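<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!--
        For information see https://jeremylong.github.io/DependencyCheck/general/suppression.html

        Maintenance notes (review):
        * Every packageUrl below ends in "@.*$", so each entry matches ALL versions of the
          artifact, including future upgrades. That is appropriate for genuine false positives
          (a CVE filed against a different product), but an entry that silences a real finding
          we simply cannot fix yet should be re-checked on every dependency bump, or bounded with
          the schema's until="YYYY-MM-DD" attribute (placeholder date) so it expires and resurfaces.
        * When one artifact needs several CVEs suppressed for the same reason, use a single
          <suppress> with several <cve> children (as done for plexus and brave-opentracing below)
          rather than repeating the whole entry per CVE.
        * The file mixes <cve> and <vulnerabilityName> for CVE identifiers; both are kept as the
          original authors wrote them so matching behaviour is unchanged.
    -->

    <!--
        The CPE below identifies the etcd server. We only use the Java client (etcd4j), so
        findings matched through this CPE do not apply. Note this suppresses every
        vulnerability attached to that CPE, not a single CVE.
    -->
    <suppress>
        <notes><![CDATA[
            file name: etcd4j-2.17.0.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.mousio/etcd4j@.*$</packageUrl>
        <cpe>cpe:/a:etcd:etcd</cpe>
    </suppress>

    <!--
        False positive.
        This CVE is against the H2 web admin console which we do not use.
    -->
    <suppress>
        <notes><![CDATA[
            file name: h2-2.1.212.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
        <cve>CVE-2022-45868</cve>
    </suppress>

    <!--
        okhttp is a transitive fourth party dependency of Jaeger client. This CVE is considered
        by the okhttp team as not exploitable unless the class in question is used
        directly by an application (highly unlikely). See https://github.com/square/okhttp/issues/6724
        They have only fixed this in 4.9.3 and newer. We can't force upgrade due to a tangle of
        dependencies, compatibility, and issues with dependency convergence.

        NOTE(review): unlike most entries in this file this is not a false positive but a genuine
        finding we are accepting. The "@.*$" pattern keeps it silenced even after okhttp is
        eventually upgraded, so revisit this entry (or bound it with until="YYYY-MM-DD") once the
        Jaeger client dependency moves to okhttp 4.9.3 or newer.
    -->
    <suppress>
        <notes><![CDATA[
            file name: okhttp-3.14.9.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp3/okhttp@.*$</packageUrl>
        <vulnerabilityName>CVE-2021-0341</vulnerabilityName>
    </suppress>

    <!--
        False positive. This CVE is against graphql-java, not the microprofile-graphql-api.
    -->
    <suppress>
        <notes><![CDATA[
            file name: microprofile-graphql-api-2.0.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.graphql/microprofile\-graphql\-api@.*$</packageUrl>
        <cve>CVE-2022-37734</cve>
    </suppress>

    <!--
        False positive. This CVE is against graphql-java, not graphql-java-dataloader.
        See https://github.com/jeremylong/DependencyCheck/issues/5641
    -->
    <suppress>
        <notes><![CDATA[
            file name: java-dataloader-3.1.0.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.graphql\-java/java\-dataloader@.*$</packageUrl>
        <cve>CVE-2023-28867</cve>
    </suppress>

    <!--
        False positives. CVE-2022-45129 is against Payara, not jakarta.resource-api nor the
        microprofile API artifacts. The same CVE is suppressed for each of the three affected
        artifacts in the next three entries.
    -->
    <suppress>
        <notes><![CDATA[
            file name: jakarta.resource-api-2.0.0.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/jakarta\.resource/jakarta\.resource\-api@.*$</packageUrl>
        <cve>CVE-2022-45129</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
            file name: microprofile-config-api-3.0.1.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.config/microprofile\-config\-api@.*$</packageUrl>
        <cve>CVE-2022-45129</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
            file name: microprofile-jwt-auth-api-2.0.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.jwt/microprofile\-jwt\-auth\-api@.*$</packageUrl>
        <cve>CVE-2022-45129</cve>
    </suppress>

    <!--
        False positive. This CVE is against H2 1.x; we are on H2 2.x.
    -->
    <suppress>
        <notes><![CDATA[
            file name: h2-2.1.212.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
        <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
    </suppress>

    <!--
        This is a low priority CVE against a deprecated method in Guava. We don't use guava directly.
        This CVE bounces in and out of being "fixed" in version 30 and later.
    -->
    <suppress>
        <notes><![CDATA[
            file name: guava-31.1-jre.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
        <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
    </suppress>

    <!--
        False positive. This CVE is against the Maven plugins listed here:
        https://maven.apache.org/security.html
        Our dependency is on maven-artifact-manager which is not in this list.
    -->
    <suppress>
        <notes><![CDATA[
            file name: maven-artifact-manager-2.2.1.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.maven/maven\-artifact\-manager@.*$</packageUrl>
        <vulnerabilityName>CVE-2021-26291</vulnerabilityName>
    </suppress>

    <!--
        This CVE is being disputed by the Jackson project and the community seems in agreement that this
        CVE should be rejected. We are suppressing this for now to reduce noise in our scan and will
        continue to monitor progress.
        https://nvd.nist.gov/vuln/detail/CVE-2023-35116
        https://github.com/FasterXML/jackson-databind/issues/3972

        NOTE(review): because the stated intent is "for now" and "continue to monitor", this entry
        is a candidate for an until="YYYY-MM-DD" bound so the scan re-raises it if the CVE is
        not rejected by then.
    -->
    <suppress>
        <notes><![CDATA[
            file name: jackson-databind-2.15.2.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
        <cve>CVE-2023-35116</cve>
    </suppress>

    <!--
        False positive. This does not apply to server Java deployment and certainly not to our use of graalvm SDK.
        This vulnerability applies to Java deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets, that load and run untrusted code
        (e.g., code that comes from the internet) and rely on the Java sandbox for security. This
        vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code.

        NOTE(review): the notes name nativeimage-23.1.0.jar but the packageUrl matches the
        graal-sdk artifact; confirm the pattern targets the artifact that actually triggers
        the finding, otherwise the suppression may be silently ineffective.
    -->
    <suppress>
        <notes><![CDATA[
            file name: nativeimage-23.1.0.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$</packageUrl>
        <vulnerabilityName>CVE-2023-22006</vulnerabilityName>
    </suppress>

    <!--
        This CVE concerns proper use of Netty's hostname verification. Helidon enables hostname
        verification by default and therefore this CVE does not apply. Some more info on the CVE here:
        https://github.com/jeremylong/DependencyCheck/issues/5912

        NOTE(review): the pattern "netty\-.*" matches every io.netty artifact, not only the
        netty-handler jar named in the notes. That is fine if the CVE is reported against
        several netty modules; otherwise narrow it to netty\-handler.
    -->
    <suppress>
        <notes><![CDATA[
            file name: netty-handler-4.1.94.Final.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>
        <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
    </suppress>

    <!--
        This is a false positive. We have upgraded jgit to a fixed version, but it is still getting flagged,
        probably due to the unusual version string used by jgit. See
        https://github.com/jeremylong/DependencyCheck/issues/5943
    -->
    <suppress>
        <notes><![CDATA[
            file name: org.eclipse.jgit-6.7.0.202309050840-r.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
        <cve>CVE-2023-4759</cve>
    </suppress>

    <!--
        These are false positives.
        See https://github.com/jeremylong/DependencyCheck/issues/5973
    -->
    <suppress>
        <notes><![CDATA[
            plexus-cipher, plexus-classworlds, plexus-component-annotations, plexus-interpolation,
            plexus-container-default and plexus-sec-dispatcher artifacts
            (see https://github.com/jeremylong/DependencyCheck/issues/5973)
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-(cipher|classworlds|component-annotations|interpolation|container-default|sec-dispatcher)@.*$</packageUrl>
        <cve>CVE-2022-4244</cve>
        <cve>CVE-2022-4245</cve>
    </suppress>

    <!--
        False positives. These CVEs are against the Brave web browser, not brave-opentracing.
        All six are suppressed for the same artifact and the same reason, so they share one entry.
    -->
    <suppress>
        <notes><![CDATA[
            file name: brave-opentracing-1.0.0.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.opentracing\.brave/brave\-opentracing@.*$</packageUrl>
        <cve>CVE-2022-47932</cve>
        <cve>CVE-2022-47933</cve>
        <cve>CVE-2022-47934</cve>
        <cve>CVE-2021-22929</cve>
        <cve>CVE-2022-30334</cve>
        <cve>CVE-2023-28360</cve>
    </suppress>

    <!--
        False positive. This was identifying Helidon's dbclient mongodb support artifact with MongoDB itself.
        Suppressed by CPE, so every finding attached to the MongoDB server CPE is dropped for this artifact.
    -->
    <suppress>
        <notes><![CDATA[
            file name: io.helidon.dbclient:helidon-dbclient-mongodb:4.0.0-SNAPSHOT
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.helidon\.dbclient/helidon\-dbclient\-mongodb@.*$</packageUrl>
        <cpe>cpe:/a:mongodb:mongodb</cpe>
    </suppress>

    <!--
        False positive. This was identifying Helidon's mysql support artifact with MySQL itself.
        Suppressed by CPE, so every finding attached to the MySQL server CPE is dropped for this artifact.
    -->
    <suppress>
        <notes><![CDATA[
            file name: io.helidon.integrations.db:helidon-integrations-db-mysql:4.0.0-SNAPSHOT
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.helidon\.integrations\.db/helidon\-integrations\-db\-mysql@.*$</packageUrl>
        <cpe>cpe:/a:mysql:mysql</cpe>
    </suppress>
</suppressions>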