I use the OWASP Dependency Check Maven plug-in to scan my project dependencies for reported vulnerabilities.
- I have developed three projects that I scan, let's call them App1, App2 and an internal library IntLib.
- Both App1 and App2 have a dependency on IntLib.
- IntLib in its turn has a dependency on the external library ExtLib.
- The OWASP check reports a vulnerability in ExtLib, let's call it Vul1.
- As a result, the scans of both App1 and App2 also report Vul1.
- I have a global suppression file where I would like to add a rule that suppresses Vul1.
- But! The suppression rule should ONLY apply when the report results from a dependency on IntLib.
- If App1 or App2 adds a direct dependency on ExtLib then the rule should NOT apply.
Is there any way to create a rule in an OWASP Check suppression file that works in this way?
No, for this scenario you have to use different suppression files.
However, I use a different approach. I have some multi-module Maven-based web applications. Instead of scanning each module of each app (it would be time consuming and not necessary) I scan only the module that generates the final war (or fat jar if you use Spring Boot), because this module inherits all the dependencies of the other ones. If the check finds a CVE in one library, it is easy to understand where this library comes from: just examine the dependency tree.
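The answer's "examine the dependency tree" step can be scripted so that the Vul1 suppression is only applied while ExtLib is reached through IntLib. This is an added example, not code from the question or the answer; the coordinates (org.example:*), the suppression file name and the -DsuppressionFiles property are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the question or answer. The coordinates
# (org.example:*), the suppression file name and the use of the
# -DsuppressionFiles property are assumptions for illustration.
# The answer suggests examining the dependency tree; this encodes that step
# so the Vul1 suppression is used only while ExtLib is reached through IntLib.

EXTLIB="org.example:extlib"                 # assumed ExtLib coordinates
SUPPRESSION="suppress-vul1-via-intlib.xml"  # assumed suppression file for Vul1

# is_direct_dependency GROUP:ARTIFACT < tree.txt
# Reads the text tree written by `mvn dependency:tree -DoutputFile=tree.txt`.
# Direct dependencies are drawn at column 0 as "+- " or "\- ", so their
# coordinates start at character 4; transitive ones carry a "|  " or "   "
# prefix per extra level and start further right.
is_direct_dependency() {
  awk -v art="$1:" '
    index($0, art) == 4 && ($0 ~ /^\+- / || $0 ~ /^\\- /) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# decide_suppression < tree.txt
# Prints the suppression file to pass to dependency-check, or BLOCK when
# ExtLib has become a direct dependency and suppressing Vul1 would hide it.
decide_suppression() {
  if is_direct_dependency "$EXTLIB"; then echo BLOCK; else echo "$SUPPRESSION"; fi
}

# Constructed sample trees (as filtered with -Dincludes=org.example:extlib):
# App1 reaches ExtLib only via IntLib; App2 also declares it directly.
TREE_APP1='org.example:app1:war:1.0
\- org.example:intlib:jar:1.0:compile
   \- org.example:extlib:jar:2.3:compile'
TREE_APP2='org.example:app2:war:1.0
+- org.example:intlib:jar:1.0:compile
\- org.example:extlib:jar:2.3:compile'

for app in app1 app2; do
  if [ "$app" = app1 ]; then tree="$TREE_APP1"; else tree="$TREE_APP2"; fi
  choice=$(printf '%s\n' "$tree" | decide_suppression)
  if [ "$choice" = BLOCK ]; then
    echo "$app: ExtLib is a direct dependency, scan WITHOUT the Vul1 suppression"
  else
    echo "$app: ExtLib only via IntLib, run: mvn dependency-check:check -DsuppressionFiles=$choice"
  fi
done
```

In a real build, replace the constructed trees with the output of `mvn dependency:tree -DoutputFile=tree.txt` from the war module the answer recommends scanning.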