Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add a flag to fail when one or more suppression rules are not used #7244

Open
wants to merge 15 commits into
base: main
Choose a base branch
from
Open

feat: Add a flag to fail when one or more suppression rules are not used #7244

wants to merge 15 commits into from

Conversation

ftiercelin
Copy link
Contributor

Fixes Issue

#7165

Description of Change

add a flag, failBuildOnUnusedSuppressionRule, which will cause the build to fail if there are unused suppression rules.

Have test cases been added to cover the new functionality?

yes, a new test class was created: org.owasp.dependencycheck.analyzer.UnusedSuppressionRuleAnalyzerTest

@boring-cyborg boring-cyborg bot added ant changes to ant core changes to core documentation site documentation maven changes to the maven plugin tests test cases utils changes to utils labels Dec 12, 2024
@ftiercelin ftiercelin changed the title Add a flag to fail when one or more suppression rules are not used feat: Add a flag to fail when one or more suppression rules are not used Dec 12, 2024
@ftiercelin
Copy link
Contributor Author

ftiercelin commented Dec 13, 2024
edited
Loading

to demonstrate the functionality:
using this pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>test</groupId>
  <artifactId>DemoProject</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <name>DemoProject</name>
  <description>DemoProject</description>

  <dependencies>
     <dependency>
        <groupId>org.json</groupId>
        <artifactId>json</artifactId>
        <version>... version ...</version>
     </dependency>
     <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-lang3</artifactId>
        <version>3.14.0</version>
     </dependency>
  </dependencies>

  <build>
        <plugins>
              <plugin>
                 <groupId>org.owasp</groupId>
                 <artifactId>dependency-check-maven</artifactId>
                 <version>11.1.2-SNAPSHOT</version>
                 <configuration>
                    <failBuildOnUnusedSuppressionRule> ... flag ...</failBuildOnUnusedSuppressionRule>
                    <skipProvidedScope>true</skipProvidedScope>
                    <skipTestScope>true</skipTestScope>
                    <failOnError>true</failOnError>
                    <suppressionFile>src/owasp.suppression.xml</suppressionFile>
                    <nvdApiKey> ... api key ...</nvdApiKey>
                    <autoUpdate>false</autoUpdate>
                 </configuration>
                 <executions>
                    <execution>
                       <goals>
                          <goal>check</goal>
                       </goals>
                    </execution>
                 </executions>
              </plugin>
        </plugins>
  </build>
</project>

and this suppression file listing a CVE for org.json version 20230618:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
   <notes><![CDATA[
   file name: json-20230618.jar
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
   <vulnerabilityName>CVE-2023-5072</vulnerabilityName>
</suppress>
</suppressions>

Setting the version of the JSON library and the value of the flag, running each time mvn dependency-check:check

flag = true flag =false no failBuildOnUnusedSuppressionRule configuration item
json version=20230618 build succeeds without any message about unused rules build succeeds without any message about unused rules build succeeds without any message about unused rules
json version=20240303 build displays a message about unused rule and fails with exception "There are 1 unused suppression rule(s): check logs." succeeds, with a message about an unused rule succeeds, with a message about an unused rule
no json dependency build displays a message about unused rule and fails with exception "There are 1 unused suppression rule(s): check logs." succeeds, with a message about an unused rule succeeds, with a message about an unused rule

without the suppressionFile configuration item but with failBuildOnCVSS set to 0 (fail for any vulnerability):

flag = true flag =false no failBuildOnUnusedSuppressionRule configuration item
json version=20230618 fails because of vuln found fails because of vuln found fails because of vuln found
json version=20240303 succeeds succeeds succeeds
no json dependency succeeds succeeds succeeds

@chadlwilson
Copy link
Contributor

Thank you for the work here! Haven't looked at the detail - but this would be great/useful! :-)

jeremylong
jeremylong requested changes Dec 16, 2024
View reviewed changes
Copy link
Owner

@jeremylong jeremylong left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please add this to the CLI as well, so that if there are unused suppression rules it will return a positive, non-zero error code?

ant/src/site/markdown/configuration.md
enableRetired | Enable the [retired analyzers](../analyzers/index.html). If not enabled the retired analyzers (see below) will not be loaded or used. | false
suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). The parameter value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;
junitFailOnCVSS | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure. | 0
failBuildOnUnusedSuppressionRule | Specifies that if any unused suppression rule is found, the build will fail. | false
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You added this to the configuration documentation, yet you did not update the actual task to be able to use this configuration. Please add failBuildOnUnusedSuppressionRule to the org.owasp.dependencycheck.taskdefs.Check task.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @jeremylong for catching this: I have updated the Check class.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jeremylong jeremylong Awaiting requested review from jeremylong

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
ant changes to ant core changes to core documentation site documentation maven changes to the maven plugin tests test cases utils changes to utils
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ftiercelin @chadlwilson @jeremylong