Suppress OWASP findings for JAR in certain dependency
Question
The dependency-check-maven plugin correctly lists the following issue:
```text
swagger-codegen-generators-1.0.19.jar: gradle-wrapper.jar: CVE-2016-6199, CVE-2019-16370, CVE-2019-11065, CVE-2019-15052
```
Anyway, I want to suppress the CVEs for gradle-wrapper.jar within swagger-codegen-generators-1.0.19.jar.
What I have tried so far:
```xml
<!-- works, but does not restrict to the swagger-codegen-generators dependency -->
<suppress>
  <filePath regex="true">.*\bgradle-wrapper\.jar</filePath>
  <cve>CVE-2016-6199</cve>
  <cve>CVE-2019-11065</cve>
  <cve>CVE-2019-15052</cve>
  <cve>CVE-2019-16370</cve>
</suppress>
<!-- does not match; due to other ignored CVEs, the gav seems to be correct -->
<suppress>
  <gav regex="true">^io\.swagger\.codegen\.v3:swagger-codegen-generators:.*$</gav>
  <cve>CVE-2016-6199</cve>
  <cve>CVE-2019-11065</cve>
  <cve>CVE-2019-15052</cve>
  <cve>CVE-2019-16370</cve>
</suppress>
<!-- generated from the report; works, but does not restrict to the swagger-codegen-generators dependency (sha1 of gradle-wrapper.jar) -->
<suppress>
  <notes><![CDATA[
  file name: swagger-codegen-generators-1.0.19.jar: gradle-wrapper.jar
  ]]></notes>
  <sha1>0f6f1fa2b59ae770ca14f975726bed8d6620ed9b</sha1>
  <cve>CVE-2016-6199</cve>
  <cve>CVE-2019-11065</cve>
  <cve>CVE-2019-15052</cve>
  <cve>CVE-2019-16370</cve>
</suppress>
```
Answer 1
Score: 1
I was able to describe it via the file path that I got from the report file target/dependency-check-report.html.
```xml
<suppress>
  <filePath regex="true">.*\bswagger-codegen-generators.*\bgradle-wrapper\.jar</filePath>
  <cve>CVE-2016-6199</cve>
  <cve>CVE-2019-11065</cve>
  <cve>CVE-2019-15052</cve>
  <cve>CVE-2019-16370</cve>
</suppress>
```
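To see why the answer's pattern scopes the suppression while the question's first attempt does not, the following added example (not part of the question or answer) replays both filePath regexes against constructed report rows. The path layout of a nested jar in the report and the full-string matching are assumptions; the placeholder CVE on the outer jar is constructed.

```python
import re

# Constructed sample rows standing in for the "File Path" and CVE columns of a
# dependency-check report. Nested jars are assumed to appear as
# "<outer>.jar/<inner>.jar"; the exact layout is an assumption.
GRADLE_WRAPPER_CVES = frozenset(
    {"CVE-2016-6199", "CVE-2019-11065", "CVE-2019-15052", "CVE-2019-16370"})

REPORT = [
    ("/repo/io/swagger/codegen/v3/swagger-codegen-generators/1.0.19/"
     "swagger-codegen-generators-1.0.19.jar/gradle-wrapper.jar",
     GRADLE_WRAPPER_CVES),
    # A different dependency that also bundles gradle-wrapper.jar (constructed).
    ("/repo/org/example/other-tool/2.0/other-tool-2.0.jar/gradle-wrapper.jar",
     GRADLE_WRAPPER_CVES),
    # The outer jar itself with an unrelated placeholder finding (constructed).
    ("/repo/io/swagger/codegen/v3/swagger-codegen-generators/1.0.19/"
     "swagger-codegen-generators-1.0.19.jar",
     frozenset({"CVE-PLACEHOLDER"})),
]

# The question's first attempt: matches gradle-wrapper.jar wherever it is nested.
BROAD = r".*\bgradle-wrapper\.jar"
# The answer's pattern: the outer jar name must appear earlier in the same path.
SCOPED = r".*\bswagger-codegen-generators.*\bgradle-wrapper\.jar"


def apply_suppression(file_path_regex, cves, report):
    """Return the (path, cves) rows that still carry findings after one
    <suppress> rule with a filePath regex and a CVE list is applied.
    Full-string matching is assumed, which is why the page's patterns start with .*"""
    pattern = re.compile(file_path_regex)
    remaining = []
    for path, found in report:
        if pattern.fullmatch(path):
            found = found - cves
        if found:
            remaining.append((path, frozenset(found)))
    return remaining


def suppressed_paths(file_path_regex, report):
    """Paths whose findings disappear entirely under the given filePath regex."""
    before = {path for path, _ in report}
    after = {path for path, _ in apply_suppression(
        file_path_regex, GRADLE_WRAPPER_CVES, report)}
    return sorted(before - after)
```

With BROAD both gradle-wrapper.jar rows are silenced; with SCOPED only the one inside swagger-codegen-generators is, and the outer jar's own finding survives in both cases.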