Comments (9)
When adding a component, the dropdown is also a text input field, so you can start typing. Once one component is added, the vendor, component name, and version fields will be populated. As you add more components, there will be more choices in the dropdown.
Ah, okay. Thanks!
So are the false positives that are displayed for, say, OpenSSL 1.0.2g caused by dependency-check?
Is there any way to filter them out?
Yes, this is caused by dependency-check and can be filtered out using a suppression file. Refer to https://jeremylong.github.io/DependencyCheck/general/suppression.html
Suppressions are global in Dependency-Track, meaning that it's currently not possible to suppress a finding for one application and not another one. The benefit is that you can suppress a finding and all applications with that dependency will now inherit that suppression.
It's been a while since I've worked on the 1.x codebase (the master branch is all 2.x and quite different), but I believe the suppression file goes into the ~/.dependency-track directory.
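To make the suppression approach above concrete, here is an added example suppression file in the dependency-check format the linked page documents. It is not taken from this thread or from the Dependency-Track or dependency-check projects; the schema version in the xmlns, the sha1 hash, the Maven coordinates and the CVE id are all placeholders or assumptions to replace with the values from your own dependency-check report. It shows the two cases that come up with a finding like the OpenSSL 1.0.2g one discussed here: the CPE identification itself is wrong (suppress the CPE, scoped to one file), or the identification is right but a single CVE does not apply (suppress only that CVE, scoped to one artifact).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. The schema version below is an assumption;
     use the one the dependency-check suppression docs currently publish. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <!-- Case 1: the CPE match is a false positive (the file is not really OpenSSL).
       Suppressing the CPE drops every CVE that was attached through it, so scope it
       to one file by sha1 instead of leaving it global. The hash is a constructed
       placeholder: copy the real one from the dependency-check report. -->
  <suppress>
    <notes><![CDATA[
      Constructed example: artifact was mis-identified as openssl:openssl.
      Record who reviewed it and when, and re-check after the next upgrade.
    ]]></notes>
    <sha1>0123456789abcdef0123456789abcdef01234567</sha1>
    <cpe>cpe:/a:openssl:openssl</cpe>
  </suppress>

  <!-- Case 2: the identification is correct but one CVE does not apply.
       Keep the scope narrow: one artifact (by Maven coordinates, regex allowed)
       and one CVE id. Coordinates and CVE id are placeholders. -->
  <suppress>
    <notes><![CDATA[
      Constructed example: affected code path is not reachable in this deployment.
    ]]></notes>
    <gav regex="true">^org\.example:example-lib:.*$</gav>
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>

</suppressions>
```

Two practical points follow from the thread itself: in Dependency-Track 1.x the file is global, so a suppression scoped by sha1 or gav still applies to every application that carries that same artifact, and because the suppression lives outside the database, keep the notes element filled in so the reason for each entry survives a re-scan. Place the file at the path given in this thread for your platform, then confirm in dependency-check-report.html that the entry was actually applied.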
Just to follow up for the purposes of anyone else reading this thread - on Windows the file to create is C:\Users\username\dependency-track\data\suppressions.xml.
I can see in the Tomcat output (and in dependency-check-report.html) that the suppressions are being correctly applied and the total as shown by the graph on the Dashboard is correctly excluding the suppressions, but the numbers shown next to the Applications and the CVEs listed on the Vulnerabilities page do not exclude the suppressions.
Is there an easy way to fix this or do I need to edit the database by hand?
(Should I just be using the master branch and building it myself?!)
v2.0.0 (in the master branch) is currently in heavy development. I'll make sure this gets fixed in this version.
FWIW, if I remove the component, restart Tomcat and add it again I get the correct number in the Applications pane, but sadly the Vulnerabilities page is still not filtered.
(I also couldn't open the database using java -cp ../repo/com/h2database/h2/1.3.176/h2-1.3.176.jar org.h2.tools.Server -tcp -web as I get a "Unique index or primary key violation" error.)
FYI, I have branched the project to make the source tree more clear.
- The only stable version (which can also be downloaded in a ready-to-deploy war) is 1.0.x.
- The master and 1.0-stable branches are in sync and should provide an easy way to compile your own war resulting in a working application.
- The 2.0-dev-springboot branch is unstable and has many issues. I do not intend to ever release this version. Just too many issues overall. This work was previously performed in the master branch but has since been reverted and separated to its own branch.
- All new development is being done in the 3.0-dev branch and is a complete rewrite of Dependency-Track from the ground up using modern technologies and an API-first design. It also doesn't rely on Spring.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.