fix(fp): Consolidate false positive suppressions for graphql-java

[chadlwilson]

Description of Change

Consolidates the many FP suppressions for graphql-java CPE into a single negative lookahead. There is a single package that represents this project and its CPE.

Related issues

• fixes [FP]: graphql-java-client-runtime@3.0.1 flagged with CVE-2022-37734 #8089
• fixes [FP]: graphql-java-common-dependencies-3.0.1.pom flagged with CVE-2022-37734 #8091
• fixes [FP]: com.graphql-java-generator/graphql-java-common-runtime flagged with CVE-2022-37734 #8093
• fixes [FP]: com.graphql-java-generator/graphql-java-common-runtime flagged with CVE-2023-28867 #8094

Have test cases been added to cover the new functionality?

N/A - note merging to generated/hosted suppressions only

[jeremylong]

I realized we've likely messed up the generated suppression and the base suppression files with a few of these PRs. We have, in several releases, copied the contents of the generated suppression into the base suppression file. This is done to support users who operate in an offline mode. As such, an PR that has updated just the generated suppressions has likely left the original suppressions in the base suppression file shipped with ODC.

[chadlwilson]

Yeah, I have been meaning to discuss that. I don't really think it has screwed anything up generally (as we are augmenting suppressions rather than dealing with false negatives), but it has made it more indeterministic and practically impossible to reduce the breadth of a suppression in a predictable manner.

Personally I don't really like the practice of copying the suppressions across, as it makes the suppressions even more impossible to maintain than they already are. It's made even worse because

• they are across two branches you can't even see together at the same time easily
• there is no practical way you can ever de-duplicate that accounts for old ODC versions with new hosted-suppressions AND newer ODC with stale/offline hosted suppressions ... without creating gaps

In my opinion, if the intent is to support offline for hosted suppressions at build time we should automatically fetch and package an exact snapshot of the hosted suppressions file. At runtime, that would be used to pre-populate the configured data directory location's cache (if it is newer than the current version), and the files are kept entirely separate, and predictably updated every official release; so not duplicating rules intentionally across both.

Or we just stop supporting that offline thing entirely and treat it the same way as other online data sources? If you need to run offline you need to sort out out your own practice for updating the hosted suppressions just like you have to for NVD?

[jeremylong]

Great suggestion regarding just grabbing the latest generated suppression for each release.

[jeremylong]

First of three PRs to clean up the differences between the generated and base suppression file has been created #8116. It will download and utilize the generated suppression file during the build. Subsequent PRs will clean up the base suppression file.

[chadlwilson]

OK, will take a look tomorrow if I get a chance :-)