forked from Consensys/web3signer
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
build - suppress unrelated owasp warnings and update azure libraries (C…
- Loading branch information
1 parent
16d301c
commit 2560b0c
Showing
3 changed files
with
6 additions
and
20 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,40 +1,26 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> | ||
<!-- See https://jeremylong.github.io/DependencyCheck/general/suppression.html for examples --> | ||
<suppress until="2024-03-16"> | ||
<suppress until="2024-06-16"> | ||
<notes><![CDATA[ | ||
Suppress CVE-2023-36415 as this should only be applicable on version up to but excluding 1.10.2. | ||
https://github.com/jeremylong/DependencyCheck/issues/5992 | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@1\.11\.[1-9]$</packageUrl> | ||
<vulnerabilityName>CVE-2023-36415</vulnerabilityName> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
Suppress CVE-2023-3782 as Web3Signer doesn't use brotli and the NVD is incorrectly applying against all okhttp packages instead of just brotli one. See discussion in https://github.com/square/okhttp/issues/7738 | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp3/.*$</packageUrl> | ||
<cve>CVE-2023-3782</cve> | ||
</suppress> | ||
<suppress until="2024-03-16"> | ||
<suppress until="2024-06-16"> | ||
<notes><![CDATA[ | ||
FP per issue #6100 - CVE-2023-36052 since it is related to Azure-cli not to the azure-core libraries | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/com\.azure/azure*@*.*$</packageUrl> | ||
<cve>CVE-2023-36052</cve> | ||
</suppress> | ||
<suppress until="2024-03-16"> | ||
<suppress until="2024-06-16"> | ||
<notes><![CDATA[ | ||
CVE relates to attach on gRPC servers (not clients) and is dependent on the Netty version used | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*$</packageUrl> | ||
<cve>CVE-2023-44487</cve> | ||
</suppress> | ||
<suppress until="2024-03-16"> | ||
<notes><![CDATA[ | ||
CVE relates to usage hostname verification when using TLS and doesn't apply as we use Tuweni for this | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/io\.vertx/vertx\-core@.*$</packageUrl> | ||
<cve>CVE-2023-4586</cve> | ||
</suppress> | ||
</suppressions> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters