Global Suppression for Withdrawn or Rejected CVEs/Vulnerabilities #3641
Comments
I think a global suppression in the vulnerability list is useful. But it is useful regardless of the state of the vulnerability. There are cases where a global suppression makes sense, even for valid/active vulnerabilities. Not sure if there's a feature request for that already somewhere?
I did a search but nothing came up for me. Of course it could be that my search input wasn't all that good. When I was writing this up I did give a thought that it could be used to suppress any issue. I just wasn't sure how useful that would be in general, but the ability to reduce the false positives by suppressing them completely would be a nice thing.
PR +1
Sounds like this one #1495
👍, I want to support this ticket. We are monitoring a lot of Rails applications and there are two false CVEs in the NVD (CVE-2017-17916 and CVE-2017-17917), which have to be suppressed after every component update. As we have vulnerability monitoring in place, these false positives are quite annoying and lead to alert fatigue. Right now I am thinking of switching the analyzer from internal to Trivy (which does not list the CVEs). But that would increase the complexity of my setup, and it would solve only this particular issue.
Current Behavior
There are a few vulnerability items listed that are actually no longer valid, as they have been withdrawn or rejected. Yet when a project has a new version and its BOM is processed, Dependency-Track marks the new version as vulnerable again, even though we have already marked the CVE as a false positive and set it for suppression in a previous version.
Proposed Behavior
Provide the ability, in the Vulnerabilities listing, to mark a vulnerability as suppressed so that it is no longer used during BOM processing. This saves the auditor time, as fewer false positives that have already been dealt with appear in the audit list when a new version is created.
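To make the difference between the current and the proposed behaviour concrete, here is a small constructed model (added here as an illustration; it is not Dependency-Track's code and makes no claim about its internal data model). It keeps two kinds of decisions: a per-version suppression keyed on project, version, component and vulnerability id, which is what gets lost when a new version's BOM is processed, and a global suppression keyed on the vulnerability id alone, which is what the issue asks for. The project name, component purls and the `EXAMPLE-VULN-1` id are constructed; the two CVE ids are the ones mentioned in the thread.

```python
"""Toy model: per-version vs. global vulnerability suppression.

Constructed illustration of the behaviour described in the issue; this is
not Dependency-Track's implementation. Project, component and the
EXAMPLE-VULN-1 identifier are made up for the demo.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    """One (component, vulnerability) pair found while processing a BOM."""
    project: str
    version: str
    component: str  # e.g. a package URL; constructed values below
    vuln_id: str


@dataclass
class SuppressionStore:
    # Analysis decisions made on one project version. Because the key
    # includes version and component, a new version never matches.
    per_version: set = field(default_factory=set)
    # Global decisions keyed on the vulnerability id only, with the
    # auditor's reason kept for the audit trail.
    global_rules: dict = field(default_factory=dict)

    def suppress_in_version(self, f: Finding) -> None:
        self.per_version.add((f.project, f.version, f.component, f.vuln_id))

    def suppress_globally(self, vuln_id: str, reason: str) -> None:
        self.global_rules[vuln_id] = reason

    def is_suppressed(self, f: Finding) -> bool:
        # A global rule wins regardless of which version raised the finding.
        if f.vuln_id in self.global_rules:
            return True
        return (f.project, f.version, f.component, f.vuln_id) in self.per_version


def process_bom(findings: list, store: SuppressionStore) -> list:
    """Return the findings that still need an auditor's attention."""
    return [f for f in findings if not store.is_suppressed(f)]


def remaining_ids(findings: list, store: SuppressionStore) -> list:
    """Vulnerability ids left open after suppression, sorted for comparison."""
    return sorted(f.vuln_id for f in process_bom(findings, store))


def demo() -> dict:
    """Walk through the scenario from the issue and return each step's result."""
    store = SuppressionStore()
    # Version 1.0.0 of the (constructed) project raises one of the CVEs.
    v1 = Finding("app", "1.0.0", "pkg:gem/rails@5.2.0", "CVE-2017-17916")
    # Version 1.1.0 raises the same CVE plus a genuine finding.
    v2_same = Finding("app", "1.1.0", "pkg:gem/rails@5.2.1", "CVE-2017-17916")
    v2_real = Finding("app", "1.1.0", "pkg:gem/rails@5.2.1", "EXAMPLE-VULN-1")

    # Current behaviour: the auditor suppresses the finding on 1.0.0 only.
    store.suppress_in_version(v1)
    after_v1 = remaining_ids([v1], store)                 # []
    after_v2 = remaining_ids([v2_same, v2_real], store)   # CVE reappears

    # Proposed behaviour: one global decision covers every future version.
    store.suppress_globally("CVE-2017-17916", "false positive, all versions")
    after_global = remaining_ids([v2_same, v2_real], store)  # only the real one

    return {"v1": after_v1, "v2_per_version": after_v2, "v2_global": after_global}


if __name__ == "__main__":
    for step, ids in demo().items():
        print(f"{step}: {ids}")
```

The point the model makes is the one the issue raises: a suppression stored against a project version is, by construction, invisible to the next version, so the same withdrawn or rejected CVE reappears on every BOM upload until a decision exists at the vulnerability level.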