Current Behavior
There are a few vulnerability items listed that are actually no longer valid, as they have been withdrawn or rejected. Yet if a project has a new version and the BOM is processed, DependencyTrack marks the new version as vulnerable again, even though we have already marked the CVE as a False Positive and set it for suppression in a previous version.
Proposed Behavior
Provide the ability in the Vulnerabilities listing to mark a vulnerability as suppressed so that it is no longer used during BOM processing. This way it saves the auditor time, as fewer false positives that have already been dealt with appear in the audit list when a new version is created.
I think a global suppression in the vulnerability list is useful, but it is useful regardless of the state of the vulnerability. There are cases where a global suppression makes sense, even for valid/active vulnerabilities. Not sure if there's a feature request for that already somewhere?
More specific to rejected/withdrawn vulnerabilities, it might be better to add logic to DT that reflects the status of updated vulnerabilities in DT, so rejections and withdrawals are handled correctly, or at least do not generate new vulnerabilities during SBOM processing.
I did a search but nothing came up for me. Of course it could be that my search input wasn't all that good.
When I was writing this up, I did give a thought that it could be used to suppress any issue. I just wasn't sure how useful that would be in general, but the ability to reduce the false positives by suppressing them completely would be a nice thing.
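Until a global suppression exists, the situation described in the issue (a false positive suppressed on version N that reappears on version N+1) can be worked around from outside the server by copying the audit decisions forward. The script below is an added example written for this page; it is not part of the issue nor of the Dependency-Track code base. It assumes the v1 REST API endpoints `GET /api/v1/finding/project/{uuid}` and `PUT /api/v1/analysis`, and the finding field names `vulnerability.vulnId`, `vulnerability.source`, `component.purl`, `component.uuid`, `analysis.state` and `analysis.isSuppressed`; verify these against your server's `/api/swagger.json` before relying on them. Findings are matched across versions by vulnerability source/ID and component PURL, because component UUIDs differ between project versions while PURLs do not. The sample findings are constructed for the example.

```python
"""Carry suppressed / false-positive analyses forward to a new project version.

Added example, not Dependency-Track's own code. Endpoint paths and JSON field
names are assumptions based on the public v1 REST API; confirm them against
your server's /api/swagger.json.
"""
import json
import urllib.request

# Analysis states an auditor uses to dismiss a finding.
SUPPRESSED_STATES = {"FALSE_POSITIVE", "NOT_AFFECTED"}


def finding_key(finding):
    """Identity of a finding that is stable across project versions."""
    vuln = finding["vulnerability"]
    return (vuln.get("source"), vuln["vulnId"], finding["component"].get("purl"))


def suppressed_analyses(findings):
    """Map finding key -> analysis for findings already suppressed by an auditor."""
    out = {}
    for f in findings:
        analysis = f.get("analysis") or {}
        if analysis.get("isSuppressed") and analysis.get("state") in SUPPRESSED_STATES:
            out[finding_key(f)] = analysis
    return out


def plan_carry_forward(old_findings, new_findings, new_project_uuid):
    """Build PUT /api/v1/analysis payloads for findings of the new version that
    match a suppressed finding of the old version and are not yet suppressed."""
    prior = suppressed_analyses(old_findings)
    payloads = []
    for f in new_findings:
        key = finding_key(f)
        if key not in prior:
            continue  # not a known false positive, leave it for the auditor
        if (f.get("analysis") or {}).get("isSuppressed"):
            continue  # already dealt with on the new version
        payloads.append({
            "project": new_project_uuid,
            "component": f["component"]["uuid"],
            "vulnerability": f["vulnerability"]["uuid"],
            "analysisState": prior[key]["state"],
            "suppressed": True,
            "comment": "Carried forward from previous project version",
        })
    return payloads


def fetch_findings(base_url, api_key, project_uuid):
    """GET the findings of one project (network call, not used by the test)."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/finding/project/{project_uuid}",
        headers={"X-Api-Key": api_key},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def apply_payloads(base_url, api_key, payloads):
    """PUT each analysis decision to the server (network call, not used by the test)."""
    for payload in payloads:
        req = urllib.request.Request(
            f"{base_url}/api/v1/analysis",
            data=json.dumps(payload).encode(),
            method="PUT",
            headers={"X-Api-Key": api_key, "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            resp.read()


def sample_findings():
    """Constructed sample data: two project versions of the same application."""
    old = [  # version 1.0, already audited
        {"component": {"uuid": "c-old-1", "purl": "pkg:maven/org.example/lib@1.0"},
         "vulnerability": {"uuid": "v-1", "source": "NVD", "vulnId": "CVE-2000-0001"},
         "analysis": {"state": "FALSE_POSITIVE", "isSuppressed": True}},
        {"component": {"uuid": "c-old-2", "purl": "pkg:maven/org.example/other@2.0"},
         "vulnerability": {"uuid": "v-2", "source": "NVD", "vulnId": "CVE-2000-0002"},
         "analysis": {"state": "NOT_SET", "isSuppressed": False}},
    ]
    new = [  # version 1.1, freshly processed BOM: the false positive is back
        {"component": {"uuid": "c-new-1", "purl": "pkg:maven/org.example/lib@1.0"},
         "vulnerability": {"uuid": "v-1", "source": "NVD", "vulnId": "CVE-2000-0001"},
         "analysis": {"state": "NOT_SET", "isSuppressed": False}},
        {"component": {"uuid": "c-new-2", "purl": "pkg:maven/org.example/other@2.0"},
         "vulnerability": {"uuid": "v-2", "source": "NVD", "vulnId": "CVE-2000-0002"}},
        {"component": {"uuid": "c-new-3", "purl": "pkg:maven/org.example/third@3.0"},
         "vulnerability": {"uuid": "v-3", "source": "NVD", "vulnId": "CVE-2000-0003"}},
    ]
    return old, new


if __name__ == "__main__":
    old, new = sample_findings()
    print(json.dumps(plan_carry_forward(old, new, "p-new"), indent=2))
```

Only decisions that were both suppressed and in a dismissing state are copied; a finding that was merely "NOT_SET" or a suppression with an unexpected state is left for the auditor, so the script cannot silently hide a finding that was never reviewed. A rejected or withdrawn CVE still needs the server-side status handling the thread asks for; this only keeps the audit list from refilling with decisions already taken.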