-
Notifications
You must be signed in to change notification settings - Fork 133
/
suppression.xml
68 lines (68 loc) · 3.37 KB
/
suppression.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
<?xml version="1.0" encoding="UTF-8"?>
<!-- SPDX-FileCopyrightText: 2018-2022 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors -->
<!-- SPDX-License-Identifier: Apache-2.0 -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
suppresses CVE-2023-5072 as it has been fixed by the latest release 20231013 https://nvd.nist.gov/vuln/detail/CVE-2023-5072
file name: json-20231013.jar
]]>
</notes>
<packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
<vulnerabilityName>CVE-2023-5072</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
suppresses CVE-2022-45688 as the affected method is not called by code of this project.
added a test to https://github.com/SAP/cloud-security-xsuaa-integration/blob/main/env/src/test/java/com/sap/cloud/security/json/DefaultJsonObjectTest.java#L225 to check for vulnerability.
file name: json-20220924.jar
]]>
</notes>
<packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
<vulnerabilityName>CVE-2022-45688</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
suppresses CVE-2022-1471 according to https://github.com/spring-projects/spring-boot/issues/33457 spring does not use the affected constructor,
it uses SafeConstructor and only for application.yaml file parsing, therefore it's a false positive
file name: snakeyaml-1.30.jar
]]>
</notes>
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
<cve>CVE-2022-1471</cve>
<cve>CVE-2022-25857</cve>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses CVE-2018-1258 which is necessary because of a bug in the dependency-check plugin itself
and needs to be active until it is resolved: https://github.com/jeremylong/DependencyCheck/issues/1827
]]></notes>
<cve>CVE-2018-1258</cve>
</suppress>
<suppress>
<notes><![CDATA[
It's only relevant for AWS log4j patches]]>
</notes>
<cve>CVE-2022-33915</cve>
</suppress>
<suppress>
<notes><![CDATA[Ignored as vulnerable classes of ^HttpInvoker* are not used in the project]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-*.*$</packageUrl>
<cve>CVE-2016-1000027</cve>
</suppress>
<suppress>
<notes><![CDATA[
spring-boot-starter-security-2.7.0.jar is flagged as vulnerable, but the vulnerability is relevant for Spring Security versions below 5.5.7 and 5.6.4
Ignored as spring-security 5.7.1 is used which has fix for CVE-2022-22978 https://spring.io/blog/2022/05/15/spring-security-5-7-0-5-6-4-5-5-7-released-fixes-cve-2022-22978-cve-2022-22976
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring\-boot\-starter\-security@.*$</packageUrl>
<cve>CVE-2022-22978</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: jakarta.annotation-api-1.3.5.jar False positive https://github.com/jeremylong/DependencyCheck/issues/4671
]]></notes>
<packageUrl regex="true">^pkg:maven/jakarta\.annotation/jakarta\.annotation\-api@.*$</packageUrl>
<cve>CVE-2022-31569</cve>
</suppress>
</suppressions>