Why are certain dependencies on my dependency report not suppressing?


I am generating a dependency report using Dependency-Check within Eclipse Version 2022-06 (4.24.0). It is a Maven project.

I created a suppression.xml file in same directory as the pom.xml file. I then modified the pom.xml file to include the suppression.xml file (see below).

            <configuration>
                <format>XML</format>
                <suppressionFiles>
                    <suppressionFile>suppression.xml</suppressionFile>
                </suppressionFiles>
            </configuration>

Then I copied and pasted all the suppression snippets from the Dependency Check report by clicking on each suppress button next to the CVE's. Here is a sample below:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
    file name: logback-classic-1.2.3.jar
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-classic@.*$</packageUrl>
    <cpe>cpe:/a:qos:logback</cpe>
  </suppress>
</suppressions>

I was able to suppress 93 dependencies this way. However, as you can see below, not all of the dependencies are being suppressed despite my having entered every single one of them into my suppression file. There are still 11 vulnerabilities found and 3 vulnerable dependencies. My intention is to have 0 vulnerable dependencies and 0 vulnerabilities found.

Screenshot of my dependency check report after suppressing dependencies

Does anyone know why these 3 particular dependencies remain on the Dependency Check report despite their suppression snippets appearing in the suppression.xml file in my project? I've tried searching for an answer online but have not found any solutions that work. This is my last resort.

Thanks!


Maybe the vulnerabilities don't match with <cpe>cpe:/a:qos:logback</cpe>? Try to suppress the single CVEs.

But, as @khmarbaise suggested, try to get rid of them. Update dependencies or replace them. They carry potential risks!


I do it this way:

<suppress until="2022-12-31Z">
    <notes><![CDATA[
        file name: snakeyaml-1.30.jar
        CVE-2022-25857: Suppressed until a solution is found.
        CVE-2022-38749: Because I'm lazy.
        CVE-2022-38751: Not affected because of reasons.
        CVE-2022-38750: Life to the limit.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
    <cve>CVE-2022-25857</cve>
    <cve>CVE-2022-38749</cve>
    <cve>CVE-2022-38751</cve>
    <cve>CVE-2022-38750</cve>
</suppress>

This gives me the advantage that the vulnerabilities are only suppressed to a certain date and after that are checked again. So I don't forget to check them every now and then.

I also have a small note why I suppressed a vulnerability. Sometimes you are just not affected and you can suppress it forever, sometimes you have no idea what to do. At least you don't forget why you suppressed it.


OWASP Dependency-Check manual: Suppressing False Positives
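The answer's point, that a `<cpe>` entry only hides findings whose CPE it actually matches while a `<cve>` entry hides exactly that id, and that `until` makes a suppression expire, can be checked offline before running the build. The script below is an added example, not code from the question, the answer or Dependency-Check itself: it parses a suppression file written against the 1.3 schema and applies a simplified model of the manual's matching rules (packageUrl must match, then a CPE prefix or an exact CVE id must match; a rule past its `until` date is ignored). The findings are constructed for the example; the CPE values other than `cpe:/a:qos:logback` and the `CVE-0000-…` ids are placeholders, not real identifiers.

```python
"""Which findings would a Dependency-Check suppression.xml leave in the report?

Simplified model of the matching rules described in the OWASP Dependency-Check
manual (assumption, not the tool's own code): a <suppress> applies when its
<packageUrl> matches the finding's package URL AND either a <cpe> entry is a
prefix of the finding's CPE or a <cve> entry equals the finding's CVE id.
A <suppress until="YYYY-MM-DDZ"> is ignored once that date has passed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Namespace of the 1.3 suppression schema.
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}


@dataclass(frozen=True)
class Finding:
    """One vulnerable-dependency row from a report (constructed for this example)."""
    file_name: str
    purl: str   # package URL, e.g. pkg:maven/group/artifact@version
    cpe: str    # CPE the analyzer assigned to the dependency
    cve: str    # vulnerability id


@dataclass
class Rule:
    """One <suppress> element."""
    notes: str
    purl_pattern: Optional[re.Pattern]
    cpes: List[str]
    cves: List[str]
    until: Optional[date]

    def is_active(self, today: date) -> bool:
        return self.until is None or today <= self.until

    def matches(self, f: Finding) -> bool:
        if self.purl_pattern is not None and not self.purl_pattern.search(f.purl):
            return False
        cpe_hit = any(f.cpe.startswith(c) for c in self.cpes)   # partial CPE covers all versions
        cve_hit = f.cve in self.cves                             # CVE must match exactly
        return cpe_hit or cve_hit


def load_rules(xml_text: str) -> List[Rule]:
    """Parse every <suppress> in a suppression.xml document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rules = []
    for s in root.findall("s:suppress", NS):
        notes_el = s.find("s:notes", NS)
        purl_el = s.find("s:packageUrl", NS)
        pattern = None
        if purl_el is not None:
            text = purl_el.text.strip()
            # regex="true" is used as-is; otherwise the value must match exactly
            pattern = re.compile(text) if purl_el.get("regex") == "true" else re.compile("^" + re.escape(text) + "$")
        until_attr = s.get("until")                               # e.g. "2022-12-31Z"
        until = date.fromisoformat(until_attr.rstrip("Z")) if until_attr else None
        rules.append(Rule(
            notes=(notes_el.text or "").strip() if notes_el is not None else "",
            purl_pattern=pattern,
            cpes=[c.text.strip() for c in s.findall("s:cpe", NS)],
            cves=[c.text.strip() for c in s.findall("s:cve", NS)],
            until=until,
        ))
    return rules


def suppressing_rule(finding: Finding, rules: List[Rule], today: date) -> Optional[Rule]:
    """Return the first active rule that hides the finding, or None."""
    for rule in rules:
        if rule.is_active(today) and rule.matches(finding):
            return rule
    return None


def unsuppressed(findings: List[Finding], rules: List[Rule], today: date) -> List[Finding]:
    """Findings that would still appear in the report on the given day."""
    return [f for f in findings if suppressing_rule(f, rules, today) is None]


# Sample suppression file: one CPE-based rule and one dated CVE-based rule.
SUPPRESSION_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[file name: logback-classic-1.2.3.jar]]></notes>
    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-classic@.*$</packageUrl>
    <cpe>cpe:/a:qos:logback</cpe>
  </suppress>
  <suppress until="2022-12-31Z">
    <notes><![CDATA[file name: snakeyaml-1.30.jar
CVE-2022-25857: Suppressed until a solution is found.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
    <cve>CVE-2022-25857</cve>
  </suppress>
</suppressions>
"""

# Constructed findings. "cpe:/a:example:..." CPEs and "CVE-0000-..." ids are placeholders.
FINDINGS = [
    Finding("logback-classic-1.2.3.jar", "pkg:maven/ch.qos.logback/logback-classic@1.2.3",
            "cpe:/a:qos:logback:1.2.3", "CVE-0000-00001"),            # hidden by the CPE rule
    Finding("logback-classic-1.2.3.jar", "pkg:maven/ch.qos.logback/logback-classic@1.2.3",
            "cpe:/a:example:logback:1.2.3", "CVE-0000-00002"),        # other CPE: rule never matches
    Finding("snakeyaml-1.30.jar", "pkg:maven/org.yaml/snakeyaml@1.30",
            "cpe:/a:example:snakeyaml:1.30", "CVE-2022-25857"),       # hidden until 2022-12-31
    Finding("snakeyaml-1.30.jar", "pkg:maven/org.yaml/snakeyaml@1.30",
            "cpe:/a:example:snakeyaml:1.30", "CVE-2022-38749"),       # CVE not listed: stays
]


def evaluate(today_iso: str) -> List[str]:
    """CVE ids of the sample findings still reported on the given ISO date."""
    rules = load_rules(SUPPRESSION_XML)
    return [f.cve for f in unsuppressed(FINDINGS, rules, date.fromisoformat(today_iso))]


if __name__ == "__main__":
    for day in ("2022-11-01", "2023-01-15"):
        print(day, "still reported:", evaluate(day))
```

Running it shows the two failure modes the thread discusses: the logback finding whose CPE differs from the one in the rule survives, the snakeyaml CVE that is not listed survives, and after 2022-12-31 the dated snakeyaml suppression expires and CVE-2022-25857 reappears. Feeding the real suppression.xml and the rows from the HTML or XML report into `load_rules` and `unsuppressed` is one way to find out which of the three remaining dependencies is missed by which rule.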