Issue #730: Allow multiple args for CLI suppresion

The core has not been extended, but the CLI can now parse multiple arguments and pass them to the Settings singleton.
This change to the CLI is backwards compatible.
Phillip Whittlesea
2017-06-11 15:05:24 +01:00
parent 869c9c0114
commit 76218da8d1
6 changed files with 165 additions and 12 deletions


@@ -387,7 +387,7 @@ public class App {
final String proxyPass = cli.getProxyPassword();
final String dataDirectory = cli.getDataDirectory();
final File propertiesFile = cli.getPropertiesFile();
final String suppressionFile = cli.getSuppressionFile();
final String[] suppressionFiles = cli.getSuppressionFiles();
final String hintsFile = cli.getHintsFile();
final String nexusUrl = cli.getNexusUrl();
final String databaseDriverName = cli.getDatabaseDriverName();
@@ -436,10 +436,11 @@ public class App {
Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUser);
Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPass);
Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
Settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
Settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
Settings.setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFiles);
//File Type Analyzer Settings
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, experimentalEnabled);
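Review bot: The new `Settings.setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFiles)` call stores several paths under the key that previously held a single path, and the test added in this commit expects them joined as `first-file.xml,another-file.xml`. The commit description says the core has not been extended, so a reader of `SUPPRESSION_FILE` that still treats the value as one path would presumably fail to load either file once two are passed, and a path that itself contains a comma could not be told apart from two paths. Since suppression files decide which findings are left out of the report, I would add a comment here such as `// stored comma-joined; consumers of SUPPRESSION_FILE must split on the same separator`, and have the core fail loudly on a path it cannot load rather than continue without it. The enclosing method starts and ends outside this hunk.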


@@ -273,7 +273,7 @@ public final class CliParser {
.desc("Sets how deep nested symbolic links will be followed; 0 indicates symbolic links will not be followed.")
.build();
final Option suppressionFile = Option.builder().argName("file").hasArg().longOpt(ARGUMENT.SUPPRESSION_FILE)
final Option suppressionFile = Option.builder().argName("file").hasArgs().longOpt(ARGUMENT.SUPPRESSION_FILES)
.desc("The file path to the suppression XML file.")
.build();
@@ -1020,12 +1020,12 @@ public final class CliParser {
}
/**
* Returns the path to the suppression file.
* Returns the paths to the suppression files.
*
* @return the path to the suppression file
* @return the paths to the suppression files.
*/
public String getSuppressionFile() {
return line.getOptionValue(ARGUMENT.SUPPRESSION_FILE);
public String[] getSuppressionFiles() {
return line.getOptionValues(ARGUMENT.SUPPRESSION_FILES);
}
/**
@@ -1363,9 +1363,9 @@ public final class CliParser {
public static final String SYM_LINK_DEPTH = "symLink";
/**
* The CLI argument name for setting the location of the suppression
* file.
* file(s).
*/
public static final String SUPPRESSION_FILE = "suppression";
public static final String SUPPRESSION_FILES = "suppression";
/**
* The CLI argument name for setting the location of the hint file.
*/
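Review bot: The `.desc(...)` text under the changed `Option.builder()` line still reads "The file path to the suppression XML file." although the option now uses `hasArgs()` and accepts several values; it should become `.desc("The file paths to the suppression XML files.")` so the help output agrees with the updated documentation table. In the accessor hunk, `getSuppressionFiles()` returns `line.getOptionValues(...)` directly, which is null when the option was not given, and the Javadoc should say so, e.g. `@return the paths to the suppression files, or null if none were supplied`. The local is also still named `suppressionFile`; `suppressionFiles` would match the renamed constant.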


@@ -14,7 +14,7 @@ Short | Argument Name   | Parameter | Description | Requir
| \-\-failOnCvss | \<score\> | If the score set between 0 and 10 the exit code from dependency-check will indicate if a vulnerability with a CVSS score equal to or higher was identified. | Optional
\-l | \-\-log | \<file\> | The file path to write verbose logging information. | Optional
\-n | \-\-noupdate | | Disables the automatic updating of the CPE data. | Optional
| \-\-suppression | \<file\> | The file path to the suppression XML file; used to suppress [false positives](../general/suppression.html). | Optional
| \-\-suppression | \<files\> | The file paths to the suppression XML files; used to suppress [false positives](../general/suppression.html). | Optional
\-h | \-\-help | | Print the help message. | Optional
| \-\-advancedHelp | | Print the advanced help message. | Optional
\-v | \-\-version | | Print the version information. | Optional
@@ -64,4 +64,4 @@ Short | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Paramete
| \-\-dbPassword | \<password\> | The password for connecting to the database. | &nbsp;
| \-\-dbUser | \<user\> | The username used to connect to the database. | &nbsp;
\-d | \-\-data | \<path\> | The location of the data directory used to store persistent data. This option should generally not be set. | &nbsp;
| \-\-purge | | Delete the local copy of the NVD. This is used to force a refresh of the data. | &nbsp;
| \-\-purge | | Delete the local copy of the NVD. This is used to force a refresh of the data. | &nbsp;


@@ -153,7 +153,7 @@ public class AppTest {
* @throws Exception the unexpected {@link Exception}.
*/
@Test
public void testPopulatingSuppressionSettings() throws Exception {
public void testPopulatingSuppressionSettingsWithASingleFile() throws Exception {
// GIVEN CLI properties with the mandatory arguments
File prop = new File(this.getClass().getClassLoader().getResource("sample.properties").toURI().getPath());
@@ -170,6 +170,29 @@ public class AppTest {
assertThat("Expected the suppression file to be set in the Settings singleton", Settings.getString(KEYS.SUPPRESSION_FILE), is("another-file.xml"));
}
/**
* Assert that multiple suppression files can be set using the CLI.
*
* @throws Exception the unexpected {@link Exception}.
*/
@Test
public void testPopulatingSuppressionSettingsWithMultipleFiles() throws Exception {
// GIVEN CLI properties with the mandatory arguments
File prop = new File(this.getClass().getClassLoader().getResource("sample.properties").toURI().getPath());
// AND a single suppression file
String[] args = { "-P", prop.getAbsolutePath(), "--suppression", "first-file.xml", "another-file.xml" };
// WHEN parsing the CLI arguments
final CliParser cli = new CliParser();
cli.parse(args);
final App classUnderTest = new App();
classUnderTest.populateSettings(cli);
// THEN the suppression file is set in the settings singleton for use in the application core
assertThat("Expected the suppression files to be set in the Settings singleton with a separator", Settings.getString(KEYS.SUPPRESSION_FILE), is("first-file.xml,another-file.xml"));
}
private boolean testBooleanProperties(String[] args, Map<String, Boolean> expected) throws URISyntaxException, FileNotFoundException, ParseException, InvalidSettingException {
Settings.initialize();
try {
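Review bot: The step comments in `testPopulatingSuppressionSettingsWithMultipleFiles` were copied from the single-file test and no longer describe what it does: the args array passes two files, but the comment above it says `// AND a single suppression file`, and the final comment speaks of "the suppression file". I would change them to `// AND multiple suppression files` and `// THEN the suppression files are set, comma-separated, in the settings singleton`. The assertion pins the exact joined string `first-file.xml,another-file.xml`, so it is worth stating in the Javadoc that the comma separator is part of the contract being tested.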