Jenkins issue JENKINS-49139

Auto-decrement of thresholds


Excerpt from an email sent to the mailing list:

I am using the DependencyCheckPublisher in a Jenkinsfile. I have an agreement with the application projects that false positives are placed in the cve-suppression file. In case an app project accepts a risk, for example because there is no fix right now, they increase the threshold by one in the Jenkinsfile and commit/push/merge it.

Unfortunately, as soon as the number of known vulnerabilities decreases, the app projects do not adjust the threshold(s). From my point of view it is important to visualize all risks in the application. Using the cve-suppression file to accept risks leads to risks that are not visible.

I think of two solutions here:
1) Automatic decrease of unstableTotalHigh/unstableTotalNormal/failedTotalHigh/failedTotalNormal in case the actual threshold is higher than the number of vulnerabilities in that category.
2) Use of a file like the cve-suppression file for the Jenkinsfile, where the risks are still shown.

After we know what we want, we can think about the implementation.

Just to add a disadvantage of solution 1: it is not clear why the threshold is decreased, so only the number of vulnerabilities is traceable.
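As an added illustration of solution 1 (this is not code from the issue, the reporter, or the Dependency-Check plugin), the script below counts findings per category in a dependency-check report, ratchets the four thresholds named above down to the current count, and records an audit line for every change so that the "why was it lowered" question raised in the last paragraph has an answer in the commit. The report and Jenkinsfile fragments are constructed samples; the `dependencyCheckPublisher` step syntax, the Medium-to-Normal severity mapping and the "count exceeds threshold" semantics are assumptions, only the four parameter names come from the issue text.

```python
"""Added example: ratchet DependencyCheckPublisher-style thresholds down to the
current finding count (solution 1) while keeping an audit trail of each change.
All inputs below are constructed samples, not real project data."""
import re
import xml.etree.ElementTree as ET

# Constructed report in the shape of a dependency-check XML result (simplified:
# real reports carry an XML namespace and many more elements per finding).
SAMPLE_REPORT = """<analysis>
  <dependencies>
    <dependency>
      <fileName>lib-a-1.0.jar</fileName>
      <vulnerabilities>
        <vulnerability><name>CVE-0000-0001</name><severity>High</severity></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>lib-b-2.0.jar</fileName>
      <vulnerabilities>
        <vulnerability><name>CVE-0000-0002</name><severity>High</severity></vulnerability>
        <vulnerability><name>CVE-0000-0003</name><severity>Medium</severity></vulnerability>
      </vulnerabilities>
    </dependency>
  </dependencies>
</analysis>"""

# Constructed Jenkinsfile fragment. The step name and argument syntax are an
# assumption; only the four threshold parameter names come from the issue.
SAMPLE_JENKINSFILE = """pipeline {
  agent any
  stages {
    stage('Dependency scan') {
      steps {
        dependencyCheckPublisher pattern: '**/dependency-check-report.xml',
          unstableTotalHigh: 4, unstableTotalNormal: 3,
          failedTotalHigh: 6, failedTotalNormal: 6
      }
    }
  }
}
"""

THRESHOLD_KEYS = ("unstableTotalHigh", "unstableTotalNormal",
                  "failedTotalHigh", "failedTotalNormal")

# dependency-check reports High/Medium/Low; the publisher's categories are
# High/Normal/Low, so Medium is folded into Normal (assumed mapping). Unknown or
# missing severities are counted as Low rather than dropped.
SEVERITY_TO_CATEGORY = {"critical": "High", "high": "High",
                        "medium": "Normal", "moderate": "Normal", "low": "Low"}


def count_findings(report_xml):
    """Return {'High': n, 'Normal': n, 'Low': n} for every <vulnerability> in the report."""
    counts = {"High": 0, "Normal": 0, "Low": 0}
    for vuln in ET.fromstring(report_xml).iter("vulnerability"):
        severity = (vuln.findtext("severity") or "low").strip().lower()
        counts[SEVERITY_TO_CATEGORY.get(severity, "Low")] += 1
    return counts


def read_thresholds(jenkinsfile):
    """Pick the integer literal after each known threshold name out of the Jenkinsfile."""
    found = {}
    for key in THRESHOLD_KEYS:
        match = re.search(r"\b%s\s*:\s*(\d+)" % key, jenkinsfile)
        if match:
            found[key] = int(match.group(1))
    return found


def ratchet(thresholds, counts):
    """Lower every threshold that sits above the current count; never raise one.
    Returns the new thresholds and one audit line per change (the traceability
    the issue's last paragraph asks for)."""
    tightened = dict(thresholds)
    audit = []
    for key, value in thresholds.items():
        category = "High" if key.endswith("High") else "Normal"
        actual = counts[category]
        if value > actual:
            tightened[key] = actual
            audit.append(f"{key}: {value} -> {actual} ({actual} {category} finding(s) in report)")
    return tightened, audit


def rewrite_thresholds(jenkinsfile, thresholds):
    """Write the new integer literals back into the Jenkinsfile text."""
    text = jenkinsfile
    for key, value in thresholds.items():
        text = re.sub(r"\b(%s\s*:\s*)\d+" % key,
                      lambda m, v=value: f"{m.group(1)}{v}", text)
    return text


def build_result(counts, thresholds):
    """Assumed publisher semantics: a count that exceeds a threshold trips it,
    and failed* thresholds take precedence over unstable* ones."""
    for prefix, result in (("failedTotal", "FAILURE"), ("unstableTotal", "UNSTABLE")):
        for category in ("High", "Normal"):
            limit = thresholds.get(prefix + category)
            if limit is not None and counts[category] > limit:
                return result
    return "SUCCESS"


if __name__ == "__main__":
    counts = count_findings(SAMPLE_REPORT)
    current = read_thresholds(SAMPLE_JENKINSFILE)
    tightened, audit = ratchet(current, counts)
    print("findings:", counts, "result with current thresholds:", build_result(counts, current))
    for line in audit:
        print("ratchet:", line)  # these lines belong in the commit message
    print(rewrite_thresholds(SAMPLE_JENKINSFILE, tightened))
```

The audit lines are the point: if the job commits the rewritten Jenkinsfile with those lines as the commit message, the history shows both the new number and the count that justified it, which is the information solution 1 alone would lose.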

Assignee: Unassigned
Reporter: Steve Springett (sspringett)