Functionality to suppress CVEs

[kpe09]

A good function to have is the ability to suppress certain CVEs, so that they are shown as suppressed on the Dependency Track server, without any manual interaction with the web-app, and thus won't be considered for the findings goals if it is configured to fail the build.

A way to implement this would be adding a configuration where you can have a list of CVEs, with additional info as state, justification and details. This suppression would be triggered while uploading a BOM, so that all further goals after the upload get the actual list of findings.

[henschi]

I think it's better to add a VEX (Vulnerability Exploitability Exchange) upload and Dependency-Track supports that.
There is an API call for this: /api/v1/vex
Here you can find some examples of VEX files: https://github.com/CycloneDX/bom-examples/tree/master/VEX

I think that would be a better solution as it is not a proprietary extension.

[kpe09]

I'm not sure if this is what I need for my use-case. In my pipeline I generate a new BOM (with the cyclonedx-maven-plugin), upload it to Dependency-Track, suppress the CVE's that were already analysed, then finally execute the findings-goal, which would fail the pipeline if the findings are higher than the corresponding thresholds. I don't need the analysed vulnerabilities to be found in the findings again.

If I understand the principle of VEX correctly, I would need to reference the BOM, which in my case has a different reference each time, within the VEX for each vulnerability that I need to be suppressed in the "affects" block. Can I generate such a VEX within the pipeline after the upload, or am I understanding something wrong?

[pmckeown]

@kpe09 sorry for the delay in responding. I need to find time to look into this requirement and think about how this can be applied within the tool to broadly fit various use cases.