From 7d761d2600787d373639abe5e20ed51805880cd8 Mon Sep 17 00:00:00 2001 From: Albin Date: Fri, 7 Jun 2024 10:44:56 +0200 Subject: [PATCH 1/3] Push suppression of CVE-2018-1000840 Pushing the suppression a few months so that we can revisit it after bumping to K2. --- android/config/dependency-check-suppression.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/android/config/dependency-check-suppression.xml b/android/config/dependency-check-suppression.xml index 5415813d1a1e..c7fd525968f4 100644 --- a/android/config/dependency-check-suppression.xml +++ b/android/config/dependency-check-suppression.xml @@ -18,7 +18,7 @@ ^pkg:maven/com\.squareup\.okio/okio@.*$ CVE-2023-3635 - + Date: Fri, 7 Jun 2024 10:46:22 +0200 Subject: [PATCH 2/3] Remove outdated suppression for CVE-2023-3635 --- android/config/dependency-check-suppression.xml | 10 ---------- android/test/test-suppression.xml | 10 ---------- 2 files changed, 20 deletions(-) diff --git a/android/config/dependency-check-suppression.xml b/android/config/dependency-check-suppression.xml index c7fd525968f4..cfc9a57563cc 100644 --- a/android/config/dependency-check-suppression.xml +++ b/android/config/dependency-check-suppression.xml @@ -8,16 +8,6 @@ ^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib.*@.*$ CVE-2022-24329 - - - ^pkg:maven/com\.squareup\.okio/okio@.*$ - CVE-2023-3635 - - - - ^pkg:maven/com\.squareup\.okio/okio.*@.*$ - CVE-2023-3635 - Date: Fri, 7 Jun 2024 11:23:58 +0200 Subject: [PATCH 3/3] Suppress gRPC CVEs These CVEs are a combination of a false-positive and CVEs not affecting our app. --- android/config/dependency-check-suppression.xml | 16 ++++++++++++++++ android/test/test-suppression.xml | 9 +++++++++ 2 files changed, 25 insertions(+) diff --git a/android/config/dependency-check-suppression.xml b/android/config/dependency-check-suppression.xml index cfc9a57563cc..589b5d5317fa 100644 --- a/android/config/dependency-check-suppression.xml 
+++ b/android/config/dependency-check-suppression.xml @@ -25,4 +25,20 @@ ^pkg:maven/androidx\.test\.services/storage@.*$ CVE-2014-9152 + + + ^pkg:maven/io\.grpc/protoc\-gen\-grpc\-kotlin@.*$ + CVE-2020-7768 + + + + ^pkg:maven/io\.grpc/.*@.*$ + CVE-2023-32732 + CVE-2023-33953 + CVE-2023-44487 + diff --git a/android/test/test-suppression.xml b/android/test/test-suppression.xml index ef8f8c470262..fac53625c9a1 100644 --- a/android/test/test-suppression.xml +++ b/android/test/test-suppression.xml @@ -8,4 +8,13 @@ ^pkg:maven/androidx\.test\.services/storage@.*$ CVE-2014-9152 + + + ^pkg:maven/io\.grpc/grpc.*-stub@.*$ + CVE-2023-32732 + CVE-2023-33953 + CVE-2023-44487 +
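Review bot: The new `^pkg:maven/io\.grpc/.*@.*$` entry in dependency-check-suppression.xml silences CVE-2023-32732, CVE-2023-33953 and CVE-2023-44487 for every io.grpc artifact at every version, so a later gRPC upgrade or a newly added io.grpc dependency that is genuinely affected would be hidden as well. The XML tags are not visible in this rendering, so it is unclear whether these entries carry an `until` date or a `<notes>` element; if they do not, each `<suppress>` should get an `until` expiry (as the CVE-2018-1000840 entry in patch 1 appears to have) and a `<notes>` line stating, per CVE, whether it is the false positive or the not-applicable case and why. Consider narrowing the pattern to the artifacts the scanner actually flagged, as the test-suppression.xml hunk already does with `^pkg:maven/io\.grpc/grpc.*-stub@.*$`. That second hunk needs the same expiry and notes, and its `-` is unescaped where the config file writes `\-`, which is harmless but inconsistent.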