MergeBase CLT Command Line Tool Suppression (.mergebase.suppressions.json)

Place a “.mergebase.suppressions.json” file at the root of your project (in the same directory as the “.git/” directory).

This file controls which vulnerabilities should be suppressed by the mergebase.jar command-line-tool.

Each “suppression” entry can contain any (or all) of the following:

• “name” – the name of the component to suppress
• “version” – the specific version of the component to suppress
• “cves” – the list of CVEs to suppress
• “path” – the subdirectory to suppress

A suppression takes effect when every coordinate in the suppression entry matches the vulnerability under consideration. The more coordinates supplied in a single suppression entry, the more selective it becomes.

Each suppression entry can also include an optional “expires” date (YYYY-MM-DD), and an optional “comment”.

Example File (“project-root/.mergebase.suppressions.json”):

 {  
  "about":"https://mergebase.com/clt-suppressions", 
   "clt.suppressions":\[ 
     {  
       "name":"npm:uglify-js",  
       "cves":\["CVE-2020-28488"\],  
       "expires": "2022-12-31",  
       "comment": "This entry suppresses CVE-2020-28488 when it occurs against npm:uglify-js"  
     }, 
   
     {  
       "name":"nuget:Microsoft.NETCore.App",  
       "version":"2.0.0",  
       "expires": "2021-12-31",  
       "comment": "This entry suppresses \*ALL\* vulnerabilities related to nuget:Microsoft.NETCore.App version 2.0.0"  
     },  
   
     {  
       "cves":\["CVE-2018-8416"\],  
       "comment": "This entry suppresses CVE-2018-8416 for all components. This entry never expires!"  
     }  
   \]  
 }

You can run “java -jar mergebase.jar –debug” (with the “–debug” flag) to see how suppressions are being applied.

Example:

DEBUG: using /opt/mergebase/src/orleans/.mergebase.suppressions.json for suppressions  
DEBUG: suppressions.json suppressed VULN=CVE-2018-8416 FOR=nuget:Microsoft.NETCore.App

For more information or support, contact us.