<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- For information see https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
<!-- Applies to Processing:Processing -->
<suppress>
<notes><![CDATA[
file name: jsonp-jaxrs-1.1.6.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish/jsonp\-jaxrs@.*$</packageUrl>
<cpe>cpe:/a:processing:processing</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: jakarta.json-api-1.1.6.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/jakarta\.json/jakarta\.json\-api@.*$</packageUrl>
<cpe>cpe:/a:processing:processing</cpe>
</suppress>
<!-- This CVE is against the etcd server. We ship only a Java client. -->
<suppress>
<notes><![CDATA[
file name: etcd4j-2.17.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mousio/etcd4j@.*$</packageUrl>
<cpe>cpe:/a:etcd:etcd</cpe>
</suppress>
<!-- This CVE is against the Java Websocket project. Not the Jakarta WebSocket API.
See https://github.com/TooTallNate/Java-WebSocket/security/advisories/GHSA-gw55-jm4h-x339
-->
<suppress>
<notes><![CDATA[
file name: jakarta.websocket-api-1.1.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/jakarta\.websocket/jakarta\.websocket\-api@.*$</packageUrl>
<cpe>cpe:/a:java-websocket_project:java-websocket</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: javax.websocket-api-1.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/javax\.websocket/javax\.websocket\-api@.*$</packageUrl>
<cpe>cpe:/a:java-websocket_project:java-websocket</cpe>
</suppress>
<!-- GraalVM -->
<!-- This suppresses multiple CVEs related to running untrusted Java code.
The descriptions of these CVEs contain the statement:
"This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code"
Therefore these CVEs do not apply to Helidon's use of GraalVM.
-->
<suppress>
<notes><![CDATA[
file name: graal-sdk-21.3.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm.*/.*@.*$</packageUrl>
<cve>CVE-2021-2341</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: graal-sdk-21.3.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm.*/.*@.*$</packageUrl>
<cve>CVE-2021-2369</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: graal-sdk-21.3.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm.*/.*@.*$</packageUrl>
<cve>CVE-2021-2388</cve>
</suppress>
<!-- junit 4 -->
<!-- This CVE is fixed in junit 4.13.1 and only applies when using Java 1.6
or earlier. We use version 4.13.1 and require Java 11 or above,
so this CVE does not apply. -->
<suppress>
<notes><![CDATA[
file name: junit-4.13.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/junit/junit@.*$</packageUrl>
<vulnerabilityName>CVE-2020-15250</vulnerabilityName>
</suppress>
<!-- grpc -->
<!-- The scan was applying the version of opentracing-grpc to grpc itself,
which triggered CVEs for older versions of grpc and grpc-js.
-->
<suppress>
<notes><![CDATA[
file name: opentracing-grpc-0.2.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentracing\.contrib/opentracing\-grpc@.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
<!-- Apache HttpClient / Google HTTP Client -->
<!-- The scan was associating the Google HTTP client version number with Apache HttpClient, generating a false positive for
an Apache HttpClient CVE affecting versions 4.5.12 and earlier (Helidon uses 4.5.13).
-->
<suppress>
<notes><![CDATA[
file name: google-http-client-apache-v2-1.40.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.http\-client/google\-http\-client\-apache\-v2@.*$</packageUrl>
<cve>CVE-2020-13956</cve>
</suppress>
<!-- This CVE is against Neo4j through 3.4.18. We use Neo4j 4.2.4.
Helidon's Neo4j integration triggered a false positive because its own
version number is < 3.4.18.
-->
<suppress>
<notes><![CDATA[
file name: io.helidon.integrations.neo4j:helidon-integrations-neo4j:2.4.0-SNAPSHOT
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.helidon\.integrations\.neo4j/helidon\-integrations\-neo4j@.*$</packageUrl>
<cve>CVE-2021-34371</cve>
</suppress>
<!-- The Neo4j java driver contains a shaded copy of a couple of Netty artifacts.
This CVE is against netty-codec-http2 which is not included in the Neo4j driver.
-->
<suppress>
<notes><![CDATA[
file name: neo4j-java-driver-4.2.4.jar (shaded: io.netty:netty-transport:4.1.60.Final)
]]></notes>
<filePath regex="true">.*/neo4j\-java\-driver\-4\.2\.4\.jar.*</filePath>
<cve>CVE-2021-21409</cve>
</suppress>
<!-- This CVE was fixed in the EL implementations com.sun.el:el-ri:3.0.4 and org.glassfish:jakarta.el:3.0.4,
which we have upgraded to. However, the scan triggers a false positive on the API: jakarta.el:jakarta.el-api:3.0.3 -->
<suppress>
<notes><![CDATA[
file name: jakarta.el-api-3.0.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/jakarta\.el/jakarta\.el\-api@.*$</packageUrl>
<cve>CVE-2021-28170</cve>
</suppress>
<!-- These files are being detected as an old version of Netty, which raises false positives for
a number of old Netty CVEs.
-->
<suppress>
<notes><![CDATA[
file name: netty-incubator-transport-native-io_uring-0.0.8.Final-linux-x86_64.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty\.incubator/netty\-incubator\-transport\-native\-io_uring@.*$</packageUrl>
<cpe>cpe:/a:netty:netty</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: netty-tcnative-classes-2.0.46.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative\-classes@.*$</packageUrl>
<cpe>cpe:/a:netty:netty</cpe>
</suppress>
<!-- These are old CVEs related to config components of the Eclipse IDE and Jenkins. They generate
false positives for MicroProfile Config.
-->
<suppress>
<notes><![CDATA[
file name: microprofile-config-api-3.0-RC5.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.config/microprofile\-config\-api@.*$</packageUrl>
<cve>CVE-2008-7271</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: microprofile-config-api-3.0-RC5.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.config/microprofile\-config\-api@.*$</packageUrl>
<cve>CVE-2010-4647</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: microprofile-config-api-3.0-RC5.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.config/microprofile\-config\-api@.*$</packageUrl>
<cve>CVE-2018-1000413</cve>
</suppress>
</suppressions>