Global Suppression for Withdrawn or Rejected CVEs/Vulnerabilities
jreed-cartago opened this issue · comments
Current Behavior
There are a few vulnerability items listed that are actually no longer valid, as they have been withdrawn or rejected. Yet if a project has a new version and its BOM is processed, DependencyTrack marks the new version as vulnerable again, even though we have already marked the CVE as a False Positive and set it for suppression in a previous version.
Proposed Behavior
Provide the ability in the Vulnerabilities listing to mark a vulnerability as suppressed so that it is no longer used during BOM processing. This saves the auditor time, as fewer false positives that have already been dealt with appear in the audit list when a new version is created.
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this enhancement was already requested
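As an added example (not code from this issue or from the Dependency-Track project), here is a Python workaround for the behaviour described above: it takes the findings of the previous project version, matches them to the new version's findings by package URL, and re-applies the auditor's suppressions through the REST API. The endpoint paths, the finding/analysis JSON shapes and the function names are assumptions to verify against your server's Swagger UI.

```python
# Added example, not from the issue or the Dependency-Track code base: carry an
# auditor's suppressions from a previous project version forward to a new one.
# Assumed API shapes (verify against your server's Swagger UI): findings from
# GET /api/v1/finding/project/{uuid} carry component.uuid/purl,
# vulnerability.uuid and analysis.state/isSuppressed; PUT /api/v1/analysis
# takes {project, component, vulnerability, analysisState, suppressed, comment}.
import json
from urllib import request

def finding_key(f):
    # Component UUIDs differ between project versions; the purl is the join key.
    return (f["component"].get("purl"), f["vulnerability"]["uuid"])

def suppressed_by_key(findings):
    """Index findings an auditor already suppressed, keyed by (purl, vuln uuid)."""
    index = {}
    for f in findings:
        analysis = f.get("analysis") or {}
        if analysis.get("isSuppressed"):
            index[finding_key(f)] = analysis
    return index

def carry_forward(old_findings, new_project_uuid, new_findings):
    """Build PUT /api/v1/analysis bodies for new-version findings that were suppressed before."""
    previous = suppressed_by_key(old_findings)
    bodies = []
    for f in new_findings:
        key = finding_key(f)
        if key in previous and not (f.get("analysis") or {}).get("isSuppressed"):
            bodies.append({
                "project": new_project_uuid,
                "component": f["component"]["uuid"],
                "vulnerability": f["vulnerability"]["uuid"],
                "analysisState": previous[key].get("state", "NOT_SET"),
                "suppressed": True,
                "comment": "Carried forward from the previous project version",
            })
    return bodies

def submit(base_url, api_key, bodies):
    """PUT each analysis body to the server; returns the HTTP status codes."""
    statuses = []
    for body in bodies:
        headers = {"X-Api-Key": api_key, "Content-Type": "application/json"}
        req = request.Request(f"{base_url}/api/v1/analysis", method="PUT",
                              data=json.dumps(body).encode(), headers=headers)
        with request.urlopen(req) as resp:
            statuses.append(resp.status)
    return statuses
```

Run `carry_forward` on the two findings lists first and review the bodies before calling `submit`, since a wrong purl match would silently suppress a real finding in the new version.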
I think a global suppression in the vulnerability list is useful. But it is useful regardless of the state of the vulnerability. There are cases where a global suppression makes sense, even for valid/active vulnerabilities. Not sure if there's a feature request for that already somewhere?
More specifically for rejected/withdrawn vulnerabilities, it might be better to add logic to DT to reflect the status of updated vulnerabilities so that rejections and withdrawals are handled correctly, or at least so that no new vulnerabilities are generated during SBOM processing.
I did a search but nothing came up for me. Of course it could be that my search input wasn't all that good.
When I was writing this up, I did give some thought to the idea that it could be used to suppress any issue. I just wasn't sure how useful that would be in general, but the ability to reduce the false positives by suppressing them completely would be a nice thing.
PR +1