Is your feature request related to a problem? Please describe.
A feature to find unused suppressions from the provided XML was added (thanks!); in our Gradle config we use failBuildOnUnusedSuppressionRule = true for that.
However, it seems only whole suppression entries are checked for being unused.
We collect suppressions like so, for example for the package vite:
<suppress>
    <notes><![CDATA[
    We are not exposing the Vite dev server to the network.
    ]]></notes>
    <packageUrl regex="true">^pkg:npm/vite@.*$</packageUrl>
    <cve>CVE-2023-34092</cve>
    <vulnerabilityName>GHSA-353f-5xf4-qw67</vulnerabilityName>
    <cve>CVE-2024-23331</cve>
    <vulnerabilityName>GHSA-c24v-8rfc-w8vw</vulnerabilityName>
    <cve>CVE-2025-32395</cve>
    <vulnerabilityName>GHSA-356w-63v5-8wf4</vulnerabilityName>
    <vulnerabilityName>GHSA-859w-5945-r5v3</vulnerabilityName>
    <cve>CVE-2024-45811</cve>
    <vulnerabilityName>GHSA-g4jq-h2w9-997c</vulnerabilityName>
    <vulnerabilityName>GHSA-jqfw-vq24-v9c3</vulnerabilityName>
    <cve>CVE-2025-30208</cve>
    <cve>CVE-2025-31125</cve>
    <cve>CVE-2025-62522</cve>
    <vulnerabilityName>GHSA-93m4-6634-74q7</vulnerabilityName>
</suppress>
We use multiple versions of vite; see the report snippet below. As you can see, the older vite version has more suppressed vulnerabilities.
Describe the solution you'd like
If I also update the older vite version to 6.3.5, for example, I would like to see those suppressions (like CVE-2023-34092) reported as unused when I use failBuildOnUnusedSuppressionRule.
Solution: Check whether any sub-entry of a suppression is unused, so that it is possible to remove it.
Describe alternatives you've considered
One could split the suppressions so that each suppression has only one cve or vulnerabilityName entry; however, that would bloat the suppressions XML file.
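The per-entry check this request describes, written out as an added Python example (it is not part of this issue and not dependency-check's own code). It parses the vite rule from the issue plus one placeholder rule, runs a constructed list of findings against them, and lists every cve / vulnerabilityName child that suppressed nothing, alongside the existing whole-rule result. The matching model is a simplification and an assumption of this example: a rule's packageUrl (literal, or a regex when regex="true") selects findings, and each child matches a finding's id exactly, or by regex when it carries regex="true". The findings, the placeholder package and its CVE id are constructed, and nothing here asserts which ids actually affect vite 6.3.5.

```python
"""Added example: find cve / vulnerabilityName children of a <suppress> rule
that never matched a finding. Not dependency-check's own code."""
import re
import xml.etree.ElementTree as ET

# Constructed suppression file: the vite rule from the issue plus a placeholder rule.
# Real files carry the xmlns shown here; tags are compared by local name below.
SUPPRESSIONS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
    We are not exposing the Vite dev server to the network.
    ]]></notes>
    <packageUrl regex="true">^pkg:npm/vite@.*$</packageUrl>
    <cve>CVE-2023-34092</cve>
    <vulnerabilityName>GHSA-353f-5xf4-qw67</vulnerabilityName>
    <cve>CVE-2024-23331</cve>
    <vulnerabilityName>GHSA-c24v-8rfc-w8vw</vulnerabilityName>
    <cve>CVE-2025-32395</cve>
    <vulnerabilityName>GHSA-356w-63v5-8wf4</vulnerabilityName>
    <vulnerabilityName>GHSA-859w-5945-r5v3</vulnerabilityName>
    <cve>CVE-2024-45811</cve>
    <vulnerabilityName>GHSA-g4jq-h2w9-997c</vulnerabilityName>
    <vulnerabilityName>GHSA-jqfw-vq24-v9c3</vulnerabilityName>
    <cve>CVE-2025-30208</cve>
    <cve>CVE-2025-31125</cve>
    <cve>CVE-2025-62522</cve>
    <vulnerabilityName>GHSA-93m4-6634-74q7</vulnerabilityName>
  </suppress>
  <suppress>
    <notes>Placeholder rule for a package that is no longer in the build.</notes>
    <packageUrl>pkg:npm/example-removed-pkg@1.0.0</packageUrl>
    <cve>CVE-0000-00001</cve>
  </suppress>
</suppressions>
"""

# Constructed findings: (package URL, vulnerability id) pairs standing in for a
# scan result after every vite dependency has been moved to 6.3.5. Illustrative only.
FINDINGS = [
    ("pkg:npm/vite@6.3.5", "CVE-2025-62522"),
    ("pkg:npm/vite@6.3.5", "GHSA-93m4-6634-74q7"),
]


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def parse_rules(xml_text):
    """Return one dict per <suppress>: packageUrl, its regex flag, and the
    (kind, id, is_regex) children of kind cve or vulnerabilityName."""
    rules = []
    for sup in ET.fromstring(xml_text):
        if local_name(sup.tag) != "suppress":
            continue
        rule = {"packageUrl": None, "regex": False, "entries": []}
        for child in sup:
            name = local_name(child.tag)
            text = (child.text or "").strip()
            is_regex = child.get("regex", "false").lower() == "true"
            if name == "packageUrl":
                rule["packageUrl"], rule["regex"] = text, is_regex
            elif name in ("cve", "vulnerabilityName"):
                rule["entries"].append((name, text, is_regex))
        rules.append(rule)
    return rules


def package_matches(rule, purl):
    """Simplified packageUrl selection: full regex match or literal equality."""
    if rule["packageUrl"] is None:
        return True  # a rule without packageUrl applies to every dependency
    if rule["regex"]:
        return re.fullmatch(rule["packageUrl"], purl) is not None
    return rule["packageUrl"] == purl


def entry_matches(entry, vuln_id):
    _kind, pattern, is_regex = entry
    return re.fullmatch(pattern, vuln_id) is not None if is_regex else pattern == vuln_id


def unused_entries(rules, findings):
    """Per rule: the (kind, id) children that matched no finding, plus the
    whole-rule verdict the existing failBuildOnUnusedSuppressionRule check gives."""
    report = []
    for idx, rule in enumerate(rules):
        used, package_hit = set(), False
        for purl, vuln_id in findings:
            if not package_matches(rule, purl):
                continue
            package_hit = True
            used.update(e for e in rule["entries"] if entry_matches(e, vuln_id))
        report.append({
            "rule": idx,
            "packageUrl": rule["packageUrl"],
            "unused": [(kind, ident) for kind, ident, _ in rule["entries"] if (kind, ident, _) not in used],
            "whole_rule_unused": not package_hit or (bool(rule["entries"]) and not used),
        })
    return report


def format_report(report):
    lines = []
    for r in report:
        status = "UNUSED RULE" if r["whole_rule_unused"] else "rule in use"
        lines.append(f"suppress #{r['rule']} ({r['packageUrl']}): {status}")
        lines.extend(f"  unused <{kind}>{ident}</{kind}>" for kind, ident in r["unused"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(unused_entries(parse_rules(SUPPRESSIONS_XML), FINDINGS)))
```

Run as-is, the vite rule is reported as "in use" (two of its fourteen children matched) while the other twelve children, CVE-2023-34092 among them, are listed as removable; the placeholder rule is flagged unused as a whole, which is the only signal the current whole-rule check can give.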