Writing an exclusion configuration for dependency-check

Problem description   Votes: 0   Answers: 1

I am using https://github.com/dependency-check/dependency-check-gradle in my Android project

and I want to exclude the following dependencies:

```text
ant-1.10.9.jar (pkg:maven/org.apache.ant/ant@1.10.9, cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
ant-antlr-1.10.9.jar (pkg:maven/org.apache.ant/ant-antlr@1.10.9, cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
ant-junit-1.10.9.jar (pkg:maven/org.apache.ant/ant-junit@1.10.9, cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
ant-launcher-1.10.9.jar (pkg:maven/org.apache.ant/ant-launcher@1.10.9, cpe:2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*) : CVE-2021-36373, CVE-2021-36374
bcpkix-jdk15on-1.56.jar (pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.56, cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.56:*:*:*:*:*:*:*) : CVE-2023-33202
bcprov-jdk15on-1.56.jar (pkg:maven/org.bouncycastle/bcprov-jdk15on@1.56, cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.56:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.56:*:*:*:*:*:*:*) : CVE-2018-1000180, CVE-2024-29857, CVE-2017-13098, CVE-2020-15522, CVE-2024-30171, CVE-2020-0187, CVE-2023-33202, CVE-2020-26939, CVE-2023-33201
commons-compress-1.20.jar (pkg:maven/org.apache.commons/commons-compress@1.20, cpe:2.3:a:apache:commons_compress:1.20:*:*:*:*:*:*:*) : CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090, CVE-2024-25710
commons-io-2.4.jar (pkg:maven/commons-io/commons-io@2.4, cpe:2.3:a:apache:commons_io:2.4:*:*:*:*:*:*:*) : CVE-2021-29425
```

To exclude ant-1.10.9.jar I tried the following configuration:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        This suppresses a specific cve for any test.jar in any directory.
        ]]></notes>
        <packageUrl regex="false">^pkg:maven/org\.apache\.ant/ant@1.10.9</packageUrl>
        <vulnerabilityName>CVE-2021-36373, CVE-2021-36374</vulnerabilityName>
    </suppress>
    <suppress>
        <notes><![CDATA[
        This suppresses any jboss:jboss cpe for any test.jar in any directory.
        ]]></notes>
        <filePath regex="true">ant-1.10.9.jar</filePath>
        <cpe>cpe:/2.3:a:apache:ant:1.10.9:*:*:*:*:*:*:*</cpe>
    </suppress>
</suppressions>
```

In the configuration above I tried two rules for the same dependency, to see which one would work. Neither works, and I get the following output in Gradle:

```text
Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org\.apache\.ant/ant@1.10.9, regex=false, caseSensitive=false},vulnerabilityName={PropertyType{value=CVE-2021-36373, CVE-2021-36374, regex=false, caseSensitive=false},}}
Suppression Rule had zero matches: SuppressionRule{filePath=PropertyType{value=ant-1.10.9.jar, regex=false, caseSensitive=false},cpe={PropertyType{value=cpe:/2.3:a:apache:ant, regex=false, caseSensitive=false},}}
```

Please help with the configuration.

android owasp suppression owasp-dependency-check owasp-dependency-track
1 Answer

0 votes

If you use the HTML report, it is usually found at

/build/reports/dependency-check-report.html

Scroll down in that report. You will see something similar to the screenshot below.

Then click Suppress. You will see the code you are looking for. See the screenshot below, which is what I get when I press suppress.
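As an added example (not code from the question, the answer, or the dependency-check project), here is a suppression file for the Ant findings listed in the question, with the failing rule's two defects corrected: a pattern with `^` and `\.` needs `regex="true"` (with `regex="false"` the value is compared literally, which is why it had zero matches), and each CVE goes in its own element. The `until` date and the justification text in the notes are assumptions to be replaced with the project's own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- Rule 1: suppress by Package URL. The value is a pattern, so regex="true" is required;
         with regex="false" it would be compared as a literal string and never match.
         One CVE per element: a comma-separated list is treated as a single, unknown name.
         "until" expires the rule so the finding resurfaces for re-review (date assumed). -->
    <suppress until="2025-06-30Z">
        <notes><![CDATA[
        Apache Ant 1.10.9 (ant, ant-antlr, ant-junit, ant-launcher).
        Assumed justification: build-time dependency only, not packaged into the app.
        Replace with the real risk-acceptance rationale and owner.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.ant/ant(-antlr|-junit|-launcher)?@1\.10\.9$</packageUrl>
        <cve>CVE-2021-36373</cve>
        <cve>CVE-2021-36374</cve>
    </suppress>

    <!-- Rule 2: the same thing for a single jar, by file path plus CPE. The scanner
         reports the full path of the jar, so the regex must allow a prefix (".*").
         The cpe element uses the cpe:/a:vendor:product[:version] form; with no <cve>
         children, every CVE that dependency-check attributes to that CPE on that
         file is suppressed, so keep the version in it. -->
    <suppress until="2025-06-30Z">
        <notes><![CDATA[
        ant-1.10.9.jar only, matched by file path and CPE (same assumed justification).
        ]]></notes>
        <filePath regex="true">.*ant-1\.10\.9\.jar</filePath>
        <cpe>cpe:/a:apache:ant:1.10.9</cpe>
    </suppress>
</suppressions>
```

Point the Gradle plugin at the file with `dependencyCheck { suppressionFile = 'dependency-check-suppressions.xml' }` (file name assumed) and re-run the scan; the "Suppression Rule had zero matches" line should no longer be printed for these rules, and the expiry date keeps the accepted risk from being forgotten.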
