 05/11] added parsing of the base flag Former-commit-id: 02f533177846bcd4a98b31f851e91f438e1ddeaa --- .../dependencycheck/suppression/SuppressionHandler.java | 6 ++++++ 1 file changed, 6 insertions(+) 
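Review bot: The line `//dependency.getIdentifiers().remove(i);` kept under the new `itr.remove();` is commented-out code and should be deleted, not left as a reminder; the old call is exactly what the commit replaces and it remains in history. If the reason deserves a note, make it a why-comment instead, e.g. `// remove through the iterator: removing from the underlying collection while iterating it is not safe`. The enclosing loop and method begin outside the hunk.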
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java index 4906f4e19..a40168db4 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java @@ -103,6 +103,12 @@ public class SuppressionHandler extends DefaultHandler { currentText = new StringBuffer(); if (SUPPRESS.equals(qName)) { rule = new SuppressionRule(); + final String base = currentAttributes.getValue("base"); + if (base != null) { + rule.setBase(Boolean.parseBoolean(base)); + } else { + rule.setBase(false); + } } } From 8fab2f58dab525236ee373acb174eda905ef471b Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 13 Sep 2014 05:43:16 -0400 Subject: [PATCH 06/11] added the base property and skipped adding the vulnerability or identifier to the suppressed collection if this is a base suppression rule Former-commit-id: a668d7d8b9345b6ad44bfff1ced4ab783a1f90d8 --- .../suppression/SuppressionRule.java | 28 +++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java index 958204e48..1254d5ea5 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java 
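Review bot: The null branch in the new `base` parsing is redundant, because `Boolean.parseBoolean(null)` already returns false, so the six added lines reduce to `rule.setBase(Boolean.parseBoolean(currentAttributes.getValue("base")));`. The more important point is that the handler honours `base="true"` in whatever document it parses, and from PATCH 06 a base rule removes the matched identifier or vulnerability without recording it in the dependency's suppressed collections; a user-supplied suppression file that sets the attribute would therefore make findings disappear without leaving a trace wherever those collections are reported. If the flag is meant only for dependencycheck-base-suppression.xml, the code that parses user files should reset or reject it, which I cannot see from this series. The enclosing method begins and ends outside the hunk.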
@@ -266,6 +266,26 @@ public class SuppressionRule { return gav != null; } + private boolean base; + + /** + * Get the value of base + * + * @return the value of base + */ + public boolean isBase() { + return base; + } + + /** + * Set the value of base + * + * @param base new value of base + */ + public void setBase(boolean base) { + this.base = base; + } + /** * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any * should be, they are removed from the dependency. @@ -300,7 +320,9 @@ public class SuppressionRule { final Identifier i = itr.next(); for (PropertyType c : this.cpe) { if (identifierMatches("cpe", c, i)) { - dependency.addSuppressedIdentifier(i); + if (!isBase()) { + dependency.addSuppressedIdentifier(i); + } itr.remove(); break; } @@ -339,7 +361,9 @@ public class SuppressionRule { } } if (remove) { - dependency.addSuppressedVulnerability(v); + if (!isBase()) { + dependency.addSuppressedVulnerability(v); + } itr.remove(); } } From c785b39eda490704a63c5b52664ac4d4af1faba4 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 13 Sep 2014 05:44:09 -0400 Subject: [PATCH 07/11] added assertion to validate that the base flag is being processed Former-commit-id: 0364e57af8f548d010f17f948492e9472433c675 --- .../suppression/SuppressionHandlerTest.java | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionHandlerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionHandlerTest.java index bc38b3d6d..ea678aad3 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionHandlerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionHandlerTest.java 
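Review bot: The Javadoc on the new `isBase`/`setBase` accessors ("Get the value of base") says nothing about what the flag does, which is the one thing a reader of this class needs; the second and third hunks show the effect, so document it on the field, e.g. `/** True for rules from dependencycheck-base-suppression.xml: matches are removed from the dependency but are not recorded in its suppressed identifiers or vulnerabilities. */`. The `private boolean base;` field is also declared between two methods rather than alongside the class's other fields, which is presumably where the other rule properties live. The Javadoc of `process` in the second hunk should mention the base behaviour as well, since callers now observe different suppressed collections depending on the flag.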
@@ -88,7 +88,15 @@ public class SuppressionHandlerTest { xmlReader.parse(in); - List result = handler.getSuppressionRules(); + List result = handler.getSuppressionRules(); assertTrue(result.size() > 3); + int baseCount = 0; + for (SuppressionRule r : result) { + if (r.isBase()) { + baseCount++; + } + } + assertTrue(baseCount > 0); + } } From 0e2a31709a1b17ccc60c3921860b4833f98d1732 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 13 Sep 2014 05:45:05 -0400 Subject: [PATCH 08/11] added test cases to ensure setting the base flag will prevent the identifier from being added to the suppressedIdentifiers collection Former-commit-id: d369797a3b14fc2c42621d273d6f314e968848b9 --- .../suppression/SuppressionRuleTest.java | 32 +++++++++++++------ 1 file changed, 23 insertions(+), 9 deletions(-) diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionRuleTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionRuleTest.java index 86fb99bf9..a528cebb4 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionRuleTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionRuleTest.java @@ -146,6 +146,17 @@ public class SuppressionRuleTest { List result = instance.getCve(); assertEquals(cve, result); } + + /** + * Test of Cve property, of class SuppressionRule. + */ + @Test + public void testBase() { + SuppressionRule instance = new SuppressionRule(); + assertFalse(instance.isBase()); + instance.setBase(true); + assertTrue(instance.isBase()); + } // // 
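Review bot: The new `assertTrue(baseCount > 0)` only proves that at least one parsed rule reports base, so a handler that set every rule to true would still pass; PATCH 01 flags a single entry in the suppressions.xml fixture, so `assertEquals(1, baseCount)` would pin parsing of both the present and the absent attribute (I cannot see the fixture's markup here, so confirm the count). The `List result` line is shown as changed although old and new read the same in this rendering, which I take to be a generic type argument lost in extraction. The test method starts outside the hunk.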
@@ -424,33 +435,33 @@ public class SuppressionRuleTest { instance.setSha1(sha1); instance.addCwe("287"); instance.process(dependency); - assertTrue(dependency.getVulnerabilities().size() == 1); + assertEquals(1, dependency.getVulnerabilities().size()); dependency.setSha1sum(sha1); instance.process(dependency); assertTrue(dependency.getVulnerabilities().isEmpty()); - assertTrue(dependency.getSuppressedVulnerabilities().size() == 1); + assertEquals(1, dependency.getSuppressedVulnerabilities().size()); //cvss dependency.addVulnerability(v); instance = new SuppressionRule(); instance.addCvssBelow(5f); instance.process(dependency); - assertTrue(dependency.getVulnerabilities().size() == 1); + assertEquals(1, dependency.getVulnerabilities().size()); instance.addCvssBelow(8f); instance.process(dependency); assertTrue(dependency.getVulnerabilities().isEmpty()); - assertTrue(dependency.getSuppressedVulnerabilities().size() == 1); + assertEquals(1, dependency.getSuppressedVulnerabilities().size()); //cve dependency.addVulnerability(v); instance = new SuppressionRule(); instance.addCve("CVE-2012-1337"); instance.process(dependency); - assertTrue(dependency.getVulnerabilities().size() == 1); + assertEquals(1, dependency.getVulnerabilities().size()); instance.addCve("CVE-2013-1337"); instance.process(dependency); assertTrue(dependency.getVulnerabilities().isEmpty()); - assertTrue(dependency.getSuppressedVulnerabilities().size() == 1); + assertEquals(1, dependency.getSuppressedVulnerabilities().size()); //cpe instance = new SuppressionRule(); 
@@ -468,18 +479,21 @@ public class SuppressionRuleTest { instance.setFilePath(pt); instance.process(dependency); assertTrue(dependency.getIdentifiers().isEmpty()); - assertTrue(dependency.getSuppressedIdentifiers().size() == 1); + assertEquals(1, dependency.getSuppressedIdentifiers().size()); + instance = new SuppressionRule(); dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.0", "some url not needed for this test"); dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.5", "some url not needed for this test"); dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:5.0", "some url not needed for this test"); pt = new PropertyType(); pt.setValue("cpe:/a:microsoft:.net_framework"); instance.addCpe(pt); - assertTrue(dependency.getIdentifiers().size() == 3); + instance.setBase(true); + assertEquals(3, dependency.getIdentifiers().size()); + assertEquals(1, dependency.getSuppressedIdentifiers().size()); instance.process(dependency); assertTrue(dependency.getIdentifiers().isEmpty()); - assertTrue(dependency.getSuppressedIdentifiers().size() == 3); + assertEquals(1, dependency.getSuppressedIdentifiers().size()); } /** From 93ec2e86393c1efcda876e9519c913c76dcde118 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 13 Sep 2014 05:50:49 -0400 Subject: [PATCH 09/11] fixed javadoc Former-commit-id: d06907a74a6fd4cf9ac5e5774af63eda5aba02b3 --- .../owasp/dependencycheck/suppression/SuppressionRuleTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionRuleTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionRuleTest.java index a528cebb4..46f0edf0b 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionRuleTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionRuleTest.java 
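Review bot: The new base assertions exercise only the identifier path of `process`; the `if (!isBase())` guard added in PATCH 06 around `addSuppressedVulnerability` has no test, so a regression there would go unnoticed. A parallel case would call `instance.setBase(true)` before one of the `addCve`/`addCvssBelow` runs earlier in this method (the hunk at -424,33) and assert that `getSuppressedVulnerabilities()` keeps its previous size while `getVulnerabilities()` becomes empty. The test method begins outside the hunk.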
@@ -148,7 +148,7 @@ public class SuppressionRuleTest { } /** - * Test of Cve property, of class SuppressionRule. + * Test of base property, of class SuppressionRule. */ @Test public void testBase() { From f9064e526f4fa2197b34f4a35d75e976081d00d8 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 13 Sep 2014 07:09:54 -0400 Subject: [PATCH 10/11] added test jar to the extended profile test dependencies Former-commit-id: b24966e3936afd9337dbea5476a696ddf46efc65 --- dependency-check-core/pom.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index ef9aae6cb..65c074420 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -628,6 +628,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. provided true + + org.glassfish.jersey.core + jersey-client + 2.12 + provided + true + From 29595324c4513052337eec6fb50935655ee9e8dd Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 13 Sep 2014 07:10:17 -0400 Subject: [PATCH 11/11] added suppression rules for jersey-client Former-commit-id: cb8f4081c6d0fc2128a3a3dfda294a541c16adec --- .../main/resources/dependencycheck-base-suppression.xml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml index f86d3118b..0b1518d1d 100644 --- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml +++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml @@ -21,7 +21,7 @@ - org.apache.velocity:velocity-tools:.* + org\.apache\.velocity:velocity-tools:.* cpe:/a:apache:struts @@ -31,4 +31,11 @@ .*\.(jar|dll|exe|ear|war|pom) cpe:/a:sandbox:sandbox + + + org\.glassfish\.jersey\.core:jersey-(client|common):.* + cpe:/a:oracle:glassfish + \ No newline at end of file
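Review bot: The new jersey-client dependency appears to be declared with scope `provided` and marked optional, while the commit message calls it a test dependency; if it exists only so a test can scan the jar, `test` scope keeps it off the compile classpath entirely (the enclosing profile is outside the hunk, so the scope may be deliberate for the extended profile). Pinning to 2.12 is right for reproducibility, but a short comment next to the dependency saying it is a scanning fixture would explain why a web client library sits in this pom, especially now that PATCH 11 adds a base suppression for the same artifact.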
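Review bot: Because the markup was lost in extraction I cannot tell whether the new jersey-(client|common) entry carries `base="true"` like the entries updated in PATCH 03; if it does not, the parser from PATCH 05 defaults base to false and `cpe:/a:oracle:glassfish` matches on jersey artifacts will be recorded as suppressed identifiers instead of being dropped like the other base rules, so please confirm the attribute is present. The escaping fix in the first hunk (`org\.apache\.velocity`) is a genuine correction, since the unescaped dots matched any character; the other patterns in this file already use the escaped form. The file now ends without a trailing newline.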