From 1338f01c46ba1a527e0db6e0fec10e2a620f12d9 Mon Sep 17 00:00:00 2001 From: Konrad Windszus Date: Fri, 6 Mar 2026 17:41:15 +0100 Subject: [PATCH 1/3] Clarify how suppress items are matched against files This closes #8351 --- src/site/markdown/general/suppression.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/site/markdown/general/suppression.md b/src/site/markdown/general/suppression.md index 5ec418e0a1..ff5cfa88f2 100644 --- a/src/site/markdown/general/suppression.md +++ b/src/site/markdown/general/suppression.md 
@@ -22,8 +22,19 @@ A sample suppression file would look like: The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash. The following shows some other ways to suppress individual findings. Note the ways to select files using either -the sha1 hash or the filePath (the filePath can also be a regex). Additionally, there are several things that -can be suppressed - individual CPEs, individual CVEs, or all CVE entries below a specified CVSS score. The most common + +- their sha1 hash (via element `), +- their package URL (via element ``), +- their Maven like coordinates (groupId/namespace, artifactId/name and version via element ``), or +- their file path (via element ``). + +The latter three can optionally be given as regular expression. The `` value is matched against the dependency +specific software identifiers (can be looked up from the report) and `` against these identifiers after they have been mapped +to coordinates via `PurlIdentifier.toGav()`. The latter is not always available while the former is mandatory. +The `` value is matched against the OS-specific absolute file path of the according dependency +(for example a path inside the local Maven repository). + +Additionally, there are several things that can be suppressed - individual CPEs, individual CVEs, or all CVE entries below a specified CVSS score. The most common would be suppressing CPEs based off of SHA1 hashes or filePath (regexes) - these entries can be generated using the HTML version of the report. The other common scenario would be to ignore all CVEs below a certain CVSS threshold. From 5b80c3ae47a7c6a7840a8e07a7bdf11b993dcdd4 Mon Sep 17 00:00:00 2001 From: Konrad Windszus Date: Wed, 1 Apr 2026 17:57:01 +0200 Subject: [PATCH 2/3] Update src/site/markdown/general/suppression.md Co-authored-by: Jeremy Long --- src/site/markdown/general/suppression.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/site/markdown/general/suppression.md b/src/site/markdown/general/suppression.md index ff5cfa88f2..5688224558 100644 --- a/src/site/markdown/general/suppression.md +++ b/src/site/markdown/general/suppression.md @@ -34,8 +34,8 @@ to coordinates via `PurlIdentifier.toGav()`. The latter is not always available The `` value is matched against the OS-specific absolute file path of the according dependency (for example a path inside the local Maven repository). -Additionally, there are several things that can be suppressed - individual CPEs, individual CVEs, or all CVE entries below a specified CVSS score. The most common -would be suppressing CPEs based off of SHA1 hashes or filePath (regexes) - these entries can be generated using the +Additionally, there are several ways to suppress vulnerabilities: individual CPEs, individual CVEs, or all vulnerabilities below a specified CVSS score. The most common +would be suppressing CPEs based on the identified Package URL (PURL) - these suppression entries can be generated using the HTML version of the report. The other common scenario would be to ignore all CVEs below a certain CVSS threshold. ```xml From 6a5729ae5e9503a1112195e0f75bb00fef35f66c Mon Sep 17 00:00:00 2001 From: Konrad Windszus Date: Wed, 1 Apr 2026 18:27:15 +0200 Subject: [PATCH 3/3] Clarify --- src/site/markdown/general/suppression.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/src/site/markdown/general/suppression.md b/src/site/markdown/general/suppression.md index 5688224558..9b056830df 100644 --- a/src/site/markdown/general/suppression.md +++ b/src/site/markdown/general/suppression.md 
@@ -23,19 +23,20 @@ The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file wi The following shows some other ways to suppress individual findings. Note the ways to select files using either -- their sha1 hash (via element `), -- their package URL (via element ``), +- their sha1 hash (via element ``), +- their [package URL (PURL)][purl] (via element ``), - their Maven like coordinates (groupId/namespace, artifactId/name and version via element ``), or - their file path (via element ``). The latter three can optionally be given as regular expression. The `` value is matched against the dependency specific software identifiers (can be looked up from the report) and `` against these identifiers after they have been mapped -to coordinates via `PurlIdentifier.toGav()`. The latter is not always available while the former is mandatory. +to coordinates via `PurlIdentifier.toGav()`. The `` value is matched against the OS-specific absolute file path of the according dependency (for example a path inside the local Maven repository). -Additionally, there are several ways to suppress vulnerabilities: individual CPEs, individual CVEs, or all vulnerabilities below a specified CVSS score. The most common -would be suppressing CPEs based on the identified Package URL (PURL) - these suppression entries can be generated using the +Additionally, there are several ways to suppress vulnerabilities: individual CPEs, individual CVEs, or all vulnerabilities below a specified CVSS score. + +The most common would be suppressing CPEs based on the identified [Package URL (PURL)][purl] - these suppression entries can be generated using the HTML version of the report. The other common scenario would be to ignore all CVEs below a certain CVSS threshold. ```xml 
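Review bot: In the PATCH 3/3 hunk at line 23, deleting `The latter is not always available while the former is mandatory.` removes the only statement about when a coordinates-based suppression can match at all; if the goal was to get rid of the ambiguous former/latter wording, replace the sentence with a plain one (for instance "Maven-like coordinates are only available for dependencies whose package URL can be mapped to them") rather than dropping it, otherwise readers have no way to know why an entry keyed on coordinates may never match. The wording problems carried over from PATCH 1/3 are still present in this hunk: `given as regular expression` needs the article ("as a regular expression"), `Maven like coordinates` should be hyphenated, and `the according dependency` should read `the corresponding dependency`.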
@@ -177,3 +178,6 @@ Please see the appropriate configuration option in each interfaces configuration - [Gradle Plugin](../dependency-check-gradle/configuration.html) - [Ant Task](../dependency-check-ant/configuration.html) - [Jenkins Plugin](../dependency-check-jenkins/index.html) + + +[purl]: https://packageurl.org/ \ No newline at end of file
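Review bot: In the PATCH 1/3 hunk at line 22, `The latter is not always available while the former is mandatory.` is ambiguous: the preceding sentence has just used the same two values for the package URL and the coordinates, and the sentence before that lists four selectors, so a reader cannot tell which pair "former" and "latter" refer to. Name the things directly, e.g. "Every dependency has a package URL; Maven-like coordinates are only available when that package URL can be mapped to them" (adjust if that is not the intended meaning). Referring to the internal method `PurlIdentifier.toGav()` in user-facing documentation is also a style point: users cannot look that up, so describe the mapping in words instead. Smaller items in the same hunk: `select files using either` now introduces a four-item list, and `either` implies two alternatives, so drop it; `as regular expression` needs "a"; `Maven like` and `dependency specific` should be hyphenated; `the according dependency` should be `the corresponding dependency`.

Review bot: The rewritten sentence in the PATCH 2/3 hunk broadens `all CVE entries below a specified CVSS score` to `all vulnerabilities below a specified CVSS score`, but the unchanged line two below it still says `ignore all CVEs below a certain CVSS threshold`; the two should agree (both "vulnerabilities" or both "CVEs"), otherwise the reader is left to guess whether findings that are not CVEs fall under the threshold. If the report's generated entries are now PURL-based, as the new sentence implies, a short remark that existing sha1- and filePath-based entries keep working would stop readers from rewriting their suppression files unnecessarily.

Review bot: The `[purl]: https://packageurl.org/` definition added in the PATCH 3/3 hunk at line 177 lands without a trailing newline (`\ No newline at end of file`); add one so the file stays a well-formed text file and the next edit to this line does not show up as a spurious change. The two blank lines inserted before the definition are also one more than the file uses between blocks elsewhere (the paragraphs in the earlier hunks are separated by single blank lines); one is enough.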