0

I am trying to suppress certain vulnerabilities via a suppression.xml file. I am following the instructions of the assignment prompt by adding in the complete xml documentation to copy and paste into my suppression file. I am getting an error of "InitializationException: Warn initializing the suppression analyzer: Failed to load suppression.xml, caused by org.owasp.dependencycheck.xml.suppression.SuppressionParseException: org.xml.sax.SAXException: Line=14, Column=6: The processing instruction target matching "[xX][mM][lL]" is not allowed.." I do not know why this error is happening. I am fairly new to software security as well.

<suppressions
    xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
  file name: spring-boot-2.2.4.RELEASE.jar
  ]]></notes>
        <packageUrl regex="true">
            ^pkg:maven/org\.springframework\.boot/spring\-boot@.*$
        </packageUrl>
        <cve>CVE-2022-27772</cve>
    </suppress>
</suppressions>

<suppressions
    xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
  file name: logback-core-1.2.3.jar
  ]]></notes>
        <packageUrl regex="true">
            ^pkg:maven/ch\.qos\.logback/logback\-core@.*$
        </packageUrl>
        <cve>CVE-2021-42550</cve>
    </suppress>
</suppressions>

suppression.xml code

dur
  • 15,689
  • 25
  • 79
  • 125
Aaron535
  • 1
  • 3
  • See the official documentation for an example on how it should look: https://jeremylong.github.io/DependencyCheck/general/suppression.html – ledwinder96 May 25 '22 at 13:18

1 Answers1

1

The linked screenshot shows that the top elements are provided twice.

<?xml version="1.0" encoding="UTF-8"?>    
<suppressions
    xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

You should only declare that once.

Your suppressions look fine. However, all <supress> tags should be provided sequentially and within the <suppression> tags in the XML file.

Try changing your suppression.xml to something like this:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[file name: spring-boot-2.2.4.RELEASE.jar]]>
       </notes>
        <packageUrl regex="true">
            ^pkg:maven/org\.springframework\.boot/spring\-boot@.*$
        </packageUrl>
        <cve>CVE-2022-27772</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[file name: logback-core-1.2.3.jar]]></notes>
        <packageUrl regex="true">
            ^pkg:maven/ch\.qos\.logback/logback\-core@.*$
        </packageUrl>
        <cve>CVE-2021-42550</cve>
    </suppress>
</suppressions>

Also: Where did the </element> tag come from? That can be completely removed.

ledwinder96
  • 241
  • 5
  • 13