<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- For information see https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
<!-- NOTE(review): every <packageUrl> regex in this file ends in "@.*$", i.e. it matches every version
of the artifact, so each suppression stays in force after the dependency is upgraded. Re-check the
entry whenever the affected dependency is bumped, or bound it with the suppress element's "until"
date attribute so the finding resurfaces automatically.
-->
<!-- False positive.
This CVE is against the H2 web admin console which we do not use
-->
<suppress>
<notes><![CDATA[
file name: h2-2.1.212.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
<cve>CVE-2022-45868</cve>
</suppress>
<!-- False Positive. This CVE is against H2 1.x.
-->
<suppress>
<notes><![CDATA[
file name: h2-2.1.212.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
<vulnerabilityName>CVE-2018-14335</vulnerabilityName>
</suppress>
<!-- False Positive. This CVE is against the Maven plugins listed here:
https://maven.apache.org/security.html
Our dependency is on maven-artifact-manager which is not in this list.
-->
<suppress>
<notes><![CDATA[
file name: maven-artifact-manager-2.2.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.maven/maven\-artifact\-manager@.*$</packageUrl>
<vulnerabilityName>CVE-2021-26291</vulnerabilityName>
</suppress>
<!-- False Positive. This does not apply to server Java deployment and certainly not to our use of graalvm SDK.
This vulnerability applies to Java deployments, typically in clients running sandboxed
Java Web Start applications or sandboxed Java applets, that load and run untrusted code
(e.g., code that comes from the internet) and rely on the Java sandbox for security. This
vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code
-->
<suppress>
<notes><![CDATA[
file name: nativeimage-23.1.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$</packageUrl>
<vulnerabilityName>CVE-2023-22006</vulnerabilityName>
</suppress>
<!-- This low priority CVE does not apply to our use of the graalvm compiler.
-->
<suppress>
<notes><![CDATA[
file name: compiler-23.1.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm\.compiler/compiler@.*$</packageUrl>
<vulnerabilityName>CVE-2024-21138</vulnerabilityName>
</suppress>
<!-- NOTE(review): no rationale was recorded for this suppression; presumably the same reasoning
as CVE-2024-21138 above applies, but confirm that and document it here so the entry can be
reviewed on its own.
-->
<suppress>
<notes><![CDATA[
file name: compiler-23.1.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm\.compiler/compiler@.*$</packageUrl>
<vulnerabilityName>CVE-2024-21235</vulnerabilityName>
</suppress>
<!--
These are false positives.
See https://github.com/jeremylong/DependencyCheck/issues/5973
-->
<suppress>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-(cipher|classworlds|component-annotations|interpolation|container-default|sec-dispatcher)@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
<cve>CVE-2022-4245</cve>
</suppress>
<!--
False Positives. These CVEs are against the Brave web browser, not brave-opentracing.
-->
<suppress>
<notes><![CDATA[
file name: brave-opentracing-1.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentracing\.brave/brave\-opentracing@.*$</packageUrl>
<cve>CVE-2022-47932</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: brave-opentracing-1.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentracing\.brave/brave\-opentracing@.*$</packageUrl>
<cve>CVE-2022-47933</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: brave-opentracing-1.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentracing\.brave/brave\-opentracing@.*$</packageUrl>
<cve>CVE-2022-47934</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: brave-opentracing-1.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentracing\.brave/brave\-opentracing@.*$</packageUrl>
<cve>CVE-2021-22929</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: brave-opentracing-1.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentracing\.brave/brave\-opentracing@.*$</packageUrl>
<cve>CVE-2022-30334</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: brave-opentracing-1.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentracing\.brave/brave\-opentracing@.*$</packageUrl>
<cve>CVE-2023-28360</cve>
</suppress>
<!-- False Positives. The scanner was matching Helidon's dbclient mongodb support artifact with MongoDB itself.
Suppressing the CPE (rather than individual CVEs) removes every finding derived from that mismatch.
-->
<suppress>
<notes><![CDATA[
file name: io.helidon.dbclient:helidon-dbclient-mongodb:4.0.0-SNAPSHOT
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.helidon\.dbclient/helidon\-dbclient\-mongodb@.*$</packageUrl>
<cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>
<!-- False Positive.
This is against an old version of prometheus (not prometheus metrics nor micrometer)
-->
<suppress>
<notes><![CDATA[
file name: micrometer-registry-prometheus-simpleclient-1.13.4.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.micrometer/micrometer-registry-prometheus-simpleclient@.*$</packageUrl>
<cve>CVE-2019-3826</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: prometheus-metrics-core-1.2.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.prometheus/prometheus-metrics-(.*)@.*$</packageUrl>
<cve>CVE-2019-3826</cve>
</suppress>
<!-- False Positives.
This CVE is against the XML Database component of Oracle Database Server.
The below are client libraries for XML and XML JDBC support.
-->
<suppress>
<notes><![CDATA[
file name: xdb-23.6.0.24.10.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.oracle\.database\.xml/xdb@.*$</packageUrl>
<cve>CVE-2025-30694</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: xmlparserv2_sans_jaxp_services-23.6.0.24.10.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.oracle\.database\.xml/xmlparserv2_sans_jaxp_services@.*$</packageUrl>
<cve>CVE-2025-30694</cve>
</suppress>
<!--
This CVE is old and was fixed in Kotlin 1.4.21. The CPE recently changed in NVD.
Will keep an eye on this to see if the CPE in NVD is bad, or if there is something new.
NOTE(review): this entry is described as provisional but has no expiry; an "until" date would
force it to be revisited instead of relying on someone remembering to check.
-->
<suppress>
<notes><![CDATA[
file name: kotlin-stdlib-1.9.10.jar
file name: kotlin-stdlib-jdk7-1.9.10.jar
file name: kotlin-stdlib-jdk8-1.9.10.jar
file name: kotlin-stdlib-common-1.9.10.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin-stdlib.*$</packageUrl>
<cve>CVE-2020-29582</cve>
</suppress>
</suppressions>