github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-16 16:46:55 +01:00
Code Issues Packages Projects Releases Wiki Activity

version 1.1.2 of project documentation

Browse Source
This commit is contained in:
Jeremy Long
2014-03-03 19:32:36 -05:00
parent 9f9ed6f1da
commit 9a00756d3f
982 changed files with 42586 additions and 30816 deletions
Download Patch File Download Diff File Expand all files Collapse all files

141
suppression.html
View File

@@ -1,27 +1,27 @@
<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia at 2014-01-30
| Rendered using Apache Maven Fluido Skin 1.3.0
| Generated by Apache Maven Doxia at 2014-03-03
| Rendered using Apache Maven Fluido Skin 1.3.1
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20140130" />
<meta name="Date-Revision-yyyymmdd" content="20140303" />
<meta http-equiv="Content-Language" content="en" />
<title>dependency-check - Suppressing False Positives</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.1.min.css" />
<link rel="stylesheet" href="./css/site.css" />
<link rel="stylesheet" href="./css/print.css" media="print" />
<script type="text/javascript" src="./js/apache-maven-fluido-1.3.0.min.js"></script>
<script type="text/javascript" src="./js/apache-maven-fluido-1.3.1.min.js"></script>
<style type="text/css">#bannerLeft { margin-top:50px !important }</style>
</head>
</head>
<body class="topBarDisabled">
@@ -56,14 +56,16 @@
<li class="">
<a href="#" title="">
</a>
</li>
<li class="divider ">/</li>
<li class="">Suppressing False Positives</li>
<span class="divider">/</span>
</li>
<li class="active ">Suppressing False Positives</li>
<li id="publishDate" class="pull-right">Last Published: 2014-01-30</li> <li class="divider pull-right">|</li>
<li id="projectVersion" class="pull-right">Version: 1.1.1</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2014-03-03</li>
<li id="projectVersion" class="pull-right">
Version: 1.1.2
</li>
</ul>
</div>
@@ -76,72 +78,72 @@
<ul class="nav nav-list">
<li class="nav-header">Project Documentation</li>
<li>
<a href="project-info.html" title="Project Information">
<i class="icon-chevron-right"></i>
Project Information</a>
</li>
<li class="nav-header">General</li>
<li class="active">
<a href="#"><i class="none"></i>False Positives</a>
</li>
<li>
<a href="dependency-check.pptx" title="Project Presentation (pptx)">
<i class="none"></i>
Project Presentation (pptx)</a>
</li>
<li>
<a href="dependency-check.pdf" title="Project Presentation (pdf)">
<i class="none"></i>
Project Presentation (pdf)</a>
</li>
<li>
<a href="SampleReport.html" title="Sample Report">
<i class="none"></i>
Sample Report</a>
</li>
<li class="nav-header">Modules</li>
<li>
<a href="dependency-check-core/index.html" title="dependency-check-core">
<i class="none"></i>
dependency-check-core</a>
</li>
<li>
<a href="dependency-check-cli/installation.html" title="dependency-check-cli">
<i class="none"></i>
dependency-check-cli</a>
</li>
<li>
<a href="dependency-check-ant/installation.html" title="dependency-check-ant">
<i class="none"></i>
dependency-check-ant</a>
</li>
<li>
<a href="dependency-check-maven/usage.html" title="dependency-check-maven">
<i class="none"></i>
dependency-check-maven</a>
</li>
<li>
<a href="dependency-check-jenkins/index.html" title="dependency-check-jenkins">
<i class="none"></i>
dependency-check-jenkins</a>
@@ -150,10 +152,16 @@
<hr class="divider" />
<hr />
<div id="poweredBy">
<div class="clear"></div>
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
<div class="g-plusone" data-href="https://github.com/jeremylong/DependencyCheck.git" data-size="tall" ></div>
<div class="clear"></div>
<div class="clear"></div>
@@ -165,10 +173,17 @@
</div>
<div class="clear"></div>
<a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
<img class="builtBy" alt="Built by Maven" src="./images/logos/maven-feather.png" />
<div class="clear"></div>
<a href="http://maven.apache.org/" title="Maven" class="builtBy">
<img class="builtBy" alt="built with maven" src="http://jeremylong.github.io/DependencyCheck/images/logos/maven-feather.png" />
</a>
</div>
<a href="http://maven.apache.org/" title="IntelliJ" class="builtBy">
<img class="builtBy" alt="developed using" src="http://jeremylong.github.io/DependencyCheck/images/logos/logo_intellij_idea.png" width="170px" />
</a>
<a href="http://www.cloudbees.com/" title="Cloudbees" class="builtBy">
<img class="builtBy" alt="built on cloudbees" src="http://jeremylong.github.io/DependencyCheck/images/logos/Button-Built-on-CB-1.png" />
</a>
</div>
</div>
</div>
@@ -192,6 +207,50 @@
&lt;/suppressions&gt;
</pre></div>
<p>The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash.</p>
<p>The following shows some other ways to suppress individual findings. Note the ways to select files using either the sha1 hash or the filePath (the filePath can also be a regex). Additionally, there are several things that can be suppressed - individual CPEs, individual CVEs, or all CVE entries below a specified CVSS score. The most common would be suppressing CPEs based off of SHA1 hashes or filePath (regexes) - these entries can be generated using the HTML version of the report. The other common scenario would be to ignore all CVEs below a certain CVSS threshold.</p>
<div class="source">
<pre>&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;suppressions
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xmlns='https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression'
xsi:schemaLocation='https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression suppression.xsd'&gt;
&lt;suppress&gt;
&lt;notes&gt;&lt;![CDATA[
This suppresses cpe:/a:csv:csv:1.0 for some.jar in the &quot;c:\path\to&quot; directory.
]]&gt;&lt;/notes&gt;
&lt;filePath&gt;c:\path\to\some.jar&lt;/filePath&gt;
&lt;cpe&gt;cpe:/a:csv:csv:1.0&lt;/cpe&gt;
&lt;/suppress&gt;
&lt;suppress&gt;
&lt;notes&gt;&lt;![CDATA[
This suppresses any jboss:jboss cpe for any test.jar in any directory.
]]&gt;&lt;/notes&gt;
&lt;filePath regex=&quot;true&quot;&gt;.*\btest\.jar&lt;/filePath&gt;
&lt;cpe&gt;cpe:/a:jboss:jboss&lt;/cpe&gt;
&lt;/suppress&gt;
&lt;suppress&gt;
&lt;notes&gt;&lt;![CDATA[
This suppresses a specific cve for any test.jar in any directory.
]]&gt;&lt;/notes&gt;
&lt;filePath regex=&quot;true&quot;&gt;.*\btest\.jar&lt;/filePath&gt;
&lt;cve&gt;CVE-2013-1337&lt;/cve&gt;
&lt;/suppress&gt;
&lt;suppress&gt;
&lt;notes&gt;&lt;![CDATA[
This suppresses a specific cve for any dependency in any directory that has the specified sha1 checksum.
]]&gt;&lt;/notes&gt;
&lt;sha1&gt;384FAA82E193D4E4B0546059CA09572654BC3970&lt;/sha1&gt;
&lt;cve&gt;CVE-2013-1337&lt;/cve&gt;
&lt;/suppress&gt;
&lt;suppress&gt;
&lt;notes&gt;&lt;![CDATA[
This suppresses all CVE entries that have a score below CVSS 7.
]]&gt;&lt;/notes&gt;
&lt;cvssBelow&gt;7&lt;/cvssBelow&gt;
&lt;/suppress&gt;
&lt;/suppressions&gt;
</pre></div>
<p>The full schema for suppression files can be found here: <a class="externalLink" href="https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/suppression.xsd" title="Suppression Schema">suppression.xsd</a></p>
<p>Please see the appropriate configuration option in each interfaces configuration guide:</p>
@@ -213,15 +272,17 @@
<footer>
<div class="container-fluid">
<div class="row span12">Copyright &copy; 2012-2014
<div class="row-fluid">
<p >Copyright &copy; 2012&#x2013;2014
<a href="http://www.owasp.org">OWASP</a>.
All Rights Reserved.
All rights reserved.
</div>
</p>
</div>
</div>
</footer>
</body>
</body>
</html>