OWASP Dependency Checker - Risk Acceptance/Inheritance #5052
emresaglam-dremio
started this conversation in
Show and tell
Replies: 1 comment 2 replies
-
I think it's a missing feature. If DC implements this data we should improve the parser to manage them. Feel free to submit a PR, I will help you move forward!
-
Hello all!
We are running the OWASP Dependency Scanner via Jenkins during build time using the Jenkins Plugin. We mark the false positives and suppressions in this same process.
When we are importing the OWASP Dependency Scanner results to DefectDojo, we want to inherit the suppressions that we maintain in the repo. The current parser only parses the vulnerabilities and not the suppressions in the XML file.
I added the suppression parsing abilities to the existing parser. I feel like it's tailored to my use case a bit. Here is how it works.
It parses the <suppressedVulnerability> tag and uses the nested <notes> tag to document the Risk Acceptance/Mitigation Criteria. If the Notes field is not empty (meaning we documented the reason for suppression), it will mark the vulnerability as
It will also mark the Mitigation field as the text content in the <notes> tag. It cannot make a decision on whether the vulnerability is mitigated or a false positive unless we standardize the Notes field.
If there is interest I can share the code and/or do a PR.
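As an added example (not DefectDojo's parser and not the poster's code), here is a minimal Python parser that does what the post describes: it reads both <vulnerability> and <suppressedVulnerability> entries from a Dependency-Check XML report, marks a suppressed entry as risk-accepted only when its <notes> text is non-empty, and carries that text over as the mitigation. The report layout is a constructed, simplified sample (namespace omitted) and the CVE ids are placeholders.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip any XML namespace so the code works with or without the DC xsd namespace
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def parse_dependency_check(xml_text):
    """Return one dict per vulnerability, suppressed ones included."""
    findings = []
    for dep in ET.fromstring(xml_text).iter():
        if _local(dep.tag) != "dependency":
            continue
        file_name = _child_text(dep, "fileName")
        for vuln in dep.iter():
            kind = _local(vuln.tag)
            if kind not in ("vulnerability", "suppressedVulnerability"):
                continue
            suppressed = kind == "suppressedVulnerability"
            notes = _child_text(vuln, "notes") if suppressed else ""
            findings.append({
                "dependency": file_name,
                "cve": _child_text(vuln, "name"),
                "severity": _child_text(vuln, "severity"),
                "suppressed": suppressed,
                # Only a suppression with a documented reason counts as an accepted risk
                "risk_accepted": suppressed and bool(notes),
                "mitigation": notes,
            })
    return findings

# Constructed, simplified Dependency-Check report; CVE ids are placeholders
SAMPLE_XML = """<analysis><dependencies>
<dependency><fileName>lib-a-1.0.jar</fileName><vulnerabilities>
  <vulnerability source="NVD"><name>CVE-0000-0001</name><severity>HIGH</severity></vulnerability>
</vulnerabilities></dependency>
<dependency><fileName>lib-b-2.0.jar</fileName><vulnerabilities>
  <suppressedVulnerability source="NVD"><name>CVE-0000-0002</name><severity>MEDIUM</severity>
    <notes>Risk accepted: vulnerable function is never called; reviewed by AppSec.</notes>
  </suppressedVulnerability>
  <suppressedVulnerability source="NVD"><name>CVE-0000-0003</name><severity>LOW</severity>
    <notes></notes></suppressedVulnerability>
</vulnerabilities></dependency>
</dependencies></analysis>"""
```

Running `parse_dependency_check(SAMPLE_XML)` yields three findings: the open HIGH one, a MEDIUM suppression that is risk-accepted with its notes as mitigation, and a LOW suppression with empty notes that stays suppressed but is not marked accepted.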