Update android suppressions #6328

Merged
merged 3 commits into from
Jun 7, 2024
28 changes: 17 additions & 11 deletions android/config/dependency-check-suppression.xml
@@ -8,17 +8,7 @@
<packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib.*@.*$</packageUrl>
<cve>CVE-2022-24329</cve>
</suppress>
<suppress until="2024-06-01Z">
<notes><![CDATA[
This CVE only affect the leakCanary build type which is limited to memory leak testing etc.
This will most likely be solved by bumping to a future version of the leakcanary dependency
where a fixed version of okio is used.
https://nvd.nist.gov/vuln/detail/CVE-2023-3635
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@.*$</packageUrl>
<cve>CVE-2023-3635</cve>
</suppress>
<suppress until="2024-06-01Z">
<suppress until="2024-09-01Z">
<notes><![CDATA[
This CVE only affect programs using loadXML and is derived from using ksp.
We do not use the loadXML, ksp is used to generate navigation paths in our code
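Review bot: Dropping the okio CVE-2023-3635 suppression (old lines 11-19) is only safe if the leakcanary dependency has actually been bumped to a release that pulls in a fixed okio, which is exactly what the removed note said it was waiting for; the PR should name that version, otherwise dependency-check will start failing on the leakCanary build type again. For the ksp/loadXML entry, the `until` date moves from `2024-06-01Z` to `2024-09-01Z` with no record of what is expected to change by then; adding the upstream tracking link inside the CDATA, as the okio note did with its NVD URL, would let the next person renewing it check whether the fix has landed.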
@@ -35,4 +25,20 @@
<packageUrl regex="true">^pkg:maven/androidx\.test\.services/storage@.*$</packageUrl>
<cve>CVE-2014-9152</cve>
</suppress>
<suppress until="2024-12-01Z">
<notes><![CDATA[
False-positive only affecting javascript gRPC packages.
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/protoc\-gen\-grpc\-kotlin@.*$</packageUrl>
<cve>CVE-2020-7768</cve>
</suppress>
<suppress until="2024-12-01Z">
<notes><![CDATA[
No impact on this app since it uses UDS rather than HTTP2.
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/.*@.*$</packageUrl>
<cve>CVE-2023-32732</cve>
<cve>CVE-2023-33953</cve>
<cve>CVE-2023-44487</cve>
</suppress>
</suppressions>
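Review bot: The new `^pkg:maven/io\.grpc/.*@.*$` pattern suppresses CVE-2023-32732, CVE-2023-33953 and CVE-2023-44487 for every io.grpc artifact, which is wider than the justification covers and wider than the `grpc.*-stub` pattern this same PR uses for the same three CVEs in android/test/test-suppression.xml; narrow it to the artifacts actually present in the build and keep the two files consistent. The note "uses UDS rather than HTTP2" also needs rewording: gRPC speaks HTTP/2 over a Unix domain socket as well, so what actually bounds exposure here is that the socket is local and not reachable by untrusted peers, and that is the argument worth recording so a future reader does not dismiss it. The CVE-2020-7768 entry is a reasonable false-positive suppression for protoc-gen-grpc-kotlin, but an NVD link in its CDATA would match the style of the other notes.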
19 changes: 9 additions & 10 deletions android/test/test-suppression.xml
@@ -1,15 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress until="2024-06-01Z">
<notes><![CDATA[
This CVE only affect the leakCanary build type which is limited to memory leak testing etc.
This will most likely be solved by bumping to a future version of the leakcanary dependency
where a fixed version of okio is used.
https://nvd.nist.gov/vuln/detail/CVE-2023-3635
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio.*@.*$</packageUrl>
<cve>CVE-2023-3635</cve>
</suppress>
<suppress until="2024-09-01Z">
<notes><![CDATA[
False-positive related to Drupal rather than Android development.
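Review bot: This is the same okio CVE-2023-3635 removal as in android/config/dependency-check-suppression.xml, so the same check applies: confirm the leakcanary/okio bump that makes the suppression unnecessary. Note that the two files used slightly different patterns for this artifact (`okio@` here versus `okio\.*@` style `okio.*@` in the config file); when entries are mirrored between the config and test suppression files, keeping the regex identical avoids one file silently matching more artifacts than the other.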
@@ -18,4 +8,13 @@
<packageUrl regex="true">^pkg:maven/androidx\.test\.services/storage@.*$</packageUrl>
<cve>CVE-2014-9152</cve>
</suppress>
<suppress until="2024-12-01Z">
<notes><![CDATA[
No impact on this app since it uses UDS rather than HTTP2.
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/grpc.*-stub@.*$</packageUrl>
<cve>CVE-2023-32732</cve>
<cve>CVE-2023-33953</cve>
<cve>CVE-2023-44487</cve>
</suppress>
</suppressions>
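Review bot: `^pkg:maven/io\.grpc/grpc.*-stub@.*$` is the narrower of the two patterns this PR adds for CVE-2023-32732, CVE-2023-33953 and CVE-2023-44487 and matches only the stub artifacts, whereas the config file suppresses all of io.grpc with the same note; decide which scope is intended and use it in both files, since a mismatch means the test run and the config run can disagree on the same dependency tree. As in the config file, the "UDS rather than HTTP2" wording should state what actually limits exposure (a local-only socket), because gRPC still uses HTTP/2 framing over a Unix domain socket.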