Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add 'suppress until' config to temporarily suppress a vulnerability #1145

Closed
siladu opened this issue Mar 22, 2018 · 4 comments
Closed

Add 'suppress until' config to temporarily suppress a vulnerability #1145

siladu opened this issue Mar 22, 2018 · 4 comments

Comments

@siladu
Copy link

siladu commented Mar 22, 2018

In a situation where we know a dependency vulnerability fix is incoming, it would be nice to not have to remember to un-suppress it.

For example, CVE-2018-7489 is fixed: FasterXML/jackson-databind#1931
but awaiting release: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.5

Example

Proposed new config added to reenable warnings after specified date: <until>2018-04-01</until>

    <suppress>
        <notes><![CDATA[
   file name: jackson-databind-2.9.4.jar
   ]]></notes>
        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
        <cve>CVE-2018-7489</cve>
        <until>2018-04-01</until>
    </suppress>

Similar to https://github.com/unruly/junit-rules/blob/master/README.md#ignore-tests-until-a-certain-date-or-datetime

@jeremylong
Copy link
Owner

Interesting idea - thanks for the suggestion. It may take us a while to get to this - but PRs are always welcome.

@aikebah
Copy link
Collaborator

aikebah commented Mar 25, 2018

@jeremylong I'm willing to give this a try.... I'll try to come up with a PR for this

aikebah added a commit to aikebah/DependencyCheck that referenced this issue Mar 25, 2018
aikebah added a commit to aikebah/DependencyCheck that referenced this issue Apr 8, 2018
aikebah added a commit to aikebah/DependencyCheck that referenced this issue Apr 8, 2018
jeremylong added a commit that referenced this issue Apr 8, 2018
@jeremylong
Copy link
Owner

Note - we still need to update the documentation on this feature. Regardless - Thanks for the PR!

@lock
Copy link

lock bot commented Sep 27, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Sep 27, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

3 participants