updated to address issue #74

Former-commit-id: d562b1785a7f9b32dff7cd84351eed96c775fdcf
2026-01-14 15:53:36 +01:00 · 2014-03-02 18:26:58 -05:00
parent b3932ae8c5
commit d1ca951ffa
1 changed files with 49 additions and 0 deletions
--- a/src/site/markdown/suppression.md
+++ b/src/site/markdown/suppression.md
@@ -18,6 +18,55 @@ A sample suppression file would look like:
 ```
 The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash.

+The following shows some other ways to suppress individual findings. Note the ways to select files using either
+the sha1 hash or the filePath (the filePath can also be a regex). Additionally, there are several things that
+can be suppressed - individual CPEs, individual CVEs, or all CVE entries below a specified CVSS score. The most common
+would be suppressing CPEs based off of SHA1 hashes or filePath (regexes) - these entries can be generated using the
+HTML version of the report. The other common scenario would be to ignore all CVEs below a certain CVSS threshold.
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions
+    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+    xmlns='https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression'
+    xsi:schemaLocation='https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression suppression.xsd'>
+    <suppress>
+        <notes><![CDATA[
+        This suppresses cpe:/a:csv:csv:1.0 for some.jar in the "c:\path\to" directory.
+        ]]></notes>
+        <filePath>c:\path\to\some.jar</filePath>
+        <cpe>cpe:/a:csv:csv:1.0</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        This suppresses any jboss:jboss cpe for any test.jar in any directory.
+        ]]></notes>
+        <filePath regex="true">.*\btest\.jar</filePath>
+        <cpe>cpe:/a:jboss:jboss</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        This suppresses a specific cve for any test.jar in any directory.
+        ]]></notes>
+        <filePath regex="true">.*\btest\.jar</filePath>
+        <cve>CVE-2013-1337</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        This suppresses a specific cve for any dependency in any directory that has the specified sha1 checksum.
+        ]]></notes>
+        <sha1>384FAA82E193D4E4B0546059CA09572654BC3970</sha1>
+        <cve>CVE-2013-1337</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        This suppresses all CVE entries that have a score below CVSS 7.
+        ]]></notes>
+        <cvssBelow>7</cvssBelow>
+    </suppress>
+</suppressions>
+```
+
 The full schema for suppression files can be found here: [suppression.xsd](https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/suppression.xsd "Suppression Schema")

 Please see the appropriate configuration option in each interfaces configuration guide: