feat: support multiple cvssBelow thresholds per version (#2563) #8024
Conversation
If there are any additional changes requested or feedback on this, I'd be happy to update the changes to reflect those.

I'll need to re-review before I merge - but this will likely be included in the next minor release. I think there might be one more point release before I merge the three feature PRs.

@mwardell-agfa I apologize for how long this has taken us to get to. We have two PRs trying to create the 1.4 schema. I just merged the other. Any chance you'd be willing to update this PR?
jeremylong left a comment: Merge conflicts need to be resolved.

Sorry for the delayed response, I'll take care of the conflicts
Force-pushed eeb4019 to d560a5a
jeremylong left a comment: 1.4 was never part of a release - I was hoping to get both of the suppression schema updates into 1.4.
Four review comment threads on core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java (outdated, resolved)
Force-pushed d560a5a to fef33cb
My changes should be merged into the 1.4 schema now

jeremylong left a comment: lgtm
The failure is some weird cross-arch docker issue with ruby and QEMU unrelated to the PR. A rerun will probably fix it. Possibly some teething issue with the new Docker 29 and buildx/buildkit versions. Hopefully they fix it upstream soon enough. Also the Ruby version on Alpine is outdated/unpatched (
Description of Change
Implements the proposed changes in #2563. Adds 3 cvssVnBelow thresholds in the suppression configuration, one for each version (n=2, 3 and 4). The suppression logic is updated so that a vulnerability will only be suppressed if all the version scores are below their cvssVnBelow values. For existing suppressions using cvssBelow nothing changes; only when cvssVnBelow elements are included in the suppression will the new functionality be applied.
For example, in the existing implementation, if a vulnerability has scores of say 5 (V2) and 9 (V3) and cvssBelow is set to 7, the vulnerability is suppressed due to the V2 score of 5. This new functionality will allow a suppression to be configured with cvssV2Below=7, cvssV3Below=7, and then the same vulnerability will not get suppressed since all the cvssBelow checks do not agree to suppress.
Related issues
Fixes #2563
Have test cases been added to cover the new functionality?
yes
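The suppression rule described in the PR, worked through as an added example (this is not dependency-check's own code, and the `<suppress>` structure and the `cvssV4Below` element name are assumptions based on the description; only `cvssBelow`, `cvssV2Below` and `cvssV3Below` appear on the page). It parses a constructed suppression file, applies the legacy "any score below cvssBelow" rule beside the new "every per-version score must be below its cvssVnBelow" rule, and checks the V2=5 / V3=9 scenario from the description. How a version with a threshold but no score should be treated is not stated in the PR, so the example skips it and refuses to suppress when nothing could be checked; that choice is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample suppression file. Element names follow the PR description
# (cvssBelow plus cvssV2Below/cvssV3Below/cvssV4Below); the surrounding
# structure is an assumption for this example, not the project's schema.
SUPPRESSIONS_XML = """<suppressions>
  <suppress id="legacy-any-version">
    <cvssBelow>7</cvssBelow>
  </suppress>
  <suppress id="per-version-all-must-agree">
    <cvssV2Below>7</cvssV2Below>
    <cvssV3Below>7</cvssV3Below>
  </suppress>
</suppressions>"""

# CVSS version -> per-version threshold element (cvssV4Below is assumed).
PER_VERSION = {"v2": "cvssV2Below", "v3": "cvssV3Below", "v4": "cvssV4Below"}


def parse_suppressions(xml_text):
    """Return a list of rules of the form {"id": ..., "<element>": float, ...}."""
    rules = []
    for node in ET.fromstring(xml_text).findall("suppress"):
        rule = {"id": node.get("id")}
        for tag in ("cvssBelow", *PER_VERSION.values()):
            el = node.find(tag)
            if el is not None and el.text:
                rule[tag] = float(el.text)
        rules.append(rule)
    return rules


def is_suppressed(rule, scores):
    """Decide whether one rule suppresses a vulnerability.

    scores maps "v2"/"v3"/"v4" to a CVSS base score (absent versions omitted).
    Per-version thresholds take precedence when any is present: every version
    with both a threshold and a score must be below its threshold. Assumption:
    a version with a threshold but no score is skipped, and if nothing could be
    checked the vulnerability is NOT suppressed. Otherwise the legacy cvssBelow
    rule applies: any single score below the threshold suppresses.
    """
    checks = [
        (scores[v], rule[tag])
        for v, tag in PER_VERSION.items()
        if tag in rule and scores.get(v) is not None
    ]
    if any(tag in rule for tag in PER_VERSION.values()):
        return bool(checks) and all(score < limit for score, limit in checks)
    if "cvssBelow" in rule:
        return any(s < rule["cvssBelow"] for s in scores.values() if s is not None)
    return False


def evaluate(xml_text, scores):
    """Map each rule id to whether it suppresses a vulnerability with these scores."""
    return {r["id"]: is_suppressed(r, xml_scores) for r in parse_suppressions(xml_text)
            for xml_scores in (scores,)}


if __name__ == "__main__":
    # The scenario from the PR description: V2 = 5, V3 = 9, thresholds of 7.
    # Legacy rule suppresses (5 < 7); per-version rule does not (9 is not < 7).
    print(evaluate(SUPPRESSIONS_XML, {"v2": 5.0, "v3": 9.0}))
```

The practical takeaway for anyone maintaining a suppression file: a single `cvssBelow` is satisfied by the lowest available score, which is usually the older V2 value, so a finding with a high V3 or V4 score can still be silenced; per-version thresholds close that gap by requiring every scored version to agree.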