OWASP Dependency check, how to use suppressions

Time:10-04

I have a build in CI failing on the OWASP dependency check. For example

[HIGH] CVE-2021-37136 - io.netty:netty-codec-4.1.66.Final

I understand I can add a suppression in owaspDependencyCheckSuppressions.xml to fix this.

It's something I haven't done before, but there is a guide here - https://jeremylong.github.io/DependencyCheck/general/suppression.html which says ...

"Suppressing these false positives is fairly easy using the HTML report. In the report next to each CPE identified (and on CVE entries) there is a suppress button. Clicking the suppression button will create a dialogue box in which you can simply hit Control-C to copy the XML that you would place into a suppression XML file"

I have 2 questions

#1 Do you know where I can find this HTML report? I thought it might be linked in CI (I'm using Circle CI), but I can't spot it there :(

#2 An example suppression is given in the guide

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress>
      <notes><![CDATA[
      file name: some.jar
      ]]></notes>
      <sha1>66734244CE86857018B023A8C56AE0635C56B6A1</sha1>
      <cpe>cpe:/a:apache:struts:2.0.0</cpe>
   </suppress>
</suppressions>

The guide goes on to say

"The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash."

What is meant by "any file"? Does this mean any Java class which uses the dependency?

Thanks :)

CodePudding user response:

#1 Click on the 'artifacts' tab on the OWASP dependency check task in CI and the html report is there.

#2 'File' in this context means the file inside the jar that is warranting the dependency issue. It will be given to you in the html report.
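As an added example (not part of the question or the answer above), here is what a suppression file for the finding in the question could look like. It uses the same 1.3 schema as the snippet from the guide. The first entry matches the dependency by Package URL (the coordinates of the netty-codec artifact named in the question) and suppresses only the single CVE, with an "until" date so the suppression expires and the finding resurfaces for review. The second entry shows the sha1 form from the guide: the hash is the SHA-1 of the scanned dependency file itself (the jar that Dependency-Check analysed), so that entry is pinned to one exact build of that jar and silently stops matching after a version bump, which is why the Package URL form is usually preferred for a real dependency. The sha1 value, the notes text and the date are placeholders chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

   <!-- Preferred form: match the dependency by Package URL (regex so minor
        version bumps still match) and suppress ONLY the CVE in question.
        The until date forces the suppression to expire so it is re-evaluated. -->
   <suppress until="2022-12-31Z">
      <notes><![CDATA[
      CVE-2021-37136 (netty-codec Bzip2 decoder). Placeholder justification:
      our code never uses the Bzip2Decoder; re-check when upgrading netty.
      ]]></notes>
      <packageUrl regex="true">^pkg:maven/io\.netty/netty\-codec@.*$</packageUrl>
      <cve>CVE-2021-37136</cve>
   </suppress>

   <!-- Hash form from the guide: matches the scanned dependency file (the jar)
        whose SHA-1 equals this value. The hash below is a placeholder, not the
        real checksum of any artifact. Pinned to one exact jar build. -->
   <suppress>
      <notes><![CDATA[
      file name: netty-codec-4.1.66.Final.jar (placeholder SHA-1)
      ]]></notes>
      <sha1>0000000000000000000000000000000000000000</sha1>
      <cve>CVE-2021-37136</cve>
   </suppress>

</suppressions>
```

Two practical notes. First, avoid suppressing by a bare CPE when a CVE will do: a CPE suppression hides every current and future CVE for that product, whereas a cve element hides exactly one finding. Second, if the HTML report is not showing up as a CI artifact, the Gradle plugin writes it by default to build/reports/dependency-check-report.html, and the suppress button next to the finding in that report emits an entry in the same shape as the ones above.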
