chore(fp): use more conservative CPE 22 prefix suppression syntax to avoid false negatives #8509

Merged
jeremylong merged 4 commits into dependency-check:main from chadlwilson:conservative-cpe-suppressions on May 19, 2026
Conversation

@chadlwilson chadlwilson commented May 18, 2026

Collaborator

Description of Change

CPE 2.2 URI suppressions are string-prefix based on a fully formed URI; without the colon we risk matching against the wrong product, sometimes sub-products.

final String id;
try {
    // Normalise the identified CPE to its CPE 2.2 URI form and lower-case it.
    id = cpeId.toCpe22Uri().toLowerCase();
} catch (CpeEncodingException ex) {
    LOGGER.debug("Unable to convert CPE to 22 URI?" + cpeId);
    return false;
}
// The <cpe> suppression value is compared as a plain string prefix of that URI.
final String check = suppressionEntry.getValue().toLowerCase();
return id.startsWith(check);

It's possible some of these are intentional product prefixes; but probably better to address these one-by-one if so. The current ones risk creating false negatives, especially over time as new sub-products are added.

Related issues

Have test cases been added to cover the new functionality?

N/A
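To make the false-negative risk concrete, here is an added example (not dependency-check's own code) that reproduces the lower-case prefix test from the quoted snippet and runs it over a few constructed CPE 2.2 URIs. The vendor and product names, the `isConservative` lint and the `hiddenBy` helper are all assumptions made for the illustration; the only thing taken from the page is the `startsWith` matching rule.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/**
 * Added example, not dependency-check's own code: reproduces the prefix-based
 * CPE 2.2 suppression check quoted in the PR description and shows why a
 * suppression value without a trailing colon can hide sibling products.
 */
public final class CpeSuppressionPrefixDemo {

    /** Same rule as the quoted snippet: lower-case both sides, then a plain prefix test. */
    static boolean suppressionMatches(String cpe22Uri, String suppressionValue) {
        final String id = cpe22Uri.toLowerCase(Locale.ROOT);
        final String check = suppressionValue.toLowerCase(Locale.ROOT);
        return id.startsWith(check);
    }

    /**
     * Hypothetical lint: a suppression value is conservative when it ends on a
     * component boundary (trailing ':'), so it can only match the named product
     * and its versions, never a product whose name merely starts with the same text.
     */
    static boolean isConservative(String suppressionValue) {
        return suppressionValue.endsWith(":");
    }

    /** Returns the identifiers from the list that the suppression value would hide. */
    static List<String> hiddenBy(String suppressionValue, List<String> cpe22Uris) {
        final List<String> hidden = new ArrayList<>();
        for (String uri : cpe22Uris) {
            if (suppressionMatches(uri, suppressionValue)) {
                hidden.add(uri);
            }
        }
        return hidden;
    }

    public static void main(String[] args) {
        // Constructed sample identifiers in CPE 2.2 URI form: cpe:/part:vendor:product:version
        final List<String> identified = List.of(
                "cpe:/a:apache:tomcat:9.0.1",
                "cpe:/a:apache:tomcat_native:1.2.0",
                "cpe:/a:apache:tomcat_connectors:1.2.48");

        // Loose prefix of the kind this PR replaces, and the conservative trailing-colon form.
        final String loose = "cpe:/a:apache:tomcat";
        final String conservative = "cpe:/a:apache:tomcat:";

        for (String suppression : List.of(loose, conservative)) {
            System.out.printf("%s (conservative=%b) hides %s%n",
                    suppression, isConservative(suppression), hiddenBy(suppression, identified));
        }
    }
}
```

Against these three constructed identifiers the loose value hides all of them, because `cpe:/a:apache:tomcat_native:1.2.0` starts with `cpe:/a:apache:tomcat`; the trailing-colon form hides only `cpe:/a:apache:tomcat:9.0.1`. A check like `isConservative` run over the `<cpe>` entries of a suppression file is a cheap way to spot values that will silently widen as new products sharing the prefix are added to the dictionary.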

…itive ops

CPE suppressions are string-prefix based on a fully formed URI; without the colon we risk matching against the wrong product, sometimes sub-products.

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
…suppressions

CPE suppressions are string-prefix based on a fully formed URI; without the colon we risk matching against the wrong product, sometimes sub-products.

It's possible some of these are intentional product prefixes; but probably better to address these one-by-one if so.

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
@jeremylong jeremylong added this to the 13.0.0 milestone May 19, 2026
@chadlwilson

Collaborator Author

Thanks for dealing with the conflicts for me, you didn't have to do that, so it's appreciated 🙏🏻

@jeremylong jeremylong merged commit f740447 into dependency-check:main May 19, 2026
15 checks passed
@chadlwilson chadlwilson deleted the conservative-cpe-suppressions branch May 19, 2026 11:49
@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Jun 19, 2026
Labels

core changes to core

2 participants