Dependency Check Vulnerability Suppression
The dependency-check utility comes with the built-in ability to suppress/ignore specific vulnerabilities, making it easy to manage findings that cannot be or do not need to be fixed.
Tutorial
1. Identify the vulnerability you wish to suppress by reviewing the `dependency-check-report.html` file in the `dependency-check` job's artifacts.
2. Click the `suppress` button next to the vulnerability or package identifier you wish to suppress.
3. Copy the XML content of the popup dialog (if you haven't already suppressed vulnerabilities for the repository, click `Complete XML Doc` before copying).
4. Create an XML file anywhere in your repository (you can name it whatever you'd like).
5. Paste the XML content you copied in step #3 into the XML file you just created.
6. Set the `DEPENDENCY_CHECK_EXTRA_ARGS` pipeline variable to `--failOnCVSS <YOUR_CVSS_FAIL_SCORE> --suppression <PATH_TO_XML_FILE>` in your GitLab project's Settings → CI/CD → Variables.
INFO
- You will need to provide a `--failOnCVSS` score in `DEPENDENCY_CHECK_EXTRA_ARGS` even if you did not have a value set for that variable before (the default score is `7.6`).
- The path to the XML file is relative to the root of your repository.
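As an added example (not the XML produced by the report's `suppress` button), a suppression file that scopes each entry to one package and one finding and gives the risk-accepted entry an expiry date so it comes back for review; the package coordinates, CPE and CVE id are placeholders:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file; package, CPE and CVE values are placeholders. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Risk-accepted finding: one CVE on one package, matched by package URL regex.
       The until attribute (yyyy-MM-ddZ) makes the suppression expire, so the
       finding reappears in the report and has to be re-justified. -->
  <suppress until="2025-12-31Z">
    <notes><![CDATA[
      PLACEHOLDER-123: the vulnerable code path requires deserialising untrusted
      input, which this application never does with this library. Re-evaluate on expiry.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.example/example\-lib@.*$</packageUrl>
    <cve>CVE-0000-00000</cve>
  </suppress>

  <!-- False-positive CPE match: the analyzer mapped the package to a CPE for a
       different product. Suppress only that CPE for that package rather than
       every finding on the package, so real CVEs still fail the build. -->
  <suppress>
    <notes><![CDATA[
      PLACEHOLDER-124: example-lib is not the product identified by this CPE.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.example/example\-lib@.*$</packageUrl>
    <cpe>cpe:/a:example:example_product</cpe>
  </suppress>

</suppressions>
```

Once the `until` date passes, that entry stops applying and the finding returns to the report, which is the intended prompt to re-review the accepted risk.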