
[Security] Owasp dependency check: check if suppressing of vulnerabilities is still reasonable #17068

Open
1 of 2 tasks
hpvd opened this issue Aug 11, 2022 · 1 comment


hpvd commented Aug 11, 2022

Search before asking

  • I searched in the issues and found nothing similar.

Motivation

Since #10855 we are doing dependency scans for vulnerabilities on a regular basis. That is really great!

Over time, more and more vulnerabilities are suppressed.
This may

  • not be necessary anymore if it's about suppressing a false positive (since the number of false positives is reduced with every new version of the check tool)
  • hide some open vulnerabilities even if there is a solution available now

org.apache.pulsar:pulsar-server-distribution:2.11.0-SNAPSHOT:
Vulnerabilities Suppressed: 23

org.apache.pulsar:pulsar-offloader-distribution:2.11.0-SNAPSHOT:
Vulnerabilities Suppressed: 4

Solution

Before every release:
check for each suppressed vulnerability whether it's still reasonable/necessary to suppress it;
otherwise we are possibly releasing with security flaws which could easily be solved.

Before that: update the check tool to the latest version (which typically solves some false positives):
7.11+; the check today uses 7.10, see https://github.com/jeremylong/DependencyCheck/releases

Alternatives

Anything else?

No response

Are you willing to submit a PR?

  • I'm willing to submit a PR!
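One way to make the per-release review proposed above mechanical, as an added example that is not part of the issue or of Pulsar's build: a small Python check that reads a dependency-check suppression file and lists every `<suppress>` entry whose `until` date has already passed or that has no `until` date at all, so each of those gets re-examined instead of silently staying suppressed. The sample suppression file and its CVE/GHSA ids are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date

# Namespace of the dependency-check suppression schema (1.3).
NS = {"dc": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Constructed sample file; the CVE/GHSA ids are placeholders, not real advisories.
SAMPLE_SUPPRESSIONS = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2022-06-30Z">
    <notes>False positive: CPE matched the wrong product (placeholder)</notes>
    <packageUrl regex="true">^pkg:maven/org\.example/lib-a@.*$</packageUrl>
    <cve>CVE-0000-0001</cve>
  </suppress>
  <suppress until="2099-01-01Z">
    <notes>Not reachable in our configuration (placeholder)</notes>
    <packageUrl regex="true">^pkg:maven/org\.example/lib-b@.*$</packageUrl>
    <cve>CVE-0000-0002</cve>
  </suppress>
  <suppress>
    <notes>Waiting for an upstream fix (placeholder, no expiry at all)</notes>
    <packageUrl regex="true">^pkg:maven/org\.example/lib-c@.*$</packageUrl>
    <vulnerabilityName>GHSA-0000-placeholder</vulnerabilityName>
  </suppress>
</suppressions>
"""

def parse_until(value):
    """Parse an `until` value (YYYY-MM-DD, optional trailing 'Z') into a date."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})Z?", value.strip())
    if not m:
        raise ValueError(f"unparseable until date: {value!r}")
    return date(*map(int, m.groups()))

def suppressions_due_for_review(xml_text, today):
    """Return (ids, reason) for every <suppress> that is expired or never expires."""
    findings = []
    for sup in ET.fromstring(xml_text).findall("dc:suppress", NS):
        ids = [e.text for tag in ("cve", "vulnerabilityName", "cpe", "gav")
               for e in sup.findall(f"dc:{tag}", NS)]
        label = ", ".join(ids) or "<no vulnerability id>"
        until = sup.get("until")
        if until is None:
            findings.append((label, "no 'until' date: suppression never expires"))
        elif parse_until(until) <= today:
            findings.append((label, f"'until' date {until} has passed"))
    return findings

if __name__ == "__main__":
    for label, reason in suppressions_due_for_review(SAMPLE_SUPPRESSIONS, date.today()):
        print(f"REVIEW {label}: {reason}")
```

Pointing the check at the real suppression file and failing the release build on a non-empty result turns the manual reminder into a gate.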
@hpvd hpvd changed the title Owasp dependency check: check if suppressing of Vulnerabilities is still reasonable Owasp dependency check: check if suppressing of vulnerabilities is still reasonable Aug 11, 2022

The issue had no activity for 30 days, mark with Stale label.

@github-actions github-actions bot added the Stale label Sep 11, 2022
@hpvd hpvd changed the title Owasp dependency check: check if suppressing of vulnerabilities is still reasonable [security] Owasp dependency check: check if suppressing of vulnerabilities is still reasonable Oct 28, 2023
@hpvd hpvd changed the title [security] Owasp dependency check: check if suppressing of vulnerabilities is still reasonable [Security] Owasp dependency check: check if suppressing of vulnerabilities is still reasonable Oct 28, 2023