Merge branch 'update-android-suppressions'
albin-mullvad committed Jun 7, 2024
2 parents bd71954 + b609976 commit 8a7bc6a
Showing 2 changed files with 26 additions and 21 deletions.
28 changes: 17 additions & 11 deletions android/config/dependency-check-suppression.xml
@@ -8,17 +8,7 @@
<packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib.*@.*$</packageUrl>
<cve>CVE-2022-24329</cve>
</suppress>
<suppress until="2024-06-01Z">
<notes><![CDATA[
This CVE only affect the leakCanary build type which is limited to memory leak testing etc.
This will most likely be solved by bumping to a future version of the leakcanary dependency
where a fixed version of okio is used.
https://nvd.nist.gov/vuln/detail/CVE-2023-3635
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@.*$</packageUrl>
<cve>CVE-2023-3635</cve>
</suppress>
<suppress until="2024-06-01Z">
<suppress until="2024-09-01Z">
<notes><![CDATA[
This CVE only affect programs using loadXML and is derived from using ksp.
We do not use the loadXML, ksp is used to generate navigation paths in our code
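Review bot: the ksp/loadXML suppression is pushed out from 2024-06-01Z to 2024-09-01Z with no change to its notes, so nothing records why the original deadline was missed or which ksp version was checked; add a line to the CDATA block stating the version verified and the condition for dropping the entry, otherwise the next extension will be just as unexplained. The removal of the expired CVE-2023-3635 okio entry is the right call once a fixed okio is pulled in, but please confirm in the PR that dependency-check now passes on the leakCanary build type without it rather than only on the default build. Nit: "This CVE only affect" should read "affects" in both retained notes.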
@@ -35,4 +25,20 @@
<packageUrl regex="true">^pkg:maven/androidx\.test\.services/storage@.*$</packageUrl>
<cve>CVE-2014-9152</cve>
</suppress>
<suppress until="2024-12-01Z">
<notes><![CDATA[
False-positive only affecting javascript gRPC packages.
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/protoc\-gen\-grpc\-kotlin@.*$</packageUrl>
<cve>CVE-2020-7768</cve>
</suppress>
<suppress until="2024-12-01Z">
<notes><![CDATA[
No impact on this app since it uses UDS rather than HTTP2.
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/.*@.*$</packageUrl>
<cve>CVE-2023-32732</cve>
<cve>CVE-2023-33953</cve>
<cve>CVE-2023-44487</cve>
</suppress>
</suppressions>
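Review bot: the packageUrl `^pkg:maven/io\.grpc/.*@.*$` for CVE-2023-32732, CVE-2023-33953 and CVE-2023-44487 matches every io.grpc artifact, present and future, which is broader than the `grpc.*-stub` pattern used for the same CVEs in android/test/test-suppression.xml; narrow it to the artifacts the app actually ships unless blanket coverage is intended, and use the same scope in both files. The justification "uses UDS rather than HTTP2" should also be sharpened: a Unix domain socket is the transport, and gRPC still frames traffic as HTTP/2 over it, so the note as written does not say why the HTTP/2-level issues are out of scope. Record the actual argument (for example that the app is only a client talking to a local daemon) so it can be re-evaluated when the 2024-12-01Z deadline comes up. For CVE-2020-7768 on protoc-gen-grpc-kotlin, the "false-positive" note would benefit from the matching reason (a JavaScript package name collision) so a reader does not have to re-derive it.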
19 changes: 9 additions & 10 deletions android/test/test-suppression.xml
@@ -1,15 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress until="2024-06-01Z">
<notes><![CDATA[
This CVE only affect the leakCanary build type which is limited to memory leak testing etc.
This will most likely be solved by bumping to a future version of the leakcanary dependency
where a fixed version of okio is used.
https://nvd.nist.gov/vuln/detail/CVE-2023-3635
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio.*@.*$</packageUrl>
<cve>CVE-2023-3635</cve>
</suppress>
<suppress until="2024-09-01Z">
<notes><![CDATA[
False-positive related to Drupal rather than Android development.
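Review bot: the deleted okio block is the same expired CVE-2023-3635 suppression removed from android/config/dependency-check-suppression.xml, so the two files are kept in step here. Note that the two copies had already drifted (`okio.*@` in this file versus `okio@` in the config file), which is a sign that entries duplicated across the two suppression files should be reviewed together whenever one changes.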
@@ -18,4 +8,13 @@
<packageUrl regex="true">^pkg:maven/androidx\.test\.services/storage@.*$</packageUrl>
<cve>CVE-2014-9152</cve>
</suppress>
<suppress until="2024-12-01Z">
<notes><![CDATA[
No impact on this app since it uses UDS rather than HTTP2.
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/grpc.*-stub@.*$</packageUrl>
<cve>CVE-2023-32732</cve>
<cve>CVE-2023-33953</cve>
<cve>CVE-2023-44487</cve>
</suppress>
</suppressions>
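Review bot: this entry uses `^pkg:maven/io\.grpc/grpc.*-stub@.*$` while the config file's new entry for the identical three CVEs uses `^pkg:maven/io\.grpc/.*@.*$`; the two should agree, and the narrower form here is the safer default since it does not silently cover artifacts added later. The same wording concern applies to the "UDS rather than HTTP2" note as in the config file: state the concrete reason the HTTP/2 issues do not apply to this module so the suppression can be re-checked rather than re-extended at 2024-12-01Z.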