Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Suppression by CPE in 5.2.2 not working?
See original GitHub issueSince the NVD XML feeds were shutoff, we upgraded our plugin to 5.2.2. We are in the process of changing our suppression file from 1.1 to 1.3 XSD. When the plugin fails a build, we open the report and copy the CPE suppression(s), add it to our suppression file and re-build. Suppression by CPE for jackson-databind doesn’t seem to work, the build still fails.
<suppress>
<notes><![CDATA[file name: jackson-databind-2.9.10.jar]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<cpe>cpe:/a:fasterxml:jackson</cpe>
</suppress>
cpe:/a:fasterxml:jackson-databind doesn’t work, either.
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '6.0':
[ERROR]
[ERROR] jackson-databind-2.9.8.jar: CVE-2019-14379, CVE-2019-14439, CVE-2019-12086
If we add an entry for each individual jackson-databind CVE (9 of them), then the build passes.
Is this intended? Do I not understand how this is supposed to work?
Issue Analytics
- State:
- Created 4 years ago
- Reactions:1
- Comments:6 (1 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I faced the exact similar issue. Rather than adding each CVE to suppression.xml , I bumped the jackson version to 2.10.0 . The build passed. But agree CPE suppression should work. Its annoying to add each individual CVEs.
Great, thanks. Missed that
<cve>can now be used multiple times.