forked from openrewrite/rewrite-recipe-markdown-generator
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsuppressions.xml
118 lines (115 loc) · 4.76 KB
/
suppressions.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
file name: snakeyaml-2.0.jar
Severity: HIGH
These vulnerabilities are not relevant to this project's usage of snakeyaml.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
<cve>CVE-2023-2251</cve>
<cve>CVE-2021-4235</cve>
<cve>CVE-2022-3064</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: LatencyUtils-2.0.3.jar
Not relevant. LatencyUtils is invoked through micrometer instrumentation, which is not
enabled when this project is run.
]]>
</notes>
<cve>CVE-2021-4277</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: commons-compress-1.22.jar
The CVE is specific to the .NET version of the library. This is the Java version.
This is a false positive.
]]>
</notes>
<cve>CVE-2021-37533</cve>
</suppress>
<suppress until="2023-03-10Z">
<notes>
<![CDATA[
file name: junit-jupiter-api-5.9.2.jar
False positive. The CVE is about the python web server platform flask, which has nothing to do with the Java unit testing framework JUnit
]]>
</notes>
<cve>CVE-2022-31514</cve>
</suppress>
<suppress until="2023-03-10Z">
<notes>
<![CDATA[
files: spring-aop.jar, spring-beans.jar, spring-context.jar, spring-core.jar, spring-jcl.jar, spring-messaging.jar, spring-web.jar, spring-webflux.jar, spring-context-support.jar, spring-jdbc.jar, spring-webmvc.jar, spring-websocket.jar
sev: CRITICAL
CVE-2016-1000027
False positive. Recipes which modify spring code are not themselves spring applications. The vulnerabilities of spring applications are irrelevant.
]]>
</notes>
<cve>CVE-2016-1000027</cve>
</suppress>
<suppress until="2023-03-10Z">
<notes>
<![CDATA[
file name: rewrite-jhipster-1.17.0.jar
False positive. Recipe module which affects jhipster applications is not itself a jhipster application.
]]>
</notes>
<cve>CVE-2019-16303</cve>
</suppress>
<suppress until="2023-04-09Z">
<notes><![CDATA[
file name: stax2-api-4.2.1.jar
Severity: HIGH
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.woodstox/stax2\-api@.*$</packageUrl>
<cve>CVE-2022-40152</cve>
</suppress>
<suppress until="2023-03-30Z">
<notes><![CDATA[
file name: rewrite-spring-4.33.0.jar: spring-core-4.3.30.RELEASE.jar
sev: CRITICAL
CVE-2022-22950
False positive. Affects Spring 5.3.16 up to 6.0 exposed HTTP Invoker endpoints to untrusted clients. We're not using HttpInvokerServiceExporter and do not have any exposed HTTP Invoker endpoints.
]]></notes>
<sha1>b255bb7389e582d24574f75bc0c880ffb8103dfa</sha1>
<cve>CVE-2022-22950</cve>
</suppress>
<suppress until="2024-01-30">
<notes>
<![CDATA[
files: spring-boot-1.5.22.RELEASE.jar, spring-core-4.3.30.RELEASE.jar
sev: CRITICAL
False positive. Recipes which modify spring-boot code are not themselves spring-boot applications. The vulnerabilities of spring-boot applications are irrelevant.
]]>
</notes>
<cve>CVE-2022-27772</cve>
<cve>CVE-2022-22965</cve>
<cve>CVE-2022-22968</cve>
<cve>CVE-2022-22970</cve>
</suppress>
<suppress until="2023-04-09Z">
<notes><![CDATA[
file name: javax.json-1.1.4.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish/javax\.json@.*$</packageUrl>
<cve>CVE-2022-45688</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: jackson-core-2.14.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
<cpe>cpe:/a:fasterxml:jackson-modules-java8</cpe>
<cpe>cpe:/a:json-java_project:json-java</cpe>
</suppress>
<suppress until="2023-07-21Z">
<notes><![CDATA[
file name: jackson-databind-2.15.2.jar
This is not a really valid CVE and not really exploitable as Java code needs to be modified: https://github.com/FasterXML/jackson-databind/issues/3972
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<cve>CVE-2023-35116</cve>
</suppress>
</suppressions>