
Conversation

@chadlwilson
Collaborator

@chadlwilson chadlwilson commented Nov 3, 2025

Description of Change

Consolidates the many FP suppressions for graphql-java CPE into a single negative lookahead. There is a single package that represents this project and its CPE.

Related issues

Have test cases been added to cover the new functionality?

N/A - note merging to generated/hosted suppressions only
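Added illustration of the consolidation described above (example code, not part of the PR or of Dependency-Check): the same false-positive matches evaluated against per-package suppressions and against one negative-lookahead packageUrl regex. The CPE string, the Maven coordinates and the sample purls are assumptions constructed for the example.

```python
import re

# Assumed for this example: the one artifact that genuinely maps to the CPE,
# and the CPE that the graphql-java false positives attach to.
GRAPHQL_JAVA_CPE = "cpe:/a:graphql-java:graphql-java"

# The consolidated rule: suppress the CPE for any Maven purl EXCEPT the single
# package that legitimately represents the project. The negative lookahead
# (?!...) rejects that coordinate; every other Maven purl matches.
CONSOLIDATED_PACKAGE_URL_REGEX = re.compile(
    r"^pkg:maven/(?!com\.graphql-java/graphql-java@).*$"
)

# The older shape being replaced: one packageUrl regex per known false positive.
# Constructed examples; any artifact not listed here is simply not suppressed.
PER_PACKAGE_REGEXES = [
    re.compile(r"^pkg:maven/com\.graphql-java/graphql-java-extended-scalars@.*$"),
    re.compile(r"^pkg:maven/com\.graphql-java-kickstart/.*$"),
]

# Constructed (purl, cpe) pairs of the kind a scan report might contain.
SAMPLE_MATCHES = [
    ("pkg:maven/com.graphql-java/graphql-java@22.3", GRAPHQL_JAVA_CPE),
    ("pkg:maven/com.graphql-java/graphql-java-extended-scalars@22.0", GRAPHQL_JAVA_CPE),
    ("pkg:maven/com.graphql-java-kickstart/graphql-java-tools@13.1.1", GRAPHQL_JAVA_CPE),
    ("pkg:maven/com.example/graphql-java-flavour@1.0", GRAPHQL_JAVA_CPE),
    ("pkg:npm/graphql@16.9.0", GRAPHQL_JAVA_CPE),
]


def is_suppressed(package_url: str, cpe: str, rules) -> bool:
    """True when the CPE is the suppressed one and some rule's regex matches the purl."""
    return cpe == GRAPHQL_JAVA_CPE and any(r.fullmatch(package_url) for r in rules)


def evaluate(rules, matches=SAMPLE_MATCHES):
    """Map each reported purl to whether the given rule set suppresses its CPE match."""
    return {purl: is_suppressed(purl, cpe, rules) for purl, cpe in matches}


if __name__ == "__main__":
    for name, rules in (("per-package", PER_PACKAGE_REGEXES),
                        ("consolidated", [CONSOLIDATED_PACKAGE_URL_REGEX])):
        print(name)
        for purl, suppressed in evaluate(rules).items():
            print(f"  {'suppress' if suppressed else 'keep    '} {purl}")
```

The consolidated form is deliberately broader: the genuine artifact keeps its CPE match while every other Maven purl loses it, which is only sound under the premise stated above that exactly one package represents this CPE.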

@jeremylong
Collaborator

I realized we've likely messed up the generated suppression and the base suppression files with a few of these PRs. We have, in several releases, copied the contents of the generated suppression into the base suppression file. This is done to support users who operate in an offline mode. As such, a PR that has updated just the generated suppressions has likely left the original suppressions in the base suppression file shipped with ODC.

@chadlwilson
Collaborator Author

Yeah, I have been meaning to discuss that. I don't really think it has screwed anything up generally (as we are augmenting suppressions rather than dealing with false negatives), but it has made it more indeterministic and practically impossible to reduce the breadth of a suppression in a predictable manner.

Personally I don't really like the practice of copying the suppressions across, as it makes the suppressions even more impossible to maintain than they already are. It's made even worse because

  • they are across two branches you can't even see together at the same time easily
  • there is no practical way you can ever de-duplicate that accounts for old ODC versions with new hosted-suppressions AND newer ODC with stale/offline hosted suppressions ... without creating gaps

In my opinion, if the intent is to support offline for hosted suppressions at build time we should automatically fetch and package an exact snapshot of the hosted suppressions file. At runtime, that would be used to pre-populate the configured data directory location's cache (if it is newer than the current version), and the files are kept entirely separate, and predictably updated every official release; so not duplicating rules intentionally across both.

Or we just stop supporting that offline thing entirely and treat it the same way as other online data sources? If you need to run offline you need to sort out your own practice for updating the hosted suppressions just like you have to for NVD?
