Skip to content

fix(fp): suppress non-golang false positives for distribution project#8409

Merged
jeremylong merged 1 commit intodependency-check:generatedSuppressionsfrom
chadlwilson:patch-1
Apr 11, 2026
Merged

fix(fp): suppress non-golang false positives for distribution project#8409
jeremylong merged 1 commit intodependency-check:generatedSuppressionsfrom
chadlwilson:patch-1

Conversation

@chadlwilson
Copy link
Copy Markdown
Collaborator

@chadlwilson chadlwilson commented Apr 10, 2026
edited
Loading

Description of Change

The distribution project: https://github.com/distribution/distribution is a golang toolkit with an extremely generic name likely to generate false positives in many different places.

This change proposes a generic suppression against anything that's not golang, as a workaround for lack of support for the extended attributes in CPEs (:go:) as denoted in NVD (surprisingly given I think it only has one language).

Related issues

Have test cases been added to cover the new functionality?

N/A

@jeremylong jeremylong merged commit e0a5d30 into dependency-check:generatedSuppressions Apr 11, 2026
1 check passed
@jeremylong
Copy link
Copy Markdown
Collaborator

jeremylong commented Apr 11, 2026

publishing here: https://github.com/dependency-check/DependencyCheck/actions/runs/24285348794

@jeremylong jeremylong added this to the 12.2.1 milestone Apr 11, 2026
@chadlwilson chadlwilson removed this from the 12.2.1 milestone Apr 11, 2026
@chadlwilson chadlwilson deleted the patch-1 branch April 11, 2026 15:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jeremylong jeremylong jeremylong approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chadlwilson @jeremylong