<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- For information see https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
<!--
Conventions used in this file:
- Each <suppress> matches artifacts by a packageUrl regex and names what is suppressed:
  a <cve> or <vulnerabilityName> (a single finding) or a <cpe> (the CPE identification
  itself, so every finding attributed to that CPE is dropped for the matched artifacts).
- The <notes> CDATA records the jar(s) the finding was observed on. It is informational
  only and does not narrow the match; the packageUrl regex alone decides what is covered.
- Every packageUrl regex in this file ends in @.*$ or .*$, i.e. none is version-bounded,
  so a suppression keeps applying after the dependency is upgraded (or downgraded).
  Re-check the rationale whenever the affected dependency is bumped.
- A suppression that is meant to be temporary can carry an expiry so that it is
  re-evaluated instead of kept forever, e.g. <suppress until="YYYY-MM-DD"> (placeholder date).
-->
<!-- False Positive. This CVE is against Neo4j itself, not the neo4j-bolt artifacts.
-->
<suppress>
<notes><![CDATA[
file name: neo4j-bolt-connection-1.0.0.jar
file name: neo4j-bolt-connection-netty-1.0.0.jar
file name: neo4j-bolt-connection-pooled-1.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.neo4j\.bolt/neo4j-bolt-.*@.*$</packageUrl>
<cve>CVE-2021-34371</cve>
</suppress>
<!-- False Positive
This CVE is against the GlassFish application server, but is mistakenly being
identified in various org.glassfish artifacts. Note that the regex below covers
jaxb-core, jaxb-runtime, osgi-resource-locator and txw2 as well, not only the
jakarta.el jar recorded in the notes.
https://github.com/jeremylong/DependencyCheck/issues/7021
https://github.com/jeremylong/DependencyCheck/issues/7020
https://github.com/jeremylong/DependencyCheck/issues/7019
-->
<suppress>
<notes><![CDATA[
file name: jakarta.el-4.0.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish.*/(jakarta\.el|jaxb-core|jaxb-runtime|osgi-resource-locator|txw2)@.*$</packageUrl>
<cve>CVE-2024-9329</cve>
</suppress>
<!-- False Positive. The findings are against the etcd server; we use the etcd4j Java client.
This suppresses the etcd:etcd CPE identification for etcd4j, and with it every finding
attributed to that CPE, not just a single CVE.
-->
<suppress>
<notes><![CDATA[
file name: etcd4j-2.17.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mousio/etcd4j@.*$</packageUrl>
<cpe>cpe:/a:etcd:etcd</cpe>
</suppress>
<!-- False positive.
This CVE is against the H2 web admin console which we do not use
-->
<suppress>
<notes><![CDATA[
file name: h2-2.1.212.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
<cve>CVE-2022-45868</cve>
</suppress>
<!-- False Positive. This CVE is against H2 1.x. The regex below is not version-bounded
(it would also cover a 1.x h2 jar), so the h2 version in use is what makes this safe.
-->
<suppress>
<notes><![CDATA[
file name: h2-2.1.212.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
<vulnerabilityName>CVE-2018-14335</vulnerabilityName>
</suppress>
<!-- False Positive. This CVE is against the Maven plugins listed here:
https://maven.apache.org/security.html
Our dependency is on maven-artifact-manager which is not in this list.
-->
<suppress>
<notes><![CDATA[
file name: maven-artifact-manager-2.2.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.maven/maven\-artifact\-manager@.*$</packageUrl>
<vulnerabilityName>CVE-2021-26291</vulnerabilityName>
</suppress>
<!-- False Positive. This does not apply to server Java deployment and certainly not to our use of the graalvm SDK.
This vulnerability applies to Java deployments, typically in clients running sandboxed
Java Web Start applications or sandboxed Java applets, that load and run untrusted code
(e.g., code that comes from the internet) and rely on the Java sandbox for security. This
vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code.
-->
<suppress>
<notes><![CDATA[
file name: nativeimage-23.1.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$</packageUrl>
<vulnerabilityName>CVE-2023-22006</vulnerabilityName>
</suppress>
<!-- This low priority CVE does not apply to our use of the graalvm compiler.
-->
<suppress>
<notes><![CDATA[
file name: compiler-23.1.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm\.compiler/compiler@.*$</packageUrl>
<vulnerabilityName>CVE-2024-21138</vulnerabilityName>
</suppress>
<!-- NOTE(review): no rationale was recorded for this suppression. It targets the same
compiler-23.1.0.jar and packageUrl as CVE-2024-21138 above, so presumably the same
reasoning applies; confirm before keeping it.
-->
<suppress>
<notes><![CDATA[
file name: compiler-23.1.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm\.compiler/compiler@.*$</packageUrl>
<vulnerabilityName>CVE-2024-21235</vulnerabilityName>
</suppress>
<!--
This is a FP. We have upgraded jgit to a fixed version, but it is still getting flagged,
probably due to the unusual version string used by jgit. See
https://github.com/jeremylong/DependencyCheck/issues/5943
-->
<suppress>
<notes><![CDATA[
file name: org.eclipse.jgit-6.7.0.202309050840-r.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
<cve>CVE-2023-4759</cve>
</suppress>
<!--
These are FPs.
See https://github.com/jeremylong/DependencyCheck/issues/5973
This entry has no <notes> element, so the jars the findings were observed on are not recorded.
-->
<suppress>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-(cipher|classworlds|component-annotations|interpolation|container-default|sec-dispatcher)@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
<cve>CVE-2022-4245</cve>
</suppress>
<!--
False Positives. These CVEs are against the Brave web browser, not brave-opentracing.
The six entries below share the same notes and packageUrl; as the plexus entry above
shows, several <cve> children may be listed under a single <suppress>.
-->
<suppress>
<notes><![CDATA[
file name: brave-opentracing-1.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentracing\.brave/brave\-opentracing@.*$</packageUrl>
<cve>CVE-2022-47932</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: brave-opentracing-1.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentracing\.brave/brave\-opentracing@.*$</packageUrl>
<cve>CVE-2022-47933</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: brave-opentracing-1.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentracing\.brave/brave\-opentracing@.*$</packageUrl>
<cve>CVE-2022-47934</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: brave-opentracing-1.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentracing\.brave/brave\-opentracing@.*$</packageUrl>
<cve>CVE-2021-22929</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: brave-opentracing-1.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentracing\.brave/brave\-opentracing@.*$</packageUrl>
<cve>CVE-2022-30334</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: brave-opentracing-1.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentracing\.brave/brave\-opentracing@.*$</packageUrl>
<cve>CVE-2023-28360</cve>
</suppress>
<!-- False Positives. Helidon's dbclient mongodb support artifact was being identified as MongoDB itself.
This suppresses the mongodb:mongodb CPE identification for that artifact (and so every
finding attributed to it), not a single CVE.
-->
<suppress>
<notes><![CDATA[
file name: io.helidon.dbclient:helidon-dbclient-mongodb:4.0.0-SNAPSHOT
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.helidon\.dbclient/helidon\-dbclient\-mongodb@.*$</packageUrl>
<cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>
<!-- False Positives. Helidon's mysql support artifact was being identified as MySQL itself.
This suppresses the mysql:mysql CPE identification for that artifact (and so every
finding attributed to it), not a single CVE.
-->
<suppress>
<notes><![CDATA[
file name: io.helidon.integrations.db:helidon-integrations-db-mysql:4.0.0-SNAPSHOT
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.helidon\.integrations\.db/helidon\-integrations\-db\-mysql@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<!-- False Positive.
This is against an old version of prometheus (not prometheus metrics nor micrometer)
-->
<suppress>
<notes><![CDATA[
file name: micrometer-registry-prometheus-simpleclient-1.13.4.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.micrometer/micrometer-registry-prometheus-simpleclient@.*$</packageUrl>
<cve>CVE-2019-3826</cve>
</suppress>
<!-- Same CVE-2019-3826 false positive, reported against the io.prometheus client
artifacts. The regex below covers every prometheus-metrics-* artifact, not only the
prometheus-metrics-core jar recorded in the notes.
-->
<suppress>
<notes><![CDATA[
file name: prometheus-metrics-core-1.2.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.prometheus/prometheus-metrics-(.*)@.*$</packageUrl>
<cve>CVE-2019-3826</cve>
</suppress>
<!-- False Positives.
This CVE is against the XML Database component of Oracle Database Server.
The below are client libraries for XML and XML JDBC support.
-->
<suppress>
<notes><![CDATA[
file name: xdb-23.6.0.24.10.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.oracle\.database\.xml/xdb@.*$</packageUrl>
<cve>CVE-2025-30694</cve>
</suppress>
<!-- Same CVE-2025-30694 false positive for the xmlparserv2_sans_jaxp_services client jar. -->
<suppress>
<notes><![CDATA[
file name: xmlparserv2_sans_jaxp_services-23.6.0.24.10.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.oracle\.database\.xml/xmlparserv2_sans_jaxp_services@.*$</packageUrl>
<cve>CVE-2025-30694</cve>
</suppress>
<!-- False Positive.
This CVE is against ChatGPT's rendering of SVG images, not the openai4j API client.
-->
<suppress>
<notes><![CDATA[
file name: openai4j-0.23.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/dev\.ai4j/openai4j@.*$</packageUrl>
<cve>CVE-2025-43714</cve>
</suppress>
<!-- False Positive.
This CVE is against Nu Html Checker, not hibernate validator.
https://github.com/dependency-check/DependencyCheck/issues/8249
-->
<suppress>
<notes><![CDATA[
file name: hibernate-validator-cdi-8.0.2.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.hibernate\.validator/hibernate-validator-cdi@.*$</packageUrl>
<cve>CVE-2025-15104</cve>
</suppress>
<!-- False Positive.
This CVE is against the Neo4j database, not the driver.
The next two entries suppress the same CVE for the bolt connection artifacts and for
Helidon's own neo4j integration artifact.
-->
<suppress>
<notes><![CDATA[
file name: neo4j-java-driver-5.28.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.neo4j\.driver/neo4j-java-driver@.*$</packageUrl>
<cve>CVE-2026-1337</cve>
</suppress>
<!-- Same CVE-2026-1337 false positive for the neo4j-bolt-connection artifacts. -->
<suppress>
<notes><![CDATA[
file name: neo4j-bolt-connection-1.0.0.jar
file name: neo4j-bolt-connection-netty-1.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.neo4j\.bolt/neo4j-bolt-connection.*$</packageUrl>
<cve>CVE-2026-1337</cve>
</suppress>
<!-- Same CVE-2026-1337 false positive for Helidon's own neo4j integration artifact.
NOTE(review): presumably the artifact name is being matched to Neo4j itself, as with
the dbclient-mongodb and db-mysql entries above; confirm.
-->
<suppress>
<notes><![CDATA[
file name: io.helidon.integrations.neo4j:helidon-integrations-neo4j:4.4.0-SNAPSHOT
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.helidon\.integrations\.neo4j/helidon-integrations-neo4j.*$</packageUrl>
<cve>CVE-2026-1337</cve>
</suppress>
<!--
This CVE is old and was fixed in Kotlin 1.4.21. The CPE recently changed in NVD.
Will keep an eye on this to see if the CPE in NVD is bad, or if there is something new.
NOTE(review): this is described as a watch item but has no expiry, so it never forces a
re-check; consider <suppress until="YYYY-MM-DD"> (placeholder date) for it.
-->
<suppress>
<notes><![CDATA[
file name: kotlin-stdlib-1.9.10.jar
file name: kotlin-stdlib-jdk7-1.9.10.jar
file name: kotlin-stdlib-jdk8-1.9.10.jar
file name: kotlin-stdlib-common-1.9.10.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin-stdlib.*$</packageUrl>
<cve>CVE-2020-29582</cve>
</suppress>
</suppressions>