mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-01-13 23:33:37 +01:00
321 lines
14 KiB
HTML
321 lines
14 KiB
HTML
<!DOCTYPE html>
|
|
<!--
|
|
| Generated by Apache Maven Doxia Site Renderer 1.7.1 at 2017-01-22
|
|
| Rendered using Apache Maven Fluido Skin 1.5
|
|
-->
|
|
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
|
|
<head>
|
|
<meta charset="UTF-8" />
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
|
<meta name="Date-Revision-yyyymmdd" content="20170122" />
|
|
<meta http-equiv="Content-Language" content="en" />
|
|
<title>dependency-check – Suppressing False Positives</title>
|
|
<link rel="stylesheet" href="../css/apache-maven-fluido-1.5.min.css" />
|
|
<link rel="stylesheet" href="../css/site.css" />
|
|
<link rel="stylesheet" href="../css/print.css" media="print" />
|
|
|
|
|
|
<script type="text/javascript" src="../js/apache-maven-fluido-1.5.min.js"></script>
|
|
|
|
<style type="text/css">
|
|
#bannerLeft { margin-top:-20px;margin-bottom:5px !important }
|
|
</style>
|
|
</head>
|
|
<body class="topBarDisabled">
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<a href="https://github.com/jeremylong/DependencyCheck">
|
|
<img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
|
|
src="https://s3.amazonaws.com/github/ribbons/forkme_right_gray_6d6d6d.png"
|
|
alt="Fork me on GitHub">
|
|
</a>
|
|
|
|
|
|
|
|
|
|
<div class="container-fluid">
|
|
<div id="banner">
|
|
<div class="pull-left">
|
|
<div id="bannerLeft">
|
|
<img src="../images/dc.svg" alt="OWASP dependency-check"/>
|
|
</div>
|
|
</div>
|
|
<div class="pull-right"> </div>
|
|
<div class="clear"><hr/></div>
|
|
</div>
|
|
|
|
<div id="breadcrumbs">
|
|
<ul class="breadcrumb">
|
|
|
|
<li class="">
|
|
<a href="../#" title="">
|
|
</a>
|
|
<span class="divider">/</span>
|
|
</li>
|
|
<li class="active ">Suppressing False Positives</li>
|
|
|
|
|
|
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2017-01-22</li>
|
|
<li id="projectVersion" class="pull-right">
|
|
Version: 1.4.5
|
|
</li>
|
|
|
|
</ul>
|
|
</div>
|
|
|
|
|
|
<div class="row-fluid">
|
|
<div id="leftColumn" class="span2">
|
|
<div class="well sidebar-nav">
|
|
|
|
<ul class="nav nav-list">
|
|
<li class="nav-header">OWASP dependency-check</li>
|
|
|
|
<li>
|
|
|
|
<a href="../index.html" title="General">
|
|
<span class="icon-chevron-down"></span>
|
|
General</a>
|
|
<ul class="nav nav-list">
|
|
|
|
<li>
|
|
|
|
<a href="../general/internals.html" title="How it Works">
|
|
<span class="none"></span>
|
|
How it Works</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/thereport.html" title="Reading the Report">
|
|
<span class="none"></span>
|
|
Reading the Report</a>
|
|
</li>
|
|
|
|
<li class="active">
|
|
|
|
<a href="#"><span class="none"></span>False Positives</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/hints.html" title="False Negatives">
|
|
<span class="none"></span>
|
|
False Negatives</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../data/index.html" title="Internet Access Required">
|
|
<span class="icon-chevron-right"></span>
|
|
Internet Access Required</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../related.html" title="Related Work">
|
|
<span class="none"></span>
|
|
Related Work</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/dependency-check.pptx" title="Project Presentation (pptx)">
|
|
<span class="none"></span>
|
|
Project Presentation (pptx)</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/dependency-check.pdf" title="Project Presentation (pdf)">
|
|
<span class="none"></span>
|
|
Project Presentation (pdf)</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/SampleReport.html" title="Sample Report">
|
|
<span class="none"></span>
|
|
Sample Report</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/scan_iso.html" title="How to Scan an ISO Image">
|
|
<span class="none"></span>
|
|
How to Scan an ISO Image</a>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../analyzers/index.html" title="File Type Analyzers">
|
|
<span class="icon-chevron-right"></span>
|
|
File Type Analyzers</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../modules.html" title="Modules">
|
|
<span class="icon-chevron-right"></span>
|
|
Modules</a>
|
|
</li>
|
|
<li class="nav-header">Project Documentation</li>
|
|
|
|
<li>
|
|
|
|
<a href="../project-info.html" title="Project Information">
|
|
<span class="icon-chevron-right"></span>
|
|
Project Information</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../project-reports.html" title="Project Reports">
|
|
<span class="icon-chevron-right"></span>
|
|
Project Reports</a>
|
|
</li>
|
|
</ul>
|
|
|
|
|
|
<hr />
|
|
|
|
<div id="poweredBy">
|
|
|
|
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
|
|
|
|
|
|
<div class="g-plusone" data-href="https://github.com/jeremylong/DependencyCheck.git" data-size="tall" ></div>
|
|
|
|
<div class="clear"></div>
|
|
<div class="clear"></div>
|
|
|
|
|
|
|
|
<div id="twitter">
|
|
|
|
<a href="https://twitter.com/ctxt" class="twitter-follow-button" data-show-count="true" data-align="left" data-size="medium" data-show-screen-name="true" data-lang="en">Follow ctxt</a>
|
|
<script type="text/javascript">!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
|
|
|
|
</div>
|
|
<div class="clear"></div>
|
|
<div class="clear"></div>
|
|
<a href="http://maven.apache.org/" title="Maven" class="builtBy">
|
|
<img class="builtBy" alt="built with maven" src="http://jeremylong.github.io/DependencyCheck/images/logos/maven-feather.png" />
|
|
</a>
|
|
<a href="http://www.jetbrains.com/idea/" title="IntelliJ" class="builtBy">
|
|
<img class="builtBy" alt="developed using" src="http://jeremylong.github.io/DependencyCheck/images/logos/logo_intellij_idea.png" width="170px" />
|
|
</a>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
|
|
<div id="bodyColumn" class="span10" >
|
|
|
|
<h1>Suppressing False Positives</h1>
|
|
<p>Due to <a href="internals.html">how dependency-check identifies libraries</a> false positives may occur (i.e. a CPE was identified that is incorrect). Suppressing these false positives is fairly easy using the HTML report. In the report next to each CPE identified (and on CVE entries) there is a suppress button. Clicking the suppression button will create a dialogue box which you can simple hit Control-C to copy the XML that you would place into a suppression XML file. If this is the first time you are creating the suppression file you should click the “Complete XML Doc” button on the top of the dialogue box to add the necessary schema elements.</p>
|
|
<p>A sample suppression file would look like:</p>
|
|
|
|
<div class="source">
|
|
<div class="source"><pre class="prettyprint linenums"><?xml version="1.0" encoding="UTF-8"?>
|
|
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
|
|
<suppress>
|
|
<notes><![CDATA[
|
|
file name: some.jar
|
|
]]></notes>
|
|
<sha1>66734244CE86857018B023A8C56AE0635C56B6A1</sha1>
|
|
<cpe>cpe:/a:apache:struts:2.0.0</cpe>
|
|
</suppress>
|
|
</suppressions>
|
|
</pre></div></div>
|
|
<p>The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash.</p>
|
|
<p>The following shows some other ways to suppress individual findings. Note the ways to select files using either the sha1 hash or the filePath (the filePath can also be a regex). Additionally, there are several things that can be suppressed - individual CPEs, individual CVEs, or all CVE entries below a specified CVSS score. The most common would be suppressing CPEs based off of SHA1 hashes or filePath (regexes) - these entries can be generated using the HTML version of the report. The other common scenario would be to ignore all CVEs below a certain CVSS threshold.</p>
|
|
|
|
<div class="source">
|
|
<div class="source"><pre class="prettyprint linenums"><?xml version="1.0" encoding="UTF-8"?>
|
|
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
|
|
<suppress>
|
|
<notes><![CDATA[
|
|
This suppresses cpe:/a:csv:csv:1.0 for some.jar in the "c:\path\to" directory.
|
|
]]></notes>
|
|
<filePath>c:\path\to\some.jar</filePath>
|
|
<cpe>cpe:/a:csv:csv:1.0</cpe>
|
|
</suppress>
|
|
<suppress>
|
|
<notes><![CDATA[
|
|
This suppresses any jboss:jboss cpe for any test.jar in any directory.
|
|
]]></notes>
|
|
<filePath regex="true">.*\btest\.jar</filePath>
|
|
<cpe>cpe:/a:jboss:jboss</cpe>
|
|
</suppress>
|
|
<suppress>
|
|
<notes><![CDATA[
|
|
This suppresses a specific cve for any test.jar in any directory.
|
|
]]></notes>
|
|
<filePath regex="true">.*\btest\.jar</filePath>
|
|
<cve>CVE-2013-1337</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes><![CDATA[
|
|
This suppresses a specific cve for any dependency in any directory that has the specified sha1 checksum.
|
|
]]></notes>
|
|
<sha1>384FAA82E193D4E4B0546059CA09572654BC3970</sha1>
|
|
<cve>CVE-2013-1337</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes><![CDATA[
|
|
This suppresses all CVE entries that have a score below CVSS 7.
|
|
]]></notes>
|
|
<cvssBelow>7</cvssBelow>
|
|
</suppress>
|
|
<suppress>
|
|
<notes><![CDATA[
|
|
This suppresses false positives identified on spring security.
|
|
]]></notes>
|
|
<gav regex="true">org\.springframework\.security:spring.*</gav>
|
|
<cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
|
|
<cpe>cpe:/a:springsource:spring_framework</cpe>
|
|
<cpe>cpe:/a:mod_security:mod_security</cpe>
|
|
</suppress>
|
|
</suppressions>
|
|
</pre></div></div>
|
|
<p>The full schema for suppression files can be found here: <a class="externalLink" href="https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/suppression.xsd" title="Suppression Schema">suppression.xsd</a></p>
|
|
<p>Please see the appropriate configuration option in each interfaces configuration guide:</p>
|
|
|
|
<ul>
|
|
|
|
<li><a href="../dependency-check-cli/arguments.html">Command Line Tool</a></li>
|
|
|
|
<li><a href="../dependency-check-maven/configuration.html">Maven Plugin</a></li>
|
|
|
|
<li><a href="../dependency-check-ant/configuration.html">Ant Task</a></li>
|
|
|
|
<li><a href="../dependency-check-jenkins/index.html">Jenkins Plugin</a></li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<hr/>
|
|
|
|
<footer>
|
|
<div class="container-fluid">
|
|
<div class="row-fluid">
|
|
<p >Copyright © 2012–2017
|
|
<a href="http://www.owasp.org">OWASP</a>.
|
|
All rights reserved.
|
|
</p>
|
|
</div>
|
|
|
|
|
|
</div>
|
|
</footer>
|
|
</body>
|
|
</html>
|