updated suppression schema to require a CPE, CVE, or CVSS Below per issue #488

2026-01-14 07:43:40 +01:00 · 2016-04-24 07:20:11 -04:00
parent bcc2478ef7
commit deda02f879
7 changed files with 65 additions and 13 deletions
--- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <suppress base="true">
        <notes><![CDATA[
        This suppresses false positives identified on spring security.
--- a/dependency-check-core/src/main/resources/schema/dependency-suppression.1.1.xsd
+++ b/dependency-check-core/src/main/resources/schema/dependency-suppression.1.1.xsd
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema id="suppressions"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           elementFormDefault="qualified"
+           targetNamespace="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+
+    <xs:complexType name="regexStringType">
+        <xs:simpleContent>
+            <xs:extension base="xs:string">
+                <xs:attribute name="regex" use="optional" type="xs:boolean" default="false"/>
+                <xs:attribute name="caseSensitive" use="optional" type="xs:boolean" default="false"/>
+            </xs:extension>
+        </xs:simpleContent>
+    </xs:complexType>
+    <xs:simpleType name="cvssScoreType">
+        <xs:restriction base="xs:decimal">
+            <xs:minInclusive value="0"/>
+            <xs:maxInclusive value="10"/>
+        </xs:restriction>
+    </xs:simpleType>
+    <xs:simpleType name="cveType">
+        <xs:restriction base="xs:string">
+            <xs:pattern value="((\w+\-)?CVE\-\d\d\d\d\-\d+|\d+)"/>
+        </xs:restriction>
+    </xs:simpleType>
+    <xs:simpleType name="sha1Type">
+        <xs:restriction base="xs:string">
+            <xs:pattern value="[a-fA-F0-9]{40}"/>
+        </xs:restriction>
+    </xs:simpleType>
+    <xs:element name="suppressions">
+        <xs:complexType>
+            <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                <xs:element name="suppress">
+                    <xs:complexType>
+                        <xs:sequence minOccurs="1" maxOccurs="1">
+                            <xs:sequence minOccurs="0" maxOccurs="1">
+                                <xs:element name="notes" type="xs:string"/>
+                            </xs:sequence>
+                            <xs:choice minOccurs="0" maxOccurs="1">
+                                <xs:element name="filePath" type="dc:regexStringType"/>
+                                <xs:element name="sha1" type="dc:sha1Type"/>
+                                <xs:element name="gav" type="dc:regexStringType"/>
+                            </xs:choice>
+                            <xs:choice minOccurs="1" maxOccurs="unbounded">
+                                <xs:element name="cpe" type="dc:regexStringType"/>
+                                <xs:element name="cve" type="dc:cveType"/>
+                                <xs:element name="cwe" type="xs:positiveInteger"/>
+                                <xs:element name="cvssBelow" type="dc:cvssScoreType"/>
+                            </xs:choice>
+                        </xs:sequence>
+                        <xs:attribute name="base" use="optional" type="xs:boolean" default="false"/>
+                    </xs:complexType>
+                </xs:element>
+            </xs:sequence>
+        </xs:complexType>
+    </xs:element>
+</xs:schema>
--- a/dependency-check-core/src/main/resources/schema/suppression.xsd
+++ b/dependency-check-core/src/main/resources/schema/suppression.xsd
@@ -56,4 +56,4 @@
            </xs:sequence>
        </xs:complexType>
    </xs:element>
-</xs:schema>
+</xs:schema>
--- a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl
@@ -79,7 +79,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                    setTimeout('$("#modal-content,#modal-background").toggleClass("active");',100);
                });
                $('#modal-add-header').click(function () {
-                    xml = '<?xml version="1.0" encoding="UTF-8"?>\n<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">\n   ';
+                    xml = '<?xml version="1.0" encoding="UTF-8"?>\n<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">\n   ';
                    xml += $("#modal-text").text().replace(/\n/g,'\n   ');
                    xml += '\n</suppressions>';
                    $('#modal-text').text(xml).focus().select();
--- a/dependency-check-core/src/test/resources/commons-fileupload-1.2.1.suppression.xml
+++ b/dependency-check-core/src/test/resources/commons-fileupload-1.2.1.suppression.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <suppress>
        <notes><![CDATA[
        file name: commons-fileupload-1.2.1.jar
--- a/dependency-check-core/src/test/resources/suppressions.xml
+++ b/dependency-check-core/src/test/resources/suppressions.xml
@@ -1,8 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions
-    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
-    xmlns='https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression'
-    xsi:schemaLocation='https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression suppression.xsd'>
+<suppressions xmlns='https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd'>
    <suppress>
        <notes><![CDATA[
        This suppresses cpe:/a:csv:csv:1.0 for some.jar in the "c:\path\to" directory.
--- a/src/site/markdown/general/suppression.md
+++ b/src/site/markdown/general/suppression.md
@@ -6,7 +6,7 @@ A sample suppression file would look like:

 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
   <suppress>
      <notes><![CDATA[
      file name: some.jar
@@ -26,10 +26,7 @@ HTML version of the report. The other common scenario would be to ignore all CVE

 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions
-    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
-    xmlns='https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression'
-    xsi:schemaLocation='https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression suppression.xsd'>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <suppress>
        <notes><![CDATA[
        This suppresses cpe:/a:csv:csv:1.0 for some.jar in the "c:\path\to" directory.