Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add 'suppress until' config to temporarily suppress a vulnerability #1145

Closed
siladu opened this issue Mar 22, 2018 · 4 comments
Closed

Add 'suppress until' config to temporarily suppress a vulnerability #1145

siladu opened this issue Mar 22, 2018 · 4 comments
Labels
enhancement

Comments

@siladu
Copy link

siladu commented Mar 22, 2018
edited
Loading

In a situation where we know a dependency vulnerability fix is incoming, it would be nice to not have to remember to un-suppress it.

For example, CVE-2018-7489 is fixed: FasterXML/jackson-databind#1931
but awaiting release: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.5

Example

Proposed new config added to reenable warnings after specified date: <until>2018-04-01</until>

    <suppress>
        <notes><![CDATA[
   file name: jackson-databind-2.9.4.jar
   ]]></notes>
        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
        <cve>CVE-2018-7489</cve>
        <until>2018-04-01</until>
    </suppress>

Similar to https://github.com/unruly/junit-rules/blob/master/README.md#ignore-tests-until-a-certain-date-or-datetime
@jeremylong
Copy link
Owner

Interesting idea - thanks for the suggestion. It may take us a while to get to this - but PRs are always welcome.

@aikebah
Copy link
Collaborator

aikebah commented Mar 25, 2018

@jeremylong I'm willing to give this a try.... I'll try to come up with a PR for this

aikebah added a commit to aikebah/DependencyCheck that referenced this issue Mar 25, 2018
@aikebah
Implemented a fix for jeremylong#1145
9e7df77
@aikebah aikebah mentioned this issue Mar 25, 2018
Merged
aikebah added a commit to aikebah/DependencyCheck that referenced this issue Apr 8, 2018
@aikebah
Implemented a fix for jeremylong#1145
29bae6e
aikebah added a commit to aikebah/DependencyCheck that referenced this issue Apr 8, 2018
@aikebah
Implemented a fix for jeremylong#1145
00f2314
jeremylong added a commit that referenced this issue Apr 8, 2018
@jeremylong
Merge pull request #1149 from aikebah/upstream-issue-1145
7adce45 
Proposed fix for issue #1145
@jeremylong
Copy link
Owner

Note - we still need to update the documentation on this feature. Regardless - Thanks for the PR!

@lock
Copy link

lock bot commented Sep 27, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Sep 27, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jeremylong @aikebah @siladu