chore: add suppressions for owasp dependency check (#4409)

add initial set that were previously reported / false positives re: moderneinc/dependency-vulnerability-reports#709
openrewrite · Aug 13, 2024 · 0cb71db · 0cb71db
1 parent 10cf25d
commit 0cb71db
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 0 deletions.
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -1,6 +1,17 @@
 plugins {
     id("org.openrewrite.build.root") version("latest.release")
     id("org.openrewrite.build.java-base") version("latest.release")
+    id("org.owasp.dependencycheck") version("latest.release")
+}
+
+configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
+    analyzers.assemblyEnabled = false
+    analyzers.nodeAuditEnabled = false
+    analyzers.nodeEnabled = false
+    failBuildOnCVSS = System.getenv("FAIL_BUILD_ON_CVSS")?.toFloatOrNull() ?: 9.0F
+    format = System.getenv("DEPENDENCY_CHECK_FORMAT") ?: "HTML"
+    nvd.apiKey = System.getenv("NVD_API_KEY")
+    suppressionFile = "suppressions.xml"
 }
 
 repositories {

diff --git a/suppressions.xml b/suppressions.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress until="2024-09-12">
+        <notes><![CDATA[
+        file name: okio-jvm-2.8.0.jar
+        sev: HIGH
+        reason: pinned while awaiting 5.x release
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@.*$</packageUrl>
+        <cve>CVE-2023-3635</cve>
+    </suppress>
+    <suppress until="2024-09-12">
+        <notes><![CDATA[
+        file name: develocity-gradle-plugin-3.17.6.jar: junit-platform-engine-1.10.3.jar
+        sev: CRITICAL
+        reason: not applicable to the project
+        ]]></notes>
+        <cve>CVE-2023-45161</cve>
+        <cve>CVE-2023-45163</cve>
+        <cve>CVE-2023-5964</cve>
+    </suppress>
+    <suppress until="2024-09-12">
+        <notes><![CDATA[
+        file name: gradle-enterprise-gradle-plugin-3.17.6.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.gradle/gradle-enterprise-gradle-plugin@.*$</packageUrl>
+        <cve>CVE-2019-11402</cve>
+        <cve>CVE-2019-11403</cve>
+        <cve>CVE-2021-41589</cve>
+        <cve>CVE-2023-49238</cve>
+        <cve>CVE-2022-25364</cve>
+        <cve>CVE-2020-15773</cve>
+        <cve>CVE-2020-15767</cve>
+    </suppress>
+</suppressions>