-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathdependency-check-suppressions.xml
91 lines (86 loc) · 2.97 KB
/
dependency-check-suppressions.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2022 Projeto e-cordel (http://ecordel.com.br)
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
~
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes>
<![CDATA[
file name: tomcat-embed-core-9.0.56.jar
the vulnerable feature is disabled by default in spring boot
]]>
</notes>
<cve>CVE-2022-23181</cve>
</suppress>
<suppress>
<notes>
<![CDATA[
file name: spring-core-5.3.20.jar
the vulnerable feature is disabled by default in spring boot
]]>
</notes>
<cve>CVE-2016-1000027</cve>
</suppress>
<suppress>
<notes>
<![CDATA[
file name: spring-tx-5.3.20.jar
the vulnerable feature is disabled by default in spring boot
]]>
</notes>
<cve>CVE-2016-1000027</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: snakeyaml-1.29.jar
file name: snakeyaml-1.30.jar
the application does not process yaml other than application.yaml configuration
]]></notes>
<vulnerabilityName>CVE-2022-25857</vulnerabilityName>
<vulnerabilityName>CVE-2022-1471</vulnerabilityName>
<cve>CVE-2022-38749</cve>
<cpe>cpe:/a:snakeyaml_project:snakeyaml</cpe>
<cpe>cpe:/a:yaml_project:yaml</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-boot-starter-security-2.7.4.jar
spring security version brought by starter is 5.7.3
the Spring Boot starter for Spring Security is mistaken with Spring Security itself.
https://stackoverflow.com/questions/72543477/cve-2022-22976-spring-boot-2-7-0
]]></notes>
<cve>CVE-2022-22978</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: jackson-core-2.14.2.jar
json-java CVE flagged for multiple unrelated Java JSON projects
https://github.com/jeremylong/DependencyCheck/issues/5502
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
<cve>CVE-2022-45688</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-web-6.1.11.jar
Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack.
We do not support etags.
TODO it may be removed when spring web is upgraded to 6.1.12
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl>
<vulnerabilityName>CVE-2024-38809</vulnerabilityName>
</suppress>
</suppressions>