Dependencycheck: Suppressing False Positive with <packageUrl> issue

Created on 21 Aug 2019 · 1 comment · Source: jeremylong/DependencyCheck

Describe the bug
After a dependency-check scan on one of my projects, a vulnerability appeared in the report. It was a false positive, which then needs to be suppressed with the suppression rule that is shown alongside the identifiers in the report:

<suppress>
    <notes><![CDATA[ file name: spring-ws-security-3.0.7.RELEASE.jar ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework\.ws/spring\-ws\-security@.*$</packageUrl>
    <cpe>cpe:/a:pivotal_software:spring_security</cpe>
</suppress>

When I ran the dependency-check scan again with the suppression rule above, it failed because "Element packageUrl is not allowed here". Does anyone know why this is happening, and is there a fix for this issue (other than using SHA1)?

Version of dependency-check used
Dependency-Check Core version 5.0.0-M2 with Apache Maven 3.3.9 and dependency-check-maven 5.2.1 plugin.

Log file

[WARNING] org.owasp.dependencycheck.xml.suppression.SuppressionParseException: org.xml.sax.SAXException: Line=5237, Column=34: cvc-complex-type.2.4.a: Invalid content was found starting with element 'packageUrl'. One of {"https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd":filePath, "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd":sha1, "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd":gav, "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd":cpe, "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd":cve, "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd":cwe, "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd":cvssBelow} is expected.

To Reproduce
Steps to reproduce the behavior:
Applying the suppression rule below to the suppression list and running a dependency-check scan with it:

<suppress>
    <notes><![CDATA[ file name: spring-ws-security-3.0.7.RELEASE.jar ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework\.ws/spring\-ws\-security@.*$</packageUrl>
    <cpe>cpe:/a:pivotal_software:spring_security</cpe>
</suppress>

Expected behavior
A successful dep-check scan with spring-ws-security 3.0.7 dependency suppressed.

Additional context

question

Most helpful comment

The package URL is a new element that was added with the 1.3 schema. Please update your XML to reference the 1.3 schema: https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd
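The comment points at the root cause: the `<packageUrl>` element exists only from schema 1.3 on, while the reporter's file still declares the 1.2 namespace (visible in the SAXException, where the namespace URI is the 1.2 .xsd URL). The following script is an added example, not code from the DependencyCheck project. It builds the reporter's rule under the 1.2 and 1.3 namespaces, checks each against the element list that schema allows, and shows the one-line namespace change that fixes the file. The allowed-element sets are an assumption reconstructed from this page alone: the 1.2 set is the list in the error message plus `<notes>`, and 1.3 adds `<packageUrl>` as the comment states; later schema versions are not modelled.

```python
"""Check that a Dependency-Check suppression file declares a schema version that
permits every element its <suppress> rules use. Added example for this issue,
not part of the DependencyCheck project.
"""
import xml.etree.ElementTree as ET

# The namespace of a suppression file is the URL of its schema (as seen in the
# SAXException on this page), so the version is the number before ".xsd".
SCHEMA_BASE = "https://jeremylong.github.io/DependencyCheck/dependency-suppression."

# Assumption: child elements of <suppress> per schema version, reconstructed from
# this issue. 1.2 = the "One of {...}" list in the error message plus <notes>;
# 1.3 = 1.2 plus <packageUrl>, as the maintainer's comment says.
ALLOWED = {
    "1.2": {"notes", "filePath", "sha1", "gav", "cpe", "cve", "cwe", "cvssBelow"},
}
ALLOWED["1.3"] = ALLOWED["1.2"] | {"packageUrl"}

# Constructed sample: the reporter's rule exactly as posted in the issue.
RULE = r"""
  <suppress>
    <notes><![CDATA[ file name: spring-ws-security-3.0.7.RELEASE.jar ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework\.ws/spring\-ws\-security@.*$</packageUrl>
    <cpe>cpe:/a:pivotal_software:spring_security</cpe>
  </suppress>
"""


def suppressions_file(version):
    """Wrap RULE in a <suppressions> root that declares the given schema version."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<suppressions xmlns="' + SCHEMA_BASE + version + '.xsd">'
            + RULE + '</suppressions>\n')


def schema_version(root):
    """Return the schema version ('1.2', '1.3', ...) from the root namespace, or None."""
    tag = root.tag
    if not tag.startswith("{"):
        return None
    ns = tag[1:tag.index("}")]
    if not (ns.startswith(SCHEMA_BASE) and ns.endswith(".xsd")):
        return None
    return ns[len(SCHEMA_BASE):-len(".xsd")]


def disallowed_elements(xml_text):
    """Return (version, [(element_name, rule_index), ...]) for children of
    <suppress> that the declared schema version does not allow.
    An unknown version yields (version, []) since there is nothing to compare with."""
    root = ET.fromstring(xml_text)
    version = schema_version(root)
    allowed = ALLOWED.get(version)
    problems = []
    if allowed is None:
        return version, problems
    ns = "{" + SCHEMA_BASE + version + ".xsd}"
    for i, suppress in enumerate(root.findall(ns + "suppress")):
        for child in suppress:
            local = child.tag[len(ns):] if child.tag.startswith(ns) else child.tag
            if local not in allowed:
                problems.append((local, i))
    return version, problems


def fix_namespace(xml_text, new_version):
    """The actual fix from the comment: point the root namespace at the newer schema."""
    old_version = schema_version(ET.fromstring(xml_text))
    if old_version is None:
        return xml_text
    return xml_text.replace(SCHEMA_BASE + old_version + ".xsd",
                            SCHEMA_BASE + new_version + ".xsd", 1)


if __name__ == "__main__":
    broken = suppressions_file("1.2")
    print("1.2 file:", disallowed_elements(broken))            # packageUrl flagged
    print("1.3 file:", disallowed_elements(fix_namespace(broken, "1.3")))
```

This is only a version-versus-element sanity check, not schema validation; the authoritative check remains running dependency-check itself, which validates the file against the .xsd named in the namespace. The `notes` element is listed as allowed for 1.2 because the reporter's rule places it before `packageUrl` and the parser only complained at the latter.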

