-
Notifications
You must be signed in to change notification settings - Fork 5
/
suppressions.xml
163 lines (163 loc) · 6.72 KB
/
suppressions.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress until="2025-01-16Z">
<notes><![CDATA[
file name: okio-jvm-2.10.0.jar
sev: HIGH
reason: This is a dependency of the release plugin in use and is not used in production where it would be vulnerable to the attack vector.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@.*$</packageUrl>
<cve>CVE-2023-3635</cve>
</suppress>
<suppress until="2025-01-16Z">
<notes><![CDATA[
sev: HIGH
file name: rewrite-core-8.13.0-SNAPSHOT.jar (shaded: org.eclipse.jgit:org.eclipse.jgit:5.13.2.202306221912-r)
Reason: False positive. We are using the latest jgit version. The checker is picking up erroneous version from a pom.xml file.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
<vulnerabilityName>CVE-2023-4759</vulnerabilityName>
</suppress>
<suppress until="2025-01-16">
<notes><![CDATA[
file name: rewrite-gradle-8.13.0-SNAPSHOT.jar: gradle-testing-base-6.1.1.jar, gradle-testing-jvm-6.1.1.jar, gradle-resources-6.1.1.jar, gradle-messaging-6.1.1.jar, gradle-logging-6.1.1.jar, gradle-native-6.1.1.jar, gradle-core-api-6.1.1.jar
sev: HIGH
reason: This is a false positive. The vulnerability is in the Gradle 7.6.2 and 8.2 and these are gradle core api's
]]></notes>
<filePath regex="true">
.*META-INF\/rewrite\/classpath\/gradle.*6\.1\.1\.jar
</filePath>
<cve>CVE-2023-35947</cve>
<cve>CVE-2021-29428</cve>
<cve>CVE-2020-11979</cve>
<cve>CVE-2021-32751</cve>
<cve>CVE-2021-29427</cve>
</suppress>
<suppress until="2025-01-16Z">
<notes><![CDATA[
sev: CRITICAL
file name: rewrite-gradle-8.13.0-SNAPSHOT.jar: gradle-enterprise-gradle-plugin-3.16.1.jar
Reason: False positive. We are using the latest gradle-enterprise-gradle-plugin version.
]]></notes>
<filePath regex="true">
.*META-INF\/rewrite\/classpath\/gradle-enterprise-gradle-plugin-.*.jar
</filePath>
<cve>CVE-2019-11402</cve>
<cve>CVE-2019-11403</cve>
<cve>CVE-2019-15052</cve>
<cve>CVE-2020-11979</cve>
<cve>CVE-2021-29428</cve>
<cve>CVE-2021-32751</cve>
<cve>CVE-2021-41589</cve>
<cve>CVE-2022-25364</cve>
<cve>CVE-2022-30587</cve>
<cve>CVE-2023-35947</cve>
<cve>CVE-2023-49238</cve>
</suppress>
<suppress until="2025-03-28Z">
<notes><![CDATA[
file name: spring-asm-3.1.3.RELEASE.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-asm@.*$</packageUrl>
<cve>CVE-2022-22965</cve>
<cve>CVE-2018-1270</cve>
<cve>CVE-2014-0225</cve>
<cve>CVE-2016-9878</cve>
<cve>CVE-2018-11040</cve>
<cve>CVE-2013-4152</cve>
<cve>CVE-2013-6429</cve>
<cve>CVE-2013-7315</cve>
<cve>CVE-2014-0054</cve>
<cve>CVE-2018-1257</cve>
<cve>CVE-2020-5421</cve>
<cve>CVE-2022-22950</cve>
<cve>CVE-2023-20861</cve>
<cve>CVE-2018-11039</cve>
<cve>CVE-2013-6430</cve>
<cve>CVE-2022-22968</cve>
<cve>CVE-2022-22970</cve>
<cve>CVE-2014-3625</cve>
<cve>CVE-2014-1904</cve>
</suppress>
<suppress until="2025-03-28Z">
<notes><![CDATA[
file name: spring-core-3.1.3.RELEASE.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
<cve>CVE-2018-1270</cve>
<cve>CVE-2022-22965</cve>
<cve>CVE-2014-0225</cve>
<cve>CVE-2016-9878</cve>
<cve>CVE-2018-11040</cve>
<cve>CVE-2013-4152</cve>
<cve>CVE-2013-6429</cve>
<cve>CVE-2013-7315</cve>
<cve>CVE-2014-0054</cve>
<cve>CVE-2018-1257</cve>
<cve>CVE-2020-5421</cve>
<cve>CVE-2022-22950</cve>
<cve>CVE-2023-20861</cve>
<cve>CVE-2018-11039</cve>
<cve>CVE-2013-6430</cve>
<cve>CVE-2022-22968</cve>
<cve>CVE-2022-22970</cve>
<cve>CVE-2014-3625</cve>
<cve>CVE-2014-1904</cve>
</suppress>
<suppress until="2025-03-28Z">
<notes><![CDATA[
sev: HIGH
file name: plexus-interpolation-1.14.jar
reason: brought in by license-gradle-plugin which is the latest version. Used only in build time.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-interpolation@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
<cve>CVE-2022-4245</cve>
</suppress>
<suppress until="2025-03-28Z">
<notes><![CDATA[
sev: HIGH
file name: plexus-component-annotations-1.5.5.jar
reason: brought in by license-gradle-plugin which is the latest version. Used only in build time.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-component\-annotations@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
<cve>CVE-2022-4245</cve>
</suppress>
<suppress until="2025-01-16Z">
<notes><![CDATA[
sec: HIGH
file name: bcprov-jdk18on-1.71.jar
reason: Vulnerability is currently waiting analysis and transitive dependencies have not upgraded.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcprov\-jdk18on@.*$</packageUrl>
<cve>CVE-2024-34447</cve>
<cve>CVE-2024-30172</cve>
<cve>CVE-2024-30171</cve>
<cve>CVE-2024-29857</cve>
<cve>CVE-2023-33202</cve>
<cve>CVE-2023-33201</cve>
</suppress>
<suppress until="2025-01-16Z">
<notes><![CDATA[
file name: javax.json-1.1.4.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish/javax\.json@.*$</packageUrl>
<vulnerabilityName>CVE-2023-7272</vulnerabilityName>
</suppress>
<suppress until="2025-01-16Z">
<notes><![CDATA[
file name: lucene-analyzers-common-8.11.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.lucene/lucene-.*@.*$</packageUrl>
<vulnerabilityName>CVE-2024-47554</vulnerabilityName>
<vulnerabilityName>CVE-2024-45772</vulnerabilityName>
</suppress>
<suppress until="2025-01-16Z">
<notes><![CDATA[
file name: shadow-8.0.0.jar (shaded: commons-io:commons-io:2.11.0)
]]></notes>
<packageUrl regex="true">^pkg:maven/commons-io/commons-io@.*$</packageUrl>
<vulnerabilityName>CVE-2024-47554</vulnerabilityName>
</suppress>
</suppressions>