<?xml version="1.0" encoding="UTF-8"?>
<!--
  OWASP dependency-check suppression file (dependency-suppression schema 1.3).
  Each <suppress> hides the listed <cve> / <vulnerabilityName> findings for the
  dependencies matched by its <packageUrl> regex. An entry carrying an "until"
  attribute stops applying after that date, so the finding is reported again and
  has to be re-reviewed rather than silently staying hidden.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- Every packageUrl regex in this file ends in "@.*$", i.e. it matches every
     version of the artifact, so a suppression keeps applying after the
     dependency is upgraded. Pin the version in the regex (or add "until") when
     the rationale only holds for the version that was reviewed. -->
<suppress>
<notes>Suppress vulnerabilities for multiple Jetty dependencies</notes>
<!-- NOTE(review): the note says what is suppressed but not why (false positive?
     unused feature?), and there is no "until" date, so these two CVEs stay hidden
     for all jetty-* artifacts indefinitely. Record the reason here. -->
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-.*@.*$</packageUrl>
<cve>CVE-2024-8184</cve>
<cve>CVE-2024-6763</cve>
</suppress>
<!-- NOTE(review): this entry has no <notes>, no selector (<packageUrl>, <gav>,
     <filePath> or <sha1>) and no "until" date. Without a selector it presumably
     applies to every scanned dependency, so these three CVEs are hidden
     project-wide and permanently; scope it to the artifact it was written for
     and add the rationale. -->
<suppress>
<cve>CVE-2023-4586</cve>
<cve>CVE-2023-44487</cve>
<cve>CVE-2021-32816</cve>
</suppress>
<!-- Time-boxed suppression (plain xs:date). If this date has already passed the
     entry is inert and the finding is being reported again; either remove the
     entry or re-review and extend it deliberately. -->
<suppress until="2024-02-15">
<notes>ion-java-1.0.2.jar (osa aws-java-sdk:ta, ei päivitystä hälytyshetkellä – postponattu
kuukaudella)</notes>
<packageUrl regex="true">^pkg:maven/software\.amazon\.ion/ion\-java@.*$</packageUrl>
<cve>CVE-2024-21634</cve>
</suppress>
<!-- Time-boxed suppression; the "until" value uses the "Z" timezone suffix while
     the entry above does not. Both are valid xs:date forms, but one convention
     for the file would be easier to audit. -->
<suppress until="2025-07-01Z">
<notes>Medium level issues in the org.apache.xmlbeans:xmlbeans:jar:2.6.0 which is dependency of
org.apache.poi:poi-ooxml:jar:3.17. Ticket for fix https://jira.eduuni.fi/browse/TOR-1373.</notes>
<cve>CVE-2019-12415</cve>
<cve>CVE-2021-23926</cve>
<cve>CVE-2022-26336</cve>
</suppress>
<!-- The npm entries below match by <vulnerabilityName> (a numeric id, presumably
     the npm audit advisory number, plus a CWE title or CVE id) rather than by
     CVE only. A CWE-title match hides any advisory of that CWE class for the
     package, so it is broader than the single finding the note describes. -->
<suppress>
<notes><![CDATA[file name: hosted-git-info:3.0.7. Node not in use: DoS is not possible.]]></notes>
<packageUrl regex="true">^pkg:npm/hosted\-git\-info@.*$</packageUrl>
<vulnerabilityName>1677</vulnerabilityName>
<vulnerabilityName>CVE-2021-23362</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[file name: ini:1.3.5. Node not in use: No file parsing on server.]]></notes>
<packageUrl regex="true">^pkg:npm/ini@.*$</packageUrl>
<vulnerabilityName>1589</vulnerabilityName>
<vulnerabilityName>CWE-471: Modification of Assumed-Immutable Data (MAID)</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[file name: netmask:1.0.6. Node not in use: No input validation in use.]]></notes>
<packageUrl regex="true">^pkg:npm/netmask@.*$</packageUrl>
<vulnerabilityName>1658</vulnerabilityName>
<vulnerabilityName>CWE-20: Improper Input Validation</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[file name: lodash:4.17.20. Node not in use: Command injection is not possible.]]></notes>
<packageUrl regex="true">^pkg:npm/lodash@.*$</packageUrl>
<vulnerabilityName>1673</vulnerabilityName>
<vulnerabilityName>CWE-77: Improper Neutralization of Special Elements used in a Command
('Command Injection')</vulnerabilityName>
</suppress>
<!-- The next two entries share the same selector and rationale as each other;
     they could be merged into one <suppress> with two <vulnerabilityName>
     children. The trailing space after the CDATA section is harmless. -->
<suppress>
<notes><![CDATA[file name: lodash:4.17.20. Dev dependency.]]> </notes>
<packageUrl regex="true">^pkg:npm/lodash@.*$</packageUrl>
<vulnerabilityName>CVE-2020-28500</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[file name: lodash:4.17.20. Dev dependency.]]></notes>
<packageUrl regex="true">^pkg:npm/lodash@.*$</packageUrl>
<vulnerabilityName>CVE-2021-23337</vulnerabilityName>
</suppress>
<!-- Time-boxed suppression; if the "until" date has passed this entry no longer
     has any effect and can be removed or re-reviewed. -->
<suppress until="2023-10-11Z">
<notes>
<![CDATA[ file name: aws-java-sdk-secretsmanager-1.12.148.jar]]> Dependency of
com.amazonaws.secretsmanager:aws-secretsmanager-jdbc, which most probably is not affected by
the vulnerability
</notes>
<packageUrl regex="true">^pkg:maven/com\.amazonaws/aws\-java\-sdk\-secretsmanager@.*$</packageUrl>
<cve>CVE-2022-31159</cve>
</suppress>
<!-- Permanent suppression of a declared false positive; no "until" is
     appropriate here as long as the false-positive claim is documented. -->
<suppress>
<notes>Suppress a false positive in the scalaz-core dependency.</notes>
<packageUrl regex="true">^pkg:maven/org\.scalaz/scalaz\-core_2\.12@.*$</packageUrl>
<cve>CVE-2022-2393</cve>
</suppress>
<!-- Rationale is that the vulnerable API is not called; this is the kind of
     note every permanent entry in this file should carry. -->
<suppress>
<notes>
<![CDATA[ file name: guava-31.1-jre.jar]]>
Vulnerable function not in use: com.google.common.io.Files.createTempDir()
Issue in GitHub: https://github.com/google/guava/issues/4011
</notes>
<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
<cve>CVE-2020-8908</cve>
</suppress>
</suppressions>