-
Notifications
You must be signed in to change notification settings - Fork 17
/
dependency-check-suppressions.xml
83 lines (83 loc) · 2.89 KB
/
dependency-check-suppressions.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
file name: spring-web-5.3.24.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
<vulnerabilityName>CVE-2016-1000027</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
Snakeyaml is used by spring to parse application properties - see https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471 for details
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
<cve>CVE-2022-1471</cve>
<cve>CVE-2021-4235</cve>
<cve>CVE-2022-3064</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: aws-crt-0.19.11.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/software\.amazon\.awssdk\.crt/aws\-crt@.*$</packageUrl>
<cve>CVE-2022-31159</cve>
</suppress>
<suppress>
<notes><![CDATA[
Our apache commons packages don't include the old version with CVE-2021-37533
]]></notes>
<packageUrl regex="true">^pkg:maven/.*commons.*$</packageUrl>
<cve>CVE-2021-37533</cve>
</suppress>
<suppress>
<notes><![CDATA[
False positive - no utils_project used in our java dependencies
]]></notes>
<packageUrl regex="true">^pkg:maven/.*$</packageUrl>
<cve>CVE-2021-4277</cve>
</suppress>
<suppress>
<notes><![CDATA[
We don't use Guava's temp file creation
]]></notes>
<packageUrl regex="true">^pkg:maven/.*$</packageUrl>
<cve>CVE-2020-8908</cve>
</suppress>
<suppress>
<notes><![CDATA[
Make sure to not feed untrusted data into your jlineup config. See https://github.com/FasterXML/jackson-databind/issues/3972
]]></notes>
<packageUrl regex="true">^pkg:maven/.*$</packageUrl>
<cve>CVE-2023-35116</cve>
</suppress>
<suppress>
<notes><![CDATA[
We don't feed janino with user data
]]></notes>
<packageUrl regex="true">^pkg:maven/.*$</packageUrl>
<cve>CVE-2023-33546</cve>
</suppress>
<suppress>
<notes><![CDATA[
GraalVM is not in use
]]></notes>
<packageUrl regex="true">^pkg:maven/.*$</packageUrl>
<cve>CVE-2023-22006</cve>
</suppress>
<suppress>
<!--TODO:remove!-->
<notes><![CDATA[
CVE-2023-38286 is fixed in Thymeleaf 3.1.2, 3.1.1 is still accidentially resolved for one test
]]></notes>
<packageUrl regex="true">^pkg:maven/.*$</packageUrl>
<cve>CVE-2023-38286</cve>
</suppress>
<suppress>
<notes><![CDATA[
Netty does not provide TLS Hostname validation
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty-.*@.*$</packageUrl>
<cve>CVE-2023-4586</cve>
</suppress>
</suppressions>