androidowaspsuppressionowasp-dependency-checkowasp-dependency-track
Writing exclude configs for dependancy check
I am using https://github.com/dependency-check/dependency-check-gradle in my Android project.
Where I want to exclude these dependencies
ant-1.10.9.jar (pkg:maven/org.apache.ant/[email protected], cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
ant-antlr-1.10.9.jar (pkg:maven/org.apache.ant/[email protected], cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
ant-junit-1.10.9.jar (pkg:maven/org.apache.ant/[email protected], cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
ant-launcher-1.10.9.jar (pkg:maven/org.apache.ant/[email protected], cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
bcpkix-jdk15on-1.56.jar (pkg:maven/org.bouncycastle/[email protected], cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.56:*:*:*:*:*:*:*) : CVE-2023-33202
bcprov-jdk15on-1.56.jar (pkg:maven/org.bouncycastle/[email protected], cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.56:*:*:*:*:*:*:*) : CVE-2018-1000180, CVE-2024-29857, CVE-2017-13098, CVE-2020-15522, CVE-2024-30171, CVE-2020-0187, CVE-2023-33202, CVE-2020-26939, CVE-2023-33201
commons-compress-1.20.jar (pkg:maven/org.apache.commons/[email protected], cpe:2.3:a:apache:commons_compress:1.20:*:*:*:*:*:*:*) : CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090, CVE-2024-25710
commons-io-2.4.jar (pkg:maven/commons-io/[email protected], cpe:2.3:a:apache:commons_io:2.4:*:*:*:*:*:*:*) : CVE-2021-29425
For excluding ant-1.10.9.jar I tried following config
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
This suppresses a specific cve for any test.jar in any directory.
]]></notes>
<packageUrl regex="false">^pkg:maven/org\.apache\.ant/[email protected]</packageUrl>
<vulnerabilityName>CVE-2021-36373, CVE-2021-36374</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses any jboss:jboss cpe for any test.jar in any directory.
]]></notes>
<filePath regex="true">ant-1.10.9.jar</filePath>
<cpe>cpe:/2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*</cpe>
</suppress>
</suppressions>
In above config, I tried both rules for same dependancy to verify which rule can work. But both are not working and I get following output in gradle
Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org\.apache\.ant/[email protected], regex=false, caseSensitive=false},vulnerabilityName={PropertyType{value=CVE-2021-36373, CVE-2021-36374, regex=false, caseSensitive=false},}}
Suppression Rule had zero matches: SuppressionRule{filePath=PropertyType{value=ant-1.10.9.jar, regex=false, caseSensitive=false},cpe={PropertyType{value=cpe:/2.3:a:apache:ant, regex=false, caseSensitive=false},}}
Kindly help into configurations
Solution
If you html report, that use to be presents at /build/reports/dependency-check-report.html.
Then scroll down on this report. You will see some info similar to below screenshots
Then tap on suppress. You will see the code that you are looking for. See the screenshot below, that I see when I press on suppress
- Your app currently targets API level 30 and must target at least API level 31 to ensure it is built on the latest APIs
- How can I reduce the size of a library folder?
- Stream Audio from Client to Server to Multiple Clients Java
- Talkback does not specify index out of list count in RecyclerView
- Panorama 360 viewer with phonegap
- opening an external "file explorer" app: how to get absolute path from a uri pointing to a folder
- Which ParseException may be thrown on signup/login attempt
- What I should add as a key to LaunchedEffect to be changeable?
- Variable not updated in a Coroutine
- How To Stop Git-Bash command on windows
- Getting Error while Dexing. after upgrading flutter to 3.19.0
- Can't find the option to change privacy policy for Android app already on play store
- Button not responding to Click Event after Translation animation
- Using libcurl in C++ Android application using CMake
- Why compose adds extra text to Accessibility?
- packages have newer versions incompatible with dependency constraints
- How can I scroll to the beginning of a paged list after the start of the list is no longer presented
- why flutter_fortune_wheel always run instantly after page open?
- How to create Viewpager Transformation in Jetpack Compose?
- Remove underline from TextInputEditText
- String replace isn't working for some cyrillic characters
- How to create push notification with long text and picture in one style
- Android ListPopupWindow's method isShowing() does not work
- How to remove top and bottom padding exo player in android jetpack compose?
- flutter doctor --android-licenses does not work
- Eliminating Blinking Effect in Rotational Animation of List Elements
- Flutter Firebase and Android issue - unable to initialise. Cannot find google-services.json with latest (sept 2020) migration instructions executed
- Magento REST API for Android Application
- input type=number not possible to insert negative numbers on mobile phone
- Why doen't Compose trigger a recomposition on State update?