Changes from 5 commits
19 changes: 19 additions & 0 deletions core/pom.xml
Expand Up @@ -100,6 +100,25 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</testResource>
</testResources>
<plugins>
<plugin>
<groupId>com.googlecode.maven-download-plugin</groupId>
Collaborator:
issue: this seems to generate the following warning when performing a mvn -s settings.xml clean install:

[WARNING] 
[WARNING] Some problems were encountered while building the effective model for org.owasp:dependency-check-core:jar:12.1.10-SNAPSHOT
[WARNING] 'build.plugins.plugin.version' for com.googlecode.maven-download-plugin:download-maven-plugin is missing. @ line 103, column 21
[WARNING] 
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING] 
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING] 

Collaborator:
Suggested change
<groupId>com.googlecode.maven-download-plugin</groupId>
<groupId>io.github.download-maven-plugin</groupId>

Collaborator:
Oops, missed this in my proposed edit earlier - thx!

<artifactId>download-maven-plugin</artifactId>
<version>1.13.0</version>
<executions>
<execution>
<id>download-published-suppressions</id>
<phase>generate-resources</phase>
<goals>
<goal>wget</goal>
</goals>
<configuration>
<url>https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml</url>
<outputDirectory>${project.build.directory}/classes</outputDirectory>
<outputFileName>generated-suppressions.xml</outputFileName>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.jsonschema2pojo</groupId>
<artifactId>jsonschema2pojo-maven-plugin</artifactId>
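Review bot: the `<version>1.13.0</version>` on this plugin in core/pom.xml duplicates the version added to `<pluginManagement>` in the root pom.xml in this same change set; keep it in one place so the two cannot drift, and note that pluginManagement only matches on an identical groupId and artifactId, so the suggested switch from `com.googlecode.maven-download-plugin` to `io.github.download-maven-plugin` has to be applied in both files or the missing-version warning quoted in the thread returns. Separately, the `wget` execution fetches https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml at generate-resources time and writes it straight into `${project.build.directory}/classes` as generated-suppressions.xml, which makes the contents of the built core jar depend on network access and on when the build ran, and means the file can silently be served from the plugin's download cache on later builds. It would be worth stating that in a comment next to the execution and deciding explicitly what an offline or air-gapped build should do (fail, skip the execution, or fall back to a checked-in copy), since the analyzer change in this PR makes the file mandatory at runtime.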
Expand Up @@ -68,6 +68,10 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
* The file name of the base suppression XML file.
*/
private static final String BASE_SUPPRESSION_FILE = "dependencycheck-base-suppression.xml";
/**
* The file name of the generated suppression XML file.
*/
private static final String GENERATED_SUPPRESSION_FILE = "generated-suppressions.xml";
Collaborator:
If we keep this approach, perhaps we could try and align on language to make it a bit less confusing.

Right now it is referred to as

  • "hosted" suppressions (main runtime terminology at runtime in ODC; but implies a remote source)
  • "generated" suppressions (really refers to the automation workflows and the special branch they are tracked on)
  • "published" suppressions (the file name when promoted to GitHub pages from source control, and bootstrapped here)

I wonder if referring to it as dependencycheck-published-suppression-snapshot.xml would be better, or dependencycheck-hosted-suppression-snapshot.xml.

/**
* The key used to store and retrieve the suppression files.
*/
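Review bot: the new constant `GENERATED_SUPPRESSION_FILE` and its Javadoc ("The file name of the generated suppression XML file") keep the word "generated" for what is really a build-time snapshot of the published suppressions, adding to the hosted/generated/published vocabulary the thread already flags as confusing. Naming the constant after what it holds (a packaged snapshot of the published suppressions) and saying in the Javadoc that the file is downloaded from the published suppressions URL during the core build would keep the constant, the `<outputFileName>` in core/pom.xml and the documentation aligned; any rename must change the pom's `<outputFileName>` in the same commit, otherwise the analyzer looks for a file that is not in the jar.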
Expand Down Expand Up @@ -195,17 +199,28 @@ private void loadSuppressionBaseData(final Engine engine) throws SuppressionPars
* @throws SuppressionParseException thrown if the XML cannot be parsed.
*/
private void loadPackagedSuppressionBaseData(final SuppressionParser parser, final Engine engine) throws SuppressionParseException {
loadPackagedSuppressionBaseData(BASE_SUPPRESSION_FILE, parser, engine);
loadPackagedSuppressionBaseData(GENERATED_SUPPRESSION_FILE, parser, engine);
}
/**
* Loads the base suppression rules packaged with the application.
*
* @param parser The suppression parser to use
* @param engine a reference the dependency-check engine
* @throws SuppressionParseException thrown if the XML cannot be parsed.
*/
private void loadPackagedSuppressionBaseData(final String packagedFileName, final SuppressionParser parser, final Engine engine) throws SuppressionParseException {
List<SuppressionRule> ruleList = null;
final URL jarLocation = AbstractSuppressionAnalyzer.class.getProtectionDomain().getCodeSource().getLocation();
String suppressionFileLocation = jarLocation.getFile();
if (suppressionFileLocation.endsWith(".jar")) {
suppressionFileLocation = "jar:file:" + suppressionFileLocation + "!/" + BASE_SUPPRESSION_FILE;
suppressionFileLocation = "jar:file:" + suppressionFileLocation + "!/" + packagedFileName;
} else if (suppressionFileLocation.startsWith("nested:") && suppressionFileLocation.endsWith(".jar!/")) {
// suppressionFileLocation -> nested:/app/app.jar/!BOOT-INF/lib/dependency-check-core-<version>.jar!/
// goal-> jar:nested:/app/app.jar/!BOOT-INF/lib/dependency-check-core-<version>.jar!/dependencycheck-base-suppression.xml
suppressionFileLocation = "jar:" + suppressionFileLocation + BASE_SUPPRESSION_FILE;
suppressionFileLocation = "jar:" + suppressionFileLocation + packagedFileName;
} else {
suppressionFileLocation = "file:" + suppressionFileLocation + BASE_SUPPRESSION_FILE;
suppressionFileLocation = "file:" + suppressionFileLocation + packagedFileName;
}
URL baseSuppresssionURL = null;
try {
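Review bot: the Javadoc on the new three-argument `loadPackagedSuppressionBaseData` overload documents `parser` and `engine` but omits `@param packagedFileName`, and its summary line still reads "Loads the base suppression rules packaged with the application" even though it now also loads the downloaded snapshot; the `goal->` comment in the `nested:` branch likewise still hard-codes `dependencycheck-base-suppression.xml` and should reference the parameter instead. Functionally, the two-argument overload now calls the helper twice, so the snapshot becomes a required resource: a jar built without the download (offline build, plugin skipped) has no generated-suppressions.xml, and whether that surfaces as a clear "file not found" message naming the file or as a failure of the whole analyzer depends on the handling below the visible `try {`; please confirm the missing-file path, and also whether rules that appear both in the base file and in the snapshot end up in the rule list twice.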
5 changes: 5 additions & 0 deletions pom.xml
Expand Up @@ -187,6 +187,11 @@ Copyright (c) 2012 - Jeremy Long
<defaultGoal>clean install</defaultGoal>
<pluginManagement>
<plugins>
<plugin>
<groupId>com.googlecode.maven-download-plugin</groupId>
<artifactId>download-maven-plugin</artifactId>
<version>1.13.0</version>
</plugin>
<plugin>
<groupId>org.jsonschema2pojo</groupId>
<artifactId>jsonschema2pojo-maven-plugin</artifactId>
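Review bot: this `<pluginManagement>` entry only takes effect for a plugin declared with exactly the same `groupId` and `artifactId`, so if core/pom.xml adopts the `io.github.download-maven-plugin` groupId suggested in the review, this entry must change with it or Maven will again report that `build.plugins.plugin.version` is missing. Once the version is managed here, the explicit `<version>1.13.0</version>` on the plugin in core/pom.xml is redundant and should be removed so there is a single place to bump it.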