Dependency-Track is forgetting suppressions on vulnerabilities
I included dependency track in my build-pipeline with:
mvn cyclonedx:makeAggregateBom dependency-track:upload-bom
My maven project is configured like this:
<plugin>
<groupId>io.github.pmckeown</groupId>
<artifactId>dependency-track-maven-plugin</artifactId>
<version>1.5.0</version>
<configuration>
<dependencyTrackBaseUrl>https://dependency-track.<my-company.com></dependencyTrackBaseUrl>
<apiKey>${env.DEPENDENCY_TRACK_API_KEY}</apiKey>
<failOnError>true</failOnError>
<pollingConfig>
<pause>2</pause>
<attempts>30</attempts>
</pollingConfig>
</configuration>
</plugin>
This all works fine and I get the analysis results in dependency-track.
Now I suppress some found vulnerabilities in dependency-track, because they do not affect my project.
Some time later (I think not immediately) dependency-track seems to forget some of the suppressions and shows the vulnerabilities again.
This in particular happens with the spring-security-web:5.7.8 dependency:
Is there something wrong with how I call dependency-track? Or is it more likely misconfigured?
I had a similar problem. I use the same tool as you (cdxgen) to generate the SBOM and then pass this SBOM to Dependency Track. In my case, all these steps are jobs in a pipeline which is run frequently. I tried to troubleshoot the issue and this was the scenario that lead to it:
- Pipeline #01: All jobs succeed.
- Pipeline #02: A new vulnerable dependency is introduced, so the pipeline fails. I go to DT (Dependency Track) and supress the vulnerability.
- Pipeline #03: All jobs succeed.
- Pipeline #04: Same vulnerability as in #02. After researching, I saw that the cdxgen in #03 was generating an empty SBOM (due a execution fallback) and, obviously, DT had nothing to report, so the pipeline was green. My assumption is that this fact induces DT to forget the supressed vulnerabilities, as the SBOM is empty and there are no dependencies. In the next run (#04), the SBOM is properly generated and DT has lost the supression, that is why it keeps appearing.
I opened this issue and looks like it is fixed now, just upgrade to the latest version.
- What is "X-Content-Type-Options=nosniff"?
- HTML-Entity escaping to prevent XSS
- ModSecurity WAF log configuration
- Why is it common to put CSRF prevention tokens in cookies?
- Hello, how to solve Permission denied Error while trying to generate OWASP ZAP report using Full Scan Docker image
- Writing exclude configs for dependancy check
- Hydra with OWASP juice-shop
- Zap proxy converts Http requests to Https
- How to run security check on Angular project or how to run OWASP dependency check for Angular Project
- What are the differences between API IO and Web App IO? (OWASP's top 10s)
- Postman unable sending to OWASP ZAP with the same proxy configuration
- How to create "unsafe" environment for JavaScript XSS testing
- Bicep code to deploy WAF policy for Azure Application gateway
- How can i integrate OWASP ZAP with Cypress to run both together and get the Zap test Result and Owasp Zap result at the same time?
- OWASP ZAP Scan tool doesn't support requests in XML format
- Allowing "//" in URL.Any Security Standards for URL Definition?
- How to login and scan with OWASP Zap
- Options for token storage and refresh in SPAs
- ZAP baseline scan doesn't generate report
- iOS certificate pinning with Swift and NSURLSession
- OWASP ZAP baseline scan returns unexpected error 1 in CI/CD pipeline
- How to force specific version of a transitive dependency (netty-codec-http) in gradle?
- Cross-Site Request Forgery Prevention: using a cookie for the Synchronizer Token Pattern
- OWASP sanitizer generates unexpected results
- OWASP Dependency check, how to use suppressions
- OWASP/ZAP dangling when trying to scan
- Dependency-Track is forgetting suppressions on vulnerabilities
- How to run OWASP Dependency Check for an Angular project?
- OWASP Dependency Tracker - Jenkins build error
- Selenium script execution scanning by OWASP ZAP docker