
stevespringett avatar stevespringett commented on May 23, 2024

When adding a component, the dropdown is also a text input field, so you can start typing. Once one component is added, the vendor, component name, and version fields will be populated. As you add more components, there will be more choices in the dropdown.

from dependency-track.

richardabarker avatar richardabarker commented on May 23, 2024

Ah, okay. Thanks!
So are the false positives that are displayed for, say, OpenSSL 1.0.2g caused by dependency-check?
Is there any way to filter them out?


stevespringett avatar stevespringett commented on May 23, 2024

Yes, this is caused by dependency-check and can be filtered out using a suppression file. Refer to https://jeremylong.github.io/DependencyCheck/general/suppression.html

Suppressions are global in Dependency-Track, meaning that it's currently not possible to suppress a finding for one application and not another one. The benefit is that you can suppress a finding and all applications with that dependency will now inherit that suppression.

It's been a while since I've worked on the 1.x codebase (the master branch is all 2.x and quite different), but I believe the suppression file goes into the ~/.dependency-track directory.

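The comment above describes two things a practitioner has to get right: the shape of a dependency-check suppression file, and the fact that a suppression applies globally to every application carrying the dependency. The following is an added example, not code from this thread or from the Dependency-Track or dependency-check projects: it embeds a constructed suppression file, parses it, and applies it to a constructed set of findings so that per-application counts and the overall total are computed from the same filtered set. The CVE identifiers, SHA-1 values and application names are placeholders; the XML namespace is taken from the current dependency-check documentation and may differ from the schema used in the 1.x era; and the matcher models only the `cpe` (prefix), `sha1` and `cve` selectors, not the full set dependency-check supports.

```python
# Added example (not dependency-track or dependency-check project code):
# a minimal model of applying a dependency-check suppression file globally.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed suppression file. Format documented at
# https://jeremylong.github.io/DependencyCheck/general/suppression.html
# CVE numbers and hashes below are placeholders, not real findings.
SUPPRESSIONS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[Constructed example: CPE matched openssl:openssl but the
    CVE does not apply to this version line. Review before renewing.]]></notes>
    <cpe>cpe:/a:openssl:openssl</cpe>
    <cve>CVE-0000-0001</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[Constructed example: pinned by file hash so the rule
    cannot silently match a different artifact.]]></notes>
    <sha1>0000000000000000000000000000000000000000</sha1>
    <cve>CVE-0000-0002</cve>
  </suppress>
</suppressions>
"""

NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}


@dataclass(frozen=True)
class Finding:
    application: str  # hypothetical application name
    cpe: str          # CPE dependency-check assigned to the component
    sha1: str         # hash of the scanned artifact
    cve: str          # reported vulnerability id


@dataclass(frozen=True)
class Rule:
    cpe: Optional[str]
    sha1: Optional[str]
    cves: frozenset

    def matches(self, f: Finding) -> bool:
        # Every selector present in the rule must match; absent ones are wildcards.
        # dependency-check treats <cpe> as a prefix, so cpe:/a:openssl:openssl
        # covers cpe:/a:openssl:openssl:1.0.2g as well.
        if self.cpe is not None and not f.cpe.startswith(self.cpe):
            return False
        if self.sha1 is not None and f.sha1.lower() != self.sha1.lower():
            return False
        if self.cves and f.cve not in self.cves:
            return False
        return True


def load_rules(xml_text: str) -> List[Rule]:
    """Parse <suppress> elements into Rule objects."""
    root = ET.fromstring(xml_text)
    rules = []
    for sup in root.findall("s:suppress", NS):
        cpe = sup.findtext("s:cpe", default=None, namespaces=NS)
        sha1 = sup.findtext("s:sha1", default=None, namespaces=NS)
        cves = frozenset((c.text or "").strip() for c in sup.findall("s:cve", NS))
        rules.append(Rule(cpe, sha1, cves))
    return rules


def is_suppressed(f: Finding, rules: List[Rule]) -> bool:
    return any(r.matches(f) for r in rules)


def counts_per_application(findings: List[Finding], rules: List[Rule]) -> Tuple[Dict[str, int], int]:
    """Count unsuppressed findings per application and overall.

    Because the same filter is applied once and both numbers derive from it,
    the per-application counts always sum to the total; the thread above
    reports a 1.x build where the two views disagreed.
    """
    per_app: Dict[str, int] = {}
    for f in findings:
        per_app.setdefault(f.application, 0)
        if not is_suppressed(f, rules):
            per_app[f.application] += 1
    return per_app, sum(per_app.values())


# Constructed findings: the OpenSSL suppression removes the same finding from
# both applications (global behaviour), the hash-pinned rule only removes the
# finding whose artifact hash matches.
SAMPLE_FINDINGS = [
    Finding("billing", "cpe:/a:openssl:openssl:1.0.2g", "aaaa", "CVE-0000-0001"),
    Finding("portal", "cpe:/a:openssl:openssl:1.0.2g", "aaaa", "CVE-0000-0001"),
    Finding("portal", "cpe:/a:openssl:openssl:1.0.2g", "aaaa", "CVE-0000-0003"),
    Finding("billing", "cpe:/a:example:lib:1.0", "0" * 40, "CVE-0000-0002"),
    Finding("billing", "cpe:/a:example:lib:1.0", "f" * 40, "CVE-0000-0002"),
]

if __name__ == "__main__":
    per_app, total = counts_per_application(SAMPLE_FINDINGS, load_rules(SUPPRESSIONS_XML))
    print(per_app, total)
```

The hash-pinned rule is the safer habit for real suppressions: a bare `<cpe>` plus `<cve>` pair keeps matching after an upgrade to a version that is genuinely affected, whereas a `<sha1>` rule stops matching as soon as the artifact changes and forces a fresh review.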

richardabarker avatar richardabarker commented on May 23, 2024

Just to follow up for the purposes of anyone else reading this thread - on Windows the file to create is C:\Users\username\dependency-track\data\suppressions.xml.

I can see in the Tomcat output (and in dependency-check-report.html) that the suppressions are being correctly applied and the total as shown by the graph on the Dashboard is correctly excluding the suppressions, but the numbers shown next to the Applications and the CVEs listed on the Vulnerabilities page do not exclude the suppressions.

Is there an easy way to fix this or do I need to edit the database by hand?

(Should I just be using the master branch and building it myself?!)


stevespringett avatar stevespringett commented on May 23, 2024

v2.0.0 (in the master branch) is currently in heavy development. I'll make sure this gets fixed in this version.


richardabarker avatar richardabarker commented on May 23, 2024

FWIW if I remove the component, restart Tomcat and add it again I get the correct number in the Applications pane, but sadly the Vulnerabilities page is still not filtered.


richardabarker avatar richardabarker commented on May 23, 2024

(I also couldn't open the database using java -cp ../repo/com/h2database/h2/1.3.176/h2-1.3.176.jar org.h2.tools.Server -tcp -web as I get a "Unique index or primary key violation" error.)


stevespringett avatar stevespringett commented on May 23, 2024

FYI, I have branched the project to make the source tree more clear.

  • The only stable version (which can also be downloaded in a ready-to-deploy war) is 1.0.x.
  • The master and 1.0-stable branches are in sync and should provide an easy way to compile your own war resulting in a working application.
  • The 2.0-dev-springboot branch is unstable and has many issues. I do not intend to ever release this version. Just too many issues overall. This work was previously performed in the master branch but has since been reverted and separated to its own branch.
  • All new development is being done in the 3.0-dev branch and is a complete rewrite of Dependency-Track from the ground up using modern technologies and an API-first design. It also doesn't rely on Spring.


lock avatar lock commented on May 23, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
