jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.

Home Page: https://owasp.org/www-project-dependency-check/


How does the Hosted Suppression File work when using a Database Server?

juanmanuelromeraferrio opened this issue · comments

Hi,

I'm implementing Dependency Check using a Database Server. Before this, I was using the CLI App with an update using an H2 Database, and the check process was using the Database hosted on the same machine where the update process was running.

I verified that the update process is responsible for copying the Hosted Suppression File to the specified Database Path, which worked fine in my last implementation.

Now, with the Database Server, on the machines where I execute the check process, I don't set a data path because the Database is on a Server.

Consequently, I'm encountering the following warning:

WARN - Hosted Suppressions file is empty or missing - attempting to force the update

How should I solve this?

hosted suppression file is unrelated to the database.

the database holds NVD vulnerability data

various other 'internet access required' resources can be published on an intranet and then customized for the URL

https://jeremylong.github.io/DependencyCheck/data/index.html

Please can you tell me how to use it on an intranet?

@Lzmupupup How about you read the documentation linked (including its subpages and the tool documentation pages on the various *url configuration settings)? The various pages tell you what to do.

Then tell us what you did and what's still breaking for you

Hi @aikebah,

Hi,

I'm using a centralized database, so I decided to upload the publishSuppression.xml generated by the update process to my company's Artifactory.

Then, on the clients that execute the check process, my idea is to download this file and share it with Dependency Check CLI Tool.

If I add the --disableHostedSuppressions arg and include the publishedSuppression.xml in the --suppression files list, would the behavior be the same as using the Hosted Suppression File?

Thanks!

@juanmanuelromeraferrio That would yield the same result indeed.
Note that instead of disabling it you could also use the --hostedSuppressionsUrl to point to the Artifactory URL for the hosted suppressions file.
For the end result it would not matter, as the hosted suppressions and the project-supplied suppressions get merged together into a single set of suppression rules.
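To make the last point concrete, here is an added example (not code from the dependency-check project) that parses a hosted suppression file and a project suppression file, merges them into one flat rule set, and evaluates a finding against it. It also reproduces the precondition behind the "Hosted Suppressions file is empty or missing" warning: the file must be non-empty and parse as a `<suppressions>` document. Both XML inputs are constructed samples, the CVE ids and the ticket reference are placeholders, the schema namespace is assumed to be the v1.3 one, and matching is simplified to `packageUrl` plus `cve` (the real tool also understands `cpe`, `gav`, `sha1`, `filePath`, `vulnerabilityName`, and more).

```python
import re
import xml.etree.ElementTree as ET

# Assumed namespace of the v1.3 suppression schema; tags are matched by local
# name below so files without the xmlns attribute parse as well.
NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Constructed sample: stands in for the publishedSuppressions.xml mirrored to Artifactory.
HOSTED_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="{NS}">
  <suppress>
    <notes>constructed: known false positive against example-lib</notes>
    <packageUrl regex="true">^pkg:maven/org\\.example/example\\-lib@.*$</packageUrl>
    <cve>CVE-0000-0001</cve>
  </suppress>
</suppressions>
"""

# Constructed sample: the project's own file passed via --suppression.
PROJECT_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="{NS}">
  <suppress>
    <notes>constructed: risk accepted, ticket PLACEHOLDER-123</notes>
    <packageUrl>pkg:npm/example-app-dep@4.0.0</packageUrl>
    <cve>CVE-0000-0003</cve>
  </suppress>
</suppressions>
"""


def _local(tag):
    """Strip an XML namespace prefix ({ns}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def hosted_file_usable(xml_text):
    """Mirror the CLI precondition: a usable hosted file is non-empty and has a
    <suppressions> root; otherwise the CLI logs the 'empty or missing' warning
    and forces a re-download."""
    if not xml_text or not xml_text.strip():
        return False
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return _local(root.tag) == "suppressions"


def parse_suppressions(xml_text):
    """Return one rule dict per <suppress>; simplified to packageUrl and cve."""
    root = ET.fromstring(xml_text)
    rules = []
    for sup in root:
        if _local(sup.tag) != "suppress":
            continue
        rule = {"packageUrl": None, "regex": False, "cves": set(), "notes": ""}
        for child in sup:
            name = _local(child.tag)
            text = (child.text or "").strip()
            if name == "packageUrl":
                rule["packageUrl"] = text
                rule["regex"] = child.get("regex", "false").lower() == "true"
            elif name == "cve":
                rule["cves"].add(text.upper())
            elif name == "notes":
                rule["notes"] = text
        rules.append(rule)
    return rules


def merge_rules(*rule_lists):
    """Hosted and project rules form one flat set; order carries no precedence."""
    merged = []
    for rules in rule_lists:
        merged.extend(rules)
    return merged


def _purl_matches(rule, purl):
    if rule["packageUrl"] is None:
        return False
    if rule["regex"]:
        return re.search(rule["packageUrl"], purl) is not None
    return rule["packageUrl"] == purl


def is_suppressed(rules, purl, cve):
    """True when any rule names this dependency and lists this CVE."""
    cve = cve.upper()
    return any(_purl_matches(r, purl) and cve in r["cves"] for r in rules)


if __name__ == "__main__":
    combined = merge_rules(parse_suppressions(HOSTED_XML), parse_suppressions(PROJECT_XML))
    print("hosted file usable:", hosted_file_usable(HOSTED_XML), "| rules:", len(combined))
    for purl, cve in [("pkg:maven/org.example/example-lib@1.2.3", "CVE-0000-0001"),
                      ("pkg:maven/org.example/example-lib@1.2.3", "CVE-0000-0002"),
                      ("pkg:npm/example-app-dep@4.0.0", "CVE-0000-0003")]:
        print(purl, cve, "suppressed" if is_suppressed(combined, purl, cve) else "reported")
```

Whether the hosted rules arrive through `--hostedSuppressionsUrl` or as an extra `--suppression` entry with `--disableHostedSuppressions`, they end up in the same flat list that `merge_rules` builds, which is why the two configurations report identically. Because the hosted file is consulted on every scan, treat the intranet copy as an integrity-relevant artifact: serve it read-only over HTTPS and review changes to it, since a rule added there silences a finding for every project that uses it.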