
Functionality to suppress CVEs #423

Open
kpe09 opened this issue Oct 17, 2024 · 4 comments · May be fixed by #424

Comments

@kpe09
Contributor

kpe09 commented Oct 17, 2024

A good function to have is the ability to suppress certain CVEs, so that they are shown as suppressed on the Dependency Track server, without any manual interaction with the web-app, and thus won't be considered for the findings goals if it is configured to fail the build.

A way to implement this would be adding a configuration where you can have a list of CVEs, with additional info such as state, justification and details. This suppression would be triggered while uploading a BOM, so that all further goals after the upload get the actual list of findings.

kpe09 pushed a commit to kpe09/dependency-track-maven-plugin that referenced this issue Oct 17, 2024
kpe09 pushed a commit to kpe09/dependency-track-maven-plugin that referenced this issue Oct 31, 2024
kpe09 pushed a commit to kpe09/dependency-track-maven-plugin that referenced this issue Nov 27, 2024
@henschi

henschi commented Nov 27, 2024

I think it's better to add a VEX (Vulnerability Exploitability Exchange) upload and Dependency-Track supports that.
There is an API call for this: /api/v1/vex
Here you can find some examples of VEX files: https://github.com/CycloneDX/bom-examples/tree/master/VEX

I think that would be a better solution as it is not a proprietary extension.

@kpe09
Contributor Author

kpe09 commented Nov 28, 2024

I'm not sure if this is what I need for my use-case. In my pipeline I generate a new BOM (with the cyclonedx-maven-plugin), upload it to Dependency-Track, suppress the CVEs that were already analysed, then finally execute the findings-goal, which would fail the pipeline if the findings are higher than the corresponding thresholds. I don't need the analysed vulnerabilities to be found in the findings again.

If I understand the principle of VEX correctly, I would need to reference the BOM, which in my case has a different reference each time, within the VEX for each vulnerability that I need to be suppressed in the "affects" block. Can I generate such a VEX within the pipeline after the upload, or am I understanding something wrong?

@pmckeown
Owner

@kpe09 sorry for the delay in responding. I need to find time to look into this requirement and think about how this can be applied within the tool to broadly fit various use cases.

@henschi

henschi commented Nov 29, 2024

@kpe09 Yes, you can upload a VEX file after uploading your BOM file. But it is important that you don't collect the findings before the VEX upload is completed and processed.
I used the VEX file as a replacement for the OWASP dependency check suppression file.

Here is a small example VEX file to suppress a false positive.

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "metadata" : {
    "timestamp" : "2024-11-22T00:00:00Z",
    "component" : {
      "type" : "library",
      "bom-ref" : "pkg:maven/ch.qos.logback.access/common@2.0.3?type=jar",
      "group" : "ch.qos.logback.access",
      "name" : "common",
      "version": "2.0.3",
      "description" : "Logback Access Common module",
      "purl" : "pkg:maven/ch.qos.logback.access/common@2.0.3?type=jar"
    }
  },
  "vulnerabilities": [
    {
      "id": "CVE-2015-5723",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5723"
      },
      "analysis": {
        "state": "false_positive",
        "response": ["will_not_fix"],
        "detail": "Statement: false_positive - invalid cpe pattern matching (doctrine-project:common pattern mismatch)"
      },
      "affects": [
        {
          "ref": "pkg:maven/ch.qos.logback.access/common@2.0.3?type=jar"
        }
      ]
    }
  ]
}
```

Another Maven plugin with its own suppression file can be found here: https://github.com/iabudiab/dependency-track-maven-plugin
But I prefer the standard VEX file format.
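As an added example (not code from the dependency-track-maven-plugin project, nor from kpe09 or henschi), here is the sequence henschi describes combined with the suppression list kpe09 proposes, as a stand-alone Python 3 script using only the standard library: a list of entries with state, justification and detail is turned into a CycloneDX 1.6 VEX whose `affects` refs are the component purl rather than a per-build BOM reference, the VEX is base64-encoded for `PUT /api/v1/vex`, and the findings are read only after the upload token stops reporting `processing`. Assumptions: the server URL and API key are placeholders, the sample component and suppression are constructed from the VEX above, and the token polling endpoint (`/api/v1/bom/token/{token}`) and `/api/v1/finding/project/{uuid}` are taken from the Dependency-Track REST API, not from this thread.

```python
"""Added example (not code from the dependency-track-maven-plugin project or any
commenter): drive the BOM -> VEX -> findings sequence from the thread against
Dependency-Track, using only the Python 3 standard library."""
import base64
import json
import time
import urllib.request

# Placeholders, not real endpoints or credentials (assumption: API-key header auth).
DT_BASE_URL = "https://dtrack.example.invalid"
DT_API_KEY = "REPLACE_WITH_API_KEY"

# analysis.state / analysis.justification values allowed by the CycloneDX 1.6 schema.
VALID_STATES = {"resolved", "resolved_with_pedigree", "exploitable", "in_triage",
                "false_positive", "not_affected"}
VALID_JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                        "requires_dependency", "requires_environment", "protected_by_compiler",
                        "protected_at_runtime", "protected_at_perimeter",
                        "protected_by_mitigating_control"}

# Constructed sample input mirroring the VEX posted in the thread.
SAMPLE_COMPONENT = {"group": "ch.qos.logback.access", "name": "common", "version": "2.0.3",
                    "purl": "pkg:maven/ch.qos.logback.access/common@2.0.3?type=jar"}
SAMPLE_SUPPRESSIONS = [{"id": "CVE-2015-5723", "state": "false_positive",
                        "detail": "invalid cpe pattern matching (doctrine-project:common mismatch)"}]


def build_vex(component, suppressions, timestamp):
    """Build a CycloneDX 1.6 VEX from a suppression list ({id, state, detail[,
    justification][, response][, affects]}). "affects" defaults to the component
    purl, so the file is tied to the package, not to a per-build BOM serial number."""
    vulns = []
    for s in suppressions:
        if s["state"] not in VALID_STATES:
            raise ValueError(f"{s['id']}: unknown analysis state {s['state']!r}")
        analysis = {"state": s["state"], "response": s.get("response", ["will_not_fix"]),
                    "detail": s["detail"]}
        if "justification" in s:
            if s["justification"] not in VALID_JUSTIFICATIONS:
                raise ValueError(f"{s['id']}: unknown justification {s['justification']!r}")
            analysis["justification"] = s["justification"]
        vulns.append({"id": s["id"],
                      "source": {"name": "NVD", "url": f"https://nvd.nist.gov/vuln/detail/{s['id']}"},
                      "analysis": analysis,
                      "affects": [{"ref": r} for r in s.get("affects", [component["purl"]])]})
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "metadata": {"timestamp": timestamp,
                         "component": {"type": "library", "bom-ref": component["purl"], **component}},
            "vulnerabilities": vulns}


def vex_upload_request(project_uuid, vex_document):
    """Body for PUT /api/v1/vex: the document is base64-encoded, like a BOM for PUT /api/v1/bom."""
    raw = json.dumps(vex_document, separators=(",", ":")).encode("utf-8")
    return {"project": project_uuid, "vex": base64.b64encode(raw).decode("ascii")}


def decode_vex_upload_request(body):
    """Inverse of vex_upload_request, for checking what the server will receive."""
    return json.loads(base64.b64decode(body["vex"]).decode("utf-8"))


def dt_request(method, path, body=None):
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(DT_BASE_URL + path, data=data, method=method,
                                 headers={"X-Api-Key": DT_API_KEY, "Accept": "application/json",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_until_processed(is_processing, timeout_s=300.0, interval_s=2.0, sleep=time.sleep):
    """Poll is_processing() until it returns False. Returns the number of polls made and
    raises TimeoutError after timeout_s, so findings are never read too early."""
    deadline = time.monotonic() + timeout_s
    polls = 0
    while True:
        polls += 1
        if not is_processing():
            return polls
        if time.monotonic() >= deadline:
            raise TimeoutError("Dependency-Track is still processing the upload")
        sleep(interval_s)


def suppress_then_collect(project_uuid, vex_document):
    """Upload the VEX, wait for the server to apply it, then read the findings.
    Assumption: the upload answers {"token": ...} and GET /api/v1/bom/token/{token}
    answers {"processing": bool} for that token, as it does for BOM uploads."""
    token = dt_request("PUT", "/api/v1/vex", vex_upload_request(project_uuid, vex_document))["token"]
    wait_until_processed(lambda: bool(dt_request("GET", f"/api/v1/bom/token/{token}")["processing"]))
    return dt_request("GET", f"/api/v1/finding/project/{project_uuid}")


if __name__ == "__main__":
    vex = build_vex(SAMPLE_COMPONENT, SAMPLE_SUPPRESSIONS, "2024-11-22T00:00:00Z")
    print(json.dumps(vex, indent=2))  # upload with suppress_then_collect("<project-uuid>", vex)
```

Running the script prints the generated VEX; wiring `suppress_then_collect` into the pipeline step between the BOM upload and the findings goal gives the ordering henschi insists on, and the `TimeoutError` path makes a slow server fail the step loudly instead of letting the findings goal run against stale analyses.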
