[FP]: use a negative rule for cpe:2.3:a:grpc:grpc:*:*:*:*:*:*:*:* suppression matching for Maven artifacts

[FyiurAmron]

Package URl

pkg:maven/(?!io.grpc/).*

CPE

cpe:2.3:a:grpc:grpc::::::::

CVE

multiple

ODC Integration

{"label"=>"Gradle Plugin"}

ODC Version

11.1.1

Description

I propose using a negative regex in a suppression rule for gRPC. We already had numerous FPs for this one, because having grpc in a package name is relatively common in the wild. OTOH, the CPEs using grpc in the co-ord are limited to io.grpc group in Maven ecosystem. The benefit of switching would be twofold:

1. no need to manually add suppressions for those cases in the future,
2. possibility of removing existing redundant suppression rules for it

Example rule:

    <suppress base="true">
        <notes><![CDATA[
        Match only actual `io.grpc` Maven packages to this CPE
        ]]></notes>
        <packageUrl regex="true">^pkg:maven\/(?!io.grpc\/).*$</packageUrl>
        <cpe>cpe:/a:grpc:grpc</cpe>
    </suppress>

We do have a precedent of having this kind of rules in the base suppression file, so I think changing this would be reasonable.

[github-actions]

Error parsing package url: pkg:maven/(?!io.grpc/).*.

Error: Error: Invalid purl: maven requires a "namespace" component

Please correct the package URL - consider copying the package url from the HTML report.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/12322881944

[github-actions]

Error parsing package url: pkg:maven/(?!io.grpc/).*.

Error: Error: Invalid purl: maven requires a "namespace" component

Please correct the package URL - consider copying the package url from the HTML report.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/12322890605

[github-actions]

Error parsing package url: pkg:maven/(?!io.grpc/).*.

Error: Error: Invalid purl: maven requires a "namespace" component

Please correct the package URL - consider copying the package url from the HTML report.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/12322911311

[FyiurAmron]

I'm more than willing to do the PR here etc. if that's of any use.

[aikebah]

@FyiurAmron Thanks for the suggestion.

Negative rule suppression has been prepared in the source for the hostedSuppressions, keeping ticket open until a workflow has run that publishes it.

[aikebah]

Suppression now also published in the hostedSuppressions