
I use the OWASP Dependency Check Maven plug-in to scan my project dependencies for reported vulnerabilities.

  • I have developed three projects that I scan, let's call them App1, App2 and an internal library IntLib.
  • Both App1 and App2 have a dependency on IntLib.
  • IntLib in its turn has a dependency on the external library ExtLib.
  • The OWASP check reports a vulnerability in ExtLib, let's call it Vul1.
  • As a result, the scan of both App1 and App2 also reports Vul1.
  • I have a global suppression file where I like to add a rule that suppresses Vul1.
  • But! The suppression rule should ONLY apply when the report results from a dependency on IntLib.
  • If App1 or App2 adds a direct dependency on ExtLib then the rule should NOT apply.

Is there any way to create a rule in an OWASP Check suppression file that works in this way?

Lii
