added information on suppressing false positives to the site

Former-commit-id: 39176151fc0bbf304e1d7754f8f1f61d8d776c32

dependency-check-ant/src/site/markdown/configuration.md

@@ -29,7 +29,7 @@ FailBuildOn           | If set and a CVE is found that is greater then the speci
 AutoUpdate            | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. The default value is true. | Optional
 DataDirectory         | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional
 LogFile               | The file path to write verbose logging information. | Optional
-SuppressionFile       | An XML file conforming to the suppression schema that suppresses findings; this is used to hide false positives. | Optional
+SuppressionFile       | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional
 ProxyUrl              | Defines the proxy used to connect to the Internet. | Optional
 ProxyPort             | Defines the port for the proxy. | Optional
 ProxyUsername         | Defines the proxy user name. | Optional

dependency-check-cli/src/site/markdown/arguments.md

@@ -17,6 +17,6 @@ Short  | Argument Name         | Parameter   | Description | Requirement
  \-pp  | \-\-proxypass         | \<pass\>    | The proxy password to use when downloading resources. | Optional
  \-pu  | \-\-proxyuser         | \<user\>    | The proxy username to use when downloading resources. | Optional
  \-s   | \-\-scan              | \<path\>    | The path to scan \- this option can be specified multiple times. |
- \-sf  | \-\-suppression       | \<file\>    | The file path to the suppression XML file. | Optional
+ \-sf  | \-\-suppression       | \<file\>    | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional
  \-u   | \-\-proxyurl          | \<url\>     | The proxy url to use when downloading resources. | Optional
  \-v   | \-\-version           |             | Print the version information. | Optional

dependency-check-core/src/main/resources/templates/HtmlReport.vsl

@@ -548,8 +548,10 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                                 #else
                                     <li><b>$esc.html($id.type):</b>&nbsp;$esc.html($id.value)
                                 #end
+                                #if ($id.type=="cpe")
                                     ##yes, we are HTML Encoding into JavaScript... the escape utils don't have a JS Encode and I haven't written one yet
                                     &nbsp;&nbsp;<button class="copybutton" onclick="copyText('$esc.html($dependency.FileName)', '$esc.html($dependency.Sha1sum)', 'cpe', '$esc.html($id.value)')">suppress</button>
+                                #end
                                 #if( $id.description )
                                     <br/>$esc.html($id.description)
                                 #end

dependency-check-maven/src/site/markdown/configuration.md

@@ -8,10 +8,10 @@ autoUpdate          | Sets whether auto-updating of the NVD CVE/CPE data is enab
 externalReport      | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
 failBuildOnCVSS     | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.         | 11
 format              | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
-logFile             | The file path to write verbose logging information. |
-suppressionFile     | The file path to the XML suppression file \- used to support suppressing false positives |
-connectionTimeout   | The Connection Timeout.            |
-proxyUrl            | The Proxy URL.                     |
-proxyPort           | The Proxy Port.                    |
-proxyUsername       | Defines the proxy user name.       |
-proxyPassword       | Defines the proxy password.        |
+logFile             | The file path to write verbose logging information. | 
+suppressionFile     | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) | 
+connectionTimeout   | The Connection Timeout.            | 
+proxyUrl            | The Proxy URL.                     | 
+proxyPort           | The Proxy Port.                    | 
+proxyUsername       | Defines the proxy user name.       | 
+proxyPassword       | Defines the proxy password.        | 

src/site/markdown/suppression.md

@@ -0,0 +1,28 @@
+Suppressing False Positives
+====================
+Due to how dependency-check identifies libraries false positives may occur (a CPE was identified that is incorrect). Suppressing these false positives is fairly easy using the HTML report. In the report next to each CPE identified (and on CVE entries) there is a suppress button. Clicking the suppression button will create a dialogue box which you can simple hit Control-C to copy the XML that you would place into a suppression XML file. If this is the first time you are creating the suppression file you should click the "Complete XML Doc" button on the top of the dialogue box to add the necessary schema elements.
+
+A sample suppression file would look like:
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
+   <suppress>
+      <notes><![CDATA[
+      file name: some.jar
+      ]]></notes>
+      <sha1>66734244CE86857018B023A8C56AE0635C56B6A1</sha1>
+      <cpe>cpe:/a:apache:struts:2.0.0</cpe>
+   </suppress>
+</suppressions>
+```
+The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash.
+
+The full schema for suppression files can be found here: [suppression.xsd](https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/suppression.xsd "Suppression Schema")
+
+Please see the appropriate configuration option in each interfaces configuration guide:
+
+-  [Command Line Tool](dependency-check-cli/arguments.html)
+-  [Maven Plugin](dependency-check-maven/configuration.html)
+-  [Ant Task](dependency-check-ant/configuration.html)
+-  [Jenkins Plugin](dependency-check-jenkins/index.html)

src/site/site.xml

@@ -57,6 +57,11 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         </breadcrumbs>
 
         <menu ref="reports" />
+		<menu name="General">
+            <item name="False Positives" href="./suppression.html">
+                <description>Suppressing False Positives</description>
+            </item>
+		</menu>
         <menu name="Modules">
             <item name="dependency-check-core" href="./dependency-check-core/index.html">
                 <description>The core dependency-check library</description>