Comments (5)

stevespringett avatar stevespringett commented on May 24, 2024

Can you clarify?

If a finding is suppressed, does it still show as being vulnerable in the report? If so, this is a defect that needs correcting.

If you're referring to the absence of the suppressed vulnerability nodes in the dynamically generated report, this is a known issue. The data model currently doesn't support it, nor did I envision this being a requirement. Is this a feature you envision using? If so, I'll flag it as an enhancement.

from dependency-track.

CalldiDoctor avatar CalldiDoctor commented on May 24, 2024

I think I'm referring to the defect.
The thing is that I add the suppression item in the suppressions.xml file, and in the next daily report it still appears as a vulnerability in the dynamic report created by the application.
However, in the report created by the dependency-check, and stored in the app dir, the vulnerability does not appear, and the vulnerabilities suppressed counter is increased by one (This does not happen in the report created by the application).

stevespringett avatar stevespringett commented on May 24, 2024

I see where the issues are. I need to fix this so that the historic data of the vulnerability remains but the current vulnerabilities (as of now) account for suppressions. This should reflect in the dashboard graph as well (a decrease in vulnerabilities when suppressions are used).

stevespringett avatar stevespringett commented on May 24, 2024

FYI, I have branched the project to make the source tree more clear.

  • The only stable version (which can also be downloaded in a ready-to-deploy war) is 1.0.x.
  • The master and 1.0-stable branches are in sync and should provide an easy way to compile your own war resulting in a working application.
  • The 2.0-dev-springboot branch is unstable and has many issues. I do not intend to ever release this version. Just too many issues overall. This work was previously performed in the master branch but has since been reverted and separated to its own branch.
  • All new development is being done in the 3.0-dev branch and is a complete rewrite of Dependency-Track from the ground up using modern technologies and an API-first design. It also doesn't rely on Spring.

lock avatar lock commented on May 24, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
