
[Feature Request] suppression based on confidence level #670

Open
piyushml20 opened this issue Feb 22, 2017 · 5 comments

Comments

@piyushml20

Hello,

Currently, we can suppress findings based on CVSS score, CPE and others, but not based on confidence level, which in turn is based on evidence collection. This would be a good-to-have feature.

@jeremylong
Owner

The problem with implementing this is that it would create false negatives. I understand that at times the scan results can be a little noisy; however, in my experience taking a few minutes to create a suppression file is a much better route.

I'll put this on the enhancement list; but when this gets built we need to write a bug warning message in the output (and possibly report) indicating that a configuration was set that can generate false negatives.

@piyushml20
Author

piyushml20 commented Nov 24, 2017

Version 3.0.2 has introduced new columns in the CSV file format (source, GAV, CPE confidence, evidence count), but those are not populated.

Additionally, the Severity column value is ending up in the Source column and the CVSS2 column is ending up in the Severity column.

@piyushml20
Author

Sorry, this was an issue on my end. The report is getting generated properly.

@HowardMilano

If a project has a limited number of dependencies, creating a suppression file can indeed take mere minutes. However, if you have a larger project, the result file can be huge (64M in our case) and it takes hours or days to create a suppression file. All the low and medium confidence issues I looked at are false positives, the high confidence issues are marginally related but basically also false positives, while the highest confidence issues are worth pursuing. Filtering on confidence is a huge gain for larger projects.
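A post-processing filter of the kind described above, as an added example that is not part of this thread or of dependency-check itself: it reads the CSV report, keeps only findings at or above a chosen confidence, keeps anything with a blank confidence so nothing is hidden silently, and reports how many rows the filter removed. The column names and the sample rows are assumptions, not taken from a real report.

```python
import csv
import io

# Confidence levels used in dependency-check reports, lowest to highest.
CONFIDENCE_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "HIGHEST": 3}

# Constructed sample of the CSV report. Column names are assumed rather than
# copied from a real report, and the CVE ids are placeholders.
SAMPLE_CSV = """DependencyName,CVE,CVSSv2_Score,CPE Confidence,Evidence Count
lib-a-1.0.jar,CVE-EXAMPLE-0001,7.5,HIGHEST,14
lib-b-2.3.jar,CVE-EXAMPLE-0002,5.0,LOW,2
lib-c-0.9.jar,CVE-EXAMPLE-0003,9.3,MEDIUM,3
lib-d-4.1.jar,CVE-EXAMPLE-0004,4.3,HIGH,7
lib-e-1.2.jar,CVE-EXAMPLE-0005,6.8,,0
"""

def filter_by_confidence(csv_text, minimum, column="CPE Confidence"):
    """Keep findings whose confidence is at least `minimum` (a CONFIDENCE_ORDER key).

    Blank or unrecognised confidence values are kept, not dropped, so a report
    quirk never hides a finding; the dropped count is returned so the caller can
    print the false-negative warning the maintainer asks for in the thread."""
    threshold = CONFIDENCE_ORDER[minimum.upper()]
    kept, dropped, unknown = [], 0, 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        level = CONFIDENCE_ORDER.get((row.get(column) or "").strip().upper())
        if level is None:
            unknown += 1
            kept.append(row)
        elif level < threshold:
            dropped += 1
        else:
            kept.append(row)
    # Triage order: highest confidence first, then highest CVSS; unknown last.
    kept.sort(key=lambda r: (-CONFIDENCE_ORDER.get((r.get(column) or "").upper(), -1),
                             -float(r.get("CVSSv2_Score") or 0)))
    return {"kept": kept, "dropped": dropped, "unknown": unknown}

def main():
    result = filter_by_confidence(SAMPLE_CSV, "HIGH")
    for row in result["kept"]:
        print(row["DependencyName"], row["CVE"], row["CPE Confidence"] or "UNKNOWN")
    if result["dropped"]:
        print(f"WARNING: {result['dropped']} finding(s) hidden by the confidence "
              "filter; this configuration can produce false negatives.")

if __name__ == "__main__":
    main()
```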

@wilx
Contributor

wilx commented Sep 22, 2020

With issues like #2794, using a filter on confidence level could be a nice workaround.
