dependency-check-suppression.xml

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- For information see https://jeremylong.github.io/DependencyCheck/general/suppression.html -->

<!-- This CVE is against the etcd server. We use the Java client
-->
<suppress>
   <notes><![CDATA[
   file name: etcd4j-2.17.0.jar
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.mousio/etcd4j@.*$</packageUrl>
   <cpe>cpe:/a:etcd:etcd</cpe>
</suppress>


<!-- This CVE is against Neo4j through 3.4.18. We use Neo4j 4.x
     Helidon's Neo4j integration triggered a false positive due to it's 
     version being < 3.4.18
-->
<suppress>
   <notes><![CDATA[
   file name: io.helidon.integrations.neo4j:helidon-integrations-neo4j:2.4.0-SNAPSHOT
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.helidon\.integrations\.neo4j/helidon\-integrations\-neo4j@.*$</packageUrl>
   <cve>CVE-2021-34371</cve>
</suppress>

<!-- False positive.
     This CVE is against the H2 web admin console which we do not use
-->
<suppress>
   <notes><![CDATA[
   file name: h2-2.1.212.jar
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
   <cve>CVE-2022-45868</cve>
</suppress>

<!-- okhttp is a transitive fourth party dependency of Jaeger client. This CVE is considered
     by the okhttp team as not exploitable unless the class in question is used
     directly by an application (highly unlikely). See https://github.com/square/okhttp/issues/6724
     They have only fixed this in 4.9.3 and newer. We can't force upgrade due to a tangle of
     dependencies, compatibility, and issues with dependency convergence.
-->
<suppress>
   <notes><![CDATA[
   file name: okhttp-3.14.9.jar
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp3/okhttp@.*$</packageUrl>
   <vulnerabilityName>CVE-2021-0341</vulnerabilityName>
</suppress>

<!-- False Positive. This CVE is against graphql-java, not the microprofile-graphql-api
-->
<suppress>
   <notes><![CDATA[
   file name: microprofile-graphql-api-2.0.jar
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.graphql/microprofile\-graphql\-api@.*$</packageUrl>
   <cve>CVE-2022-37734</cve>
</suppress>

<!-- False Positive. This CVE is against graphql-java, not graphql-java-dataloader
     See https://github.com/jeremylong/DependencyCheck/issues/5641
-->
<suppress>
   <notes><![CDATA[
   file name: java-dataloader-3.1.0.jar
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.graphql\-java/java\-dataloader@.*$</packageUrl>
   <cve>CVE-2023-28867</cve>
</suppress>

<!-- False Postive. This CVE is against the kafka server. This is the kafka client
-->
<suppress>
   <notes><![CDATA[
   file name: kafka-clients-2.8.1.jar
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka\-clients@.*$</packageUrl>
   <cve>CVE-2022-34917</cve>
</suppress>

<!-- False Positive. CVE-2023-25194 is against Kafka Connect, not the client -->
<!-- See https://github.com/jeremylong/DependencyCheck/issues/5469 -->
<suppress>
   <notes><![CDATA[
   file name: kafka-clients-2.8.1.jar
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka\-clients@.*$</packageUrl>
   <cve>CVE-2023-25194</cve>
</suppress>

<!-- False Positive. This CVE is against H2 1.x.
-->
<suppress>
   <notes><![CDATA[
   file name: h2-2.1.212.jar
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
   <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
</suppress>

<!-- This is a low priority CVE against a deprecated method in Guava. We don't use guava directly.
     This CVE bounces in and out of being "fixed" in version 30 and later.
-->
<suppress>
   <notes><![CDATA[
   file name: guava-31.1-jre.jar
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
   <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
</suppress>


</suppressions>