I am trying to use OWASP Dependency-Check in a GitLab CI job using the latest OWASP Docker image. Dependency-Check works well, but when I tried to add a suppression XML file, it doesn't work: it doesn't suppress any vulnerability.
Here is how I am using Dependency-Check:
```yaml
.owasp_scanning: &owasp_scanning
  stage: security-scanning
  image:
    name: owasp/dependency-check:latest
    entrypoint: [""]
  needs: []
  allow_failure: true
  before_script:
    - |
      if [ -e "$CI_PROJECT_DIR/suppressions.xml" ]; then
        echo "Suppression file found: $CI_PROJECT_DIR/suppressions.xml"
        cat "$CI_PROJECT_DIR/suppressions.xml"
      else
        echo "Suppression file not found: $CI_PROJECT_DIR/suppressions.xml"
      fi
  script:
    # prints owasp dependency check version
    - /usr/share/dependency-check/bin/dependency-check.sh --version
    # prints full report and create artifact
    - /usr/share/dependency-check/bin/dependency-check.sh --scan "$CI_PROJECT_DIR" \
      -f HTML -o "$CI_PROJECT_DIR/dependency-check-report.html" \
      --project "$CI_PROJECT_NAME" --failOnCVSS 0 \
      --suppression "$CI_PROJECT_DIR/suppressions.xml"
```
In the before_script part I can see that the file is in the right location and it contains the expected content. Here is suppressions.xml, which was created from the "suppress" button in the Dependency-Check report:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
    file name: standing_order_kucmin.jar: guava-28.1-jre.jar
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
    <cpe>cpe:/a:google:guava</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[
    file name: standing_order_kucmin.jar: commons-io-2.5.jar
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl>
    <cve>CVE-2021-29425</cve>
  </suppress>
</suppressions>
```
Can someone see something I am doing wrong? Thanks in advance.
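As an added example (not code from the question or from Dependency-Check itself), here is a small Python script that loads the two rules from the suppressions.xml above and checks, offline, which constructed findings they would cover. It assumes a simplified model of the tool's matching (full-string packageUrl regex, exact CVE id, CPE prefix match); a finding that is not covered here points at the rule itself, while one that is covered here but still appears in the report points at how the file reaches the scan.

```python
import re
import xml.etree.ElementTree as ET
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Constructed copy of the two rules from the question's suppressions.xml (notes omitted).
SUPPRESSIONS_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
    <cpe>cpe:/a:google:guava</cpe>
  </suppress>
  <suppress>
    <packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl>
    <cve>CVE-2021-29425</cve>
  </suppress>
</suppressions>"""

def load_rules(xml_text):
    """Parse each <suppress> into its packageUrl matcher and the cve/cpe ids it covers."""
    rules = []
    for sup in ET.fromstring(xml_text).findall("s:suppress", NS):
        purl = sup.find("s:packageUrl", NS)  # absent packageUrl: rule applies to every dependency
        rules.append({"purl": ".*" if purl is None else purl.text.strip(),
                      "purl_regex": purl is None or purl.get("regex") == "true",
                      "cves": [e.text.strip() for e in sup.findall("s:cve", NS)],
                      "cpes": [e.text.strip() for e in sup.findall("s:cpe", NS)]})
    return rules

def purl_matches(rule, purl):
    pattern = rule["purl"]  # assumption: a regex must match the whole purl, otherwise exact string
    return re.fullmatch(pattern, purl) is not None if rule["purl_regex"] else pattern == purl

def is_suppressed(rules, purl, cve=None, cpe=None):
    """Assumption: exact <cve> id match and prefix <cpe> match, approximating Dependency-Check."""
    return any(purl_matches(r, purl) and (cve in r["cves"] or
               (cpe is not None and any(cpe.startswith(p) for p in r["cpes"]))) for r in rules)

def audit(rules, findings):
    """Map each finding (purl plus cve or cpe) to whether the rules would cover it."""
    return {(f["purl"], f.get("cve") or f.get("cpe")): is_suppressed(rules, **f) for f in findings}

# Constructed findings: the two entries the rules target plus one that no rule should cover.
FINDINGS = [
    {"purl": "pkg:maven/commons-io/commons-io@2.5", "cve": "CVE-2021-29425"},
    {"purl": "pkg:maven/com.google.guava/guava@28.1-jre", "cpe": "cpe:/a:google:guava:28.1"},
    {"purl": "pkg:maven/org.example/other@1.0", "cve": "CVE-2021-29425"},
]

if __name__ == "__main__":
    for key, covered in audit(load_rules(SUPPRESSIONS_XML), FINDINGS).items():
        print(key, "suppressed" if covered else "NOT suppressed")
```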