我在我的 Android 项目中使用 https://github.com/dependency-check/dependency-check-gradle。
我想排除这些依赖项的地方
ant-1.10.9.jar (pkg:maven/org.apache.ant/[email protected], cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
ant-antlr-1.10.9.jar (pkg:maven/org.apache.ant/[email protected], cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
ant-junit-1.10.9.jar (pkg:maven/org.apache.ant/[email protected], cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
ant-launcher-1.10.9.jar (pkg:maven/org.apache.ant/[email protected], cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
bcpkix-jdk15on-1.56.jar (pkg:maven/org.bouncycastle/[email protected], cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.56:*:*:*:*:*:*:*) : CVE-2023-33202
bcprov-jdk15on-1.56.jar (pkg:maven/org.bouncycastle/[email protected], cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.56:*:*:*:*:*:*:*) : CVE-2018-1000180, CVE-2024-29857, CVE-2017-13098, CVE-2020-15522, CVE-2024-30171, CVE-2020-0187, CVE-2023-33202, CVE-2020-26939, CVE-2023-33201
commons-compress-1.20.jar (pkg:maven/org.apache.commons/[email protected], cpe:2.3:a:apache:commons_compress:1.20:*:*:*:*:*:*:*) : CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090, CVE-2024-25710
commons-io-2.4.jar (pkg:maven/commons-io/[email protected], cpe:2.3:a:apache:commons_io:2.4:*:*:*:*:*:*:*) : CVE-2021-29425
为了排除 ant-1.10.9.jar 我尝试了以下配置
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
This suppresses a specific cve for any test.jar in any directory.
]]></notes>
<packageUrl regex="false">^pkg:maven/org\.apache\.ant/[email protected]</packageUrl>
<vulnerabilityName>CVE-2021-36373, CVE-2021-36374</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses any jboss:jboss cpe for any test.jar in any directory.
]]></notes>
<filePath regex="true">ant-1.10.9.jar</filePath>
<cpe>cpe:/2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*</cpe>
</suppress>
</suppressions>
在上面的配置中,我尝试了相同依赖关系的两个规则,以验证哪个规则可以工作。但两者都不起作用,我在 gradle 中得到以下输出
Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org\.apache\.ant/[email protected], regex=false, caseSensitive=false},vulnerabilityName={PropertyType{value=CVE-2021-36373, CVE-2021-36374, regex=false, caseSensitive=false},}}
Suppression Rule had zero matches: SuppressionRule{filePath=PropertyType{value=ant-1.10.9.jar, regex=false, caseSensitive=false},cpe={PropertyType{value=cpe:/2.3:a:apache:ant, regex=false, caseSensitive=false},}}
请帮助配置