在某些依赖项中抑制 JAR 的 OWASP 发现
Suppress OWASP findings for JAR in certain dependency
dependency-check-maven 插件正确列出了以下问题:
swagger-codegen-generators-1.0.19.jar: gradle-wrapper.jar: CVE-2016-6199, CVE-2019-16370, CVE-2019-11065, CVE-2019-15052
无论如何,我想在 gradle-wrapper.jar swagger-codegen-generators-1.0.19.jar.
内抑制 CVE
到目前为止我尝试过的:
<!-- works, but does not restrict to swagger-codegen-generators dependency -->
<suppress>
<filePath regex="true">.*\bgradle-wrapper\.jar</filePath>
<cve>CVE-2016-6199</cve>
<cve>CVE-2019-11065</cve>
<cve>CVE-2019-15052</cve>
<cve>CVE-2019-16370</cve>
</suppress>
<!-- does not match, due to other ignored CVEs the gav seems to be correct -->
<suppress>
<gav regex="true">^io\.swagger\.codegen\.v3:swagger-codegen-generators:.*$</gav>
<cve>CVE-2016-6199</cve>
<cve>CVE-2019-11065</cve>
<cve>CVE-2019-15052</cve>
<cve>CVE-2019-16370</cve>
</suppress>
<!-- generated from the report; works, but does not restrict to swagger-codegen-generators dependency (sha1 of gradle-wrapper.jar) -->
<suppress>
<notes><![CDATA[
file name: swagger-codegen-generators-1.0.19.jar: gradle-wrapper.jar
]]></notes>
<sha1>0f6f1fa2b59ae770ca14f975726bed8d6620ed9b</sha1>
<cve>CVE-2016-6199</cve>
<cve>CVE-2019-11065</cve>
<cve>CVE-2019-15052</cve>
<cve>CVE-2019-16370</cve>
</suppress>
我能够通过从报告文件 target/dependency-check-report.html 获得的文件路径描述它。
<suppress>
<filePath regex="true">.*\bswagger-codegen-generators.*\bgradle-wrapper\.jar</filePath>
<cve>CVE-2016-6199</cve>
<cve>CVE-2019-11065</cve>
<cve>CVE-2019-15052</cve>
<cve>CVE-2019-16370</cve>
</suppress>
dependency-check-maven 插件正确列出了以下问题:
swagger-codegen-generators-1.0.19.jar: gradle-wrapper.jar: CVE-2016-6199, CVE-2019-16370, CVE-2019-11065, CVE-2019-15052
无论如何,我想在 gradle-wrapper.jar swagger-codegen-generators-1.0.19.jar.
到目前为止我尝试过的:
<!-- works, but does not restrict to swagger-codegen-generators dependency -->
<suppress>
<filePath regex="true">.*\bgradle-wrapper\.jar</filePath>
<cve>CVE-2016-6199</cve>
<cve>CVE-2019-11065</cve>
<cve>CVE-2019-15052</cve>
<cve>CVE-2019-16370</cve>
</suppress>
<!-- does not match, due to other ignored CVEs the gav seems to be correct -->
<suppress>
<gav regex="true">^io\.swagger\.codegen\.v3:swagger-codegen-generators:.*$</gav>
<cve>CVE-2016-6199</cve>
<cve>CVE-2019-11065</cve>
<cve>CVE-2019-15052</cve>
<cve>CVE-2019-16370</cve>
</suppress>
<!-- generated from the report; works, but does not restrict to swagger-codegen-generators dependency (sha1 of gradle-wrapper.jar) -->
<suppress>
<notes><![CDATA[
file name: swagger-codegen-generators-1.0.19.jar: gradle-wrapper.jar
]]></notes>
<sha1>0f6f1fa2b59ae770ca14f975726bed8d6620ed9b</sha1>
<cve>CVE-2016-6199</cve>
<cve>CVE-2019-11065</cve>
<cve>CVE-2019-15052</cve>
<cve>CVE-2019-16370</cve>
</suppress>
我能够通过从报告文件 target/dependency-check-report.html 获得的文件路径描述它。
<suppress>
<filePath regex="true">.*\bswagger-codegen-generators.*\bgradle-wrapper\.jar</filePath>
<cve>CVE-2016-6199</cve>
<cve>CVE-2019-11065</cve>
<cve>CVE-2019-15052</cve>
<cve>CVE-2019-16370</cve>
</suppress>