|
2 | 2 | <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> |
3 | 3 | <!-- For information see https://jeremylong.github.io/DependencyCheck/general/suppression.html --> |
4 | 4 |
|
5 | | -<!-- This CVE is against the etcd server. We ship a Java client |
| 5 | +<!-- This CVE is against the etcd server. We use the Java client |
6 | 6 | --> |
7 | 7 | <suppress> |
8 | 8 | <notes><![CDATA[ |
|
197 | 197 | <cve>CVE-2022-25647</cve> |
198 | 198 | </suppress> |
199 | 199 |
|
| 200 | +<!-- False positive. This CVE is against Go-Yaml, a project we do not use. |
| 201 | + Scanner mistakenly identifies Helidon's Yaml support as Go-Yaml v3. |
| 202 | +--> |
| 203 | +<suppress> |
| 204 | + <notes><![CDATA[ |
| 205 | + file name: io.helidon.config:helidon-config-yaml-mp:3.0.0-SNAPSHOT |
| 206 | + ]]></notes> |
| 207 | + <packageUrl regex="true">^pkg:maven/io\.helidon\.config/helidon\-config\-yaml\-mp@.*$</packageUrl> |
| 208 | + <cve>CVE-2022-28948</cve> |
| 209 | +</suppress> |
| 210 | +<suppress> |
| 211 | + <notes><![CDATA[ |
| 212 | + file name: io.helidon.config:helidon-config-yaml:3.0.0-SNAPSHOT |
| 213 | + ]]></notes> |
| 214 | + <packageUrl regex="true">^pkg:maven/io\.helidon\.config/helidon\-config\-yaml@.*$</packageUrl> |
| 215 | + <cve>CVE-2022-28948</cve> |
| 216 | +</suppress> |
| 217 | + |
| 218 | +<!-- False positive. This CVE was against an older version of H2. See |
| 219 | + https://github.com/jeremylong/DependencyCheck/issues/4555 |
| 220 | +--> |
| 221 | +<suppress> |
| 222 | + <notes><![CDATA[ |
| 223 | + file name: h2-2.0.206.jar |
| 224 | + ]]></notes> |
| 225 | + <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl> |
| 226 | + <vulnerabilityName>CVE-2018-14335</vulnerabilityName> |
| 227 | +</suppress> |
| 228 | + |
| 229 | +<!-- This CVE is against micronaut's Content Type header parsing. We never use micronaut classes |
| 230 | + to parse the Content Type header. So this is N/A in our use of micronaut (for micronaut data). |
| 231 | +--> |
| 232 | +<suppress> |
| 233 | + <notes><![CDATA[ |
| 234 | + file name: micronaut-core-3.1.3.jar |
| 235 | + ]]></notes> |
| 236 | + <packageUrl regex="true">^pkg:maven/io\.micronaut/micronaut\-core@.*$</packageUrl> |
| 237 | + <vulnerabilityName>CVE-2022-21700</vulnerabilityName> |
| 238 | +</suppress> |
| 239 | + |
| 240 | +<!-- okhttp is a transitive fourth party dependency of Jaeger client. This CVE is considered |
| 241 | + by the okhttp team as not exploitable unless the class in question is used |
| 242 | + directly by an application (highly unlikely). See https://github.com/square/okhttp/issues/6724 |
| 243 | + They have only fixed this in 4.9.3 and newer. We can't force upgrade due to a tangle of |
| 244 | + dependencies, compatibility, and issues with dependency convergence. |
| 245 | +--> |
| 246 | +<suppress> |
| 247 | + <notes><![CDATA[ |
| 248 | + file name: okhttp-3.14.9.jar |
| 249 | + ]]></notes> |
| 250 | + <packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp3/okhttp@.*$</packageUrl> |
| 251 | + <vulnerabilityName>CVE-2021-0341</vulnerabilityName> |
| 252 | +</suppress> |
200 | 253 |
|
201 | 254 |
|
202 | 255 | </suppressions> |
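Review bot: The new H2 and okhttp suppressions (new lines 225 and 250) match every version of the artifact (`@.*$`) and carry no expiry, even though their own comments say the issue is fixed upstream (okhttp 4.9.3 and newer; an older H2 version), so once the dependency is upgraded the entry keeps silencing the finding instead of letting it drop out. I would bound the regex to the affected range, e.g. `^pkg:maven/com\.squareup\.okhttp3/okhttp@3\..*$`, or use the suppression schema's `until` attribute (`<suppress until="YYYY-MM-DD">`, date as a placeholder) so the scanner re-raises the finding after that date and the entry is revisited. Separately, the H2, micronaut and okhttp entries use `<vulnerabilityName>` for CVE identifiers while the Go-Yaml entries in the same hunk use `<cve>`; `<cve>` is the element intended for CVE ids and using it throughout keeps the file consistent.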