Is OWASP Dependency-Check still worth running in CI?
java - OWASP Dependency check, how to use suppressions - Stack Overflow
How often do you review your dependencies?
OWASP dependency checker
Videos
Been using Dependency-Check for years. Starting to feel like it’s mostly noise now. CPE matching is still messy, false positives are common, and the suppression file becomes its own maintenance project.
Do you find it still useful? Or it became a legacy checkbox scanner?
Below answer is based on gradle OWASP plugin version 7.4.4.
Below in my build.gradle
id "org.owasp.dependencycheck" version "7.4.4"
And below is the task configuration
dependencyCheck {
formats = ['xml','json']
failBuildOnCVSS = 8
failOnError = true
suppressionFile = 'config/dependency-check/suppressions.xml'
check.dependsOn(dependencyCheckAnalyze)
}
And as you see we have provided a path to suppressionFile where we can define the suppression for vulnerabilities.
So, in my case our sonar build was failing due to
Filename: spring-security-oauth2-client-5.6.3.jar | Reference: CVE-2022-22978 | CVSS Score: 9.8
Filename: snakeyaml-1.33.jar | Reference: CVE-2022-1471 | CVSS Score: 9.8
So, I have added them in Suppression.xml and my file looks like below
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress until="2023-06-01Z">
<notes><![CDATA[
This suppresses a CVE from SnakeYaml as it needs to wait until SpringBoot 3 upgrade
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
<vulnerabilityName>CVE-2022-1471</vulnerabilityName>
</suppress>
<suppress until="2023-06-01Z">
<notes><![CDATA[
This suppresses a CVE from OAuth Client as it needs to wait until SpringBoot 3 upgrade
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-oauth2\-client@.*$</packageUrl>
<vulnerabilityName>CVE-2022-22978</vulnerabilityName>
</suppress>
</suppressions>
I recommend to use until="2023-06-01Z" so you don't suppress them forever.
Vulnerabilities can be suppressed in number of different combinations. So, please refer https://jeremylong.github.io/DependencyCheck/general/suppression.html and decide which option suits your requirement.
#1 Click on the 'artifacts' tab on the OWASP dependency check task in CI and the html report is there.
#2 'File' in this context means the file inside the jar that is warranting the dependency issue. It will be given to you in the html report.