-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathdependency-check-suppressions.xml
121 lines (120 loc) · 5.86 KB
/
dependency-check-suppressions.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes>
<![CDATA[
Issue: Analyze CVE-2022-31569 in dynamic-resources-converter
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2022-31569
Library: oxygen-patched-mammoth-for-batch-converter-25.0-SNAPSHOT.jar
Reason: This vulnerability does not apply because the CVE refers to a Python project. It's a false positive.
]]>
</notes>
<filePath regex="true">.*[\\/]?oxygen-patched-mammoth-for-batch-converter-.*</filePath>
<cve>CVE-2022-31569</cve>
</suppress>
<suppress>
<notes><![CDATA[
Issue: Vulnerability issue - CVE-2022-42003 - com.fasterxml.jackson.core : jackson-databind : 2.13.4
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2022-42003
Library: jackson-databind-2.13.2.2.jar
Reason: This vulnerability does not apply because we don't enable the feature UNWRAP_SINGLE_VALUE_ARRAYS. It's a product "false positive".
]]></notes>
<filePath regex="true">.*[\\/]?jackson-databind-2\.13\.2\.2\.jar</filePath>
<cve>CVE-2022-42003</cve>
</suppress>
<suppress>
<notes><![CDATA[
Issue: Vulnerability issue - CVE-2022-42004 - com.fasterxml.jackson.core : jackson-databind : 2.13.2.2
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2022-42004
Library: jackson-databind-2.13.2.2.jar
Reason: This vulnerability does not apply because we don't enable the feature UNWRAP_SINGLE_VALUE_ARRAYS. It's a product "false positive".
]]></notes>
<filePath regex="true">.*[\\/]?jackson-databind-2\.13\.2\.2\.jar</filePath>
<cve>CVE-2022-42004</cve>
</suppress>
<suppress>
<notes><![CDATA[
Issue: Vulnerability issue - CVE-2022-3064 - flexmark-ext-yaml-front-matter-0.64.0
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2022-3064
Library: flexmark-ext-yaml-front-matter-0.64.0.jar
Reason: This is a detection false positive. The vulnerability affects the go-yaml project, not this one.
]]></notes>
<filePath regex="true">.*[\\/]?flexmark-ext-yaml-front-matter-0\.64\.0\.jar</filePath>
<cve>CVE-2022-3064</cve>
</suppress>
<suppress>
<notes><![CDATA[
EXM-52720: It's a detection false-positive.
]]></notes>
<filePath regex="true">.*[\\/]jackson-core-2\.13\.2.jar</filePath>
<cve>CVE-2022-45688</cve>
</suppress>
<suppress>
<notes><![CDATA[
EXM-52720, EXM-52798: oxygen-patched-json uses json-20230227.jar. It's a detection false-positive
]]></notes>
<filePath regex="true">.*[\\/]oxygen-patched-json-[0-9]{2}\.[0-9]-SNAPSHOT\.jar</filePath>
<cve>CVE-2022-45688</cve>
</suppress>
<suppress>
<notes><![CDATA[
EXM-52720, EXM-52798: oxygen-patched-json uses json-20230227.jar. It's a detection false-positive
]]></notes>
<filePath regex="true">.*oxygen-patched-json-[0-9]{2}\.[0-9]-SNAPSHOT\.jar[\\/]META-INF[\\/]maven[\\/]org\.json[\\/]json[\\/]pom\.xml</filePath>
<cve>CVE-2022-45688</cve>
</suppress>
<suppress>
<notes><![CDATA[
Issue: Vulnerability issue - CVE-2022-1471 - snakeyaml-1.33
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2022-1471
Library: snakeyaml-1.33.jar
Reason: This is a detection false positive.
]]></notes>
<filePath regex="true">.*[\\/]?snakeyaml-1\.33\.jar</filePath>
<cve>CVE-2022-1471</cve>
</suppress>
<suppress>
<notes><![CDATA[
Issue: Vulnerability issue - CVE-2022-3064 - snakeyaml-1.33
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2022-3064
Library: snakeyaml-1.33.jar
Reason: This is a detection false positive. The vulnerability affects the go-yaml project, not this one.
]]></notes>
<filePath regex="true">.*[\\/]?snakeyaml-1\.33\.jar</filePath>
<cve>CVE-2022-3064</cve>
</suppress>
<suppress>
<notes><![CDATA[
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2023-2251
Library: flexmark-ext-yaml-front-matter-0.64.0.jar
Reason: This is a detection false positive. The vulnerability affects the eemeli/yaml project, not this one.
]]></notes>
<filePath regex="true">.*[\\/]?flexmark-ext-yaml-front-matter-0\.64\.0\.jar</filePath>
<cve>CVE-2023-2251</cve>
</suppress>
<suppress>
<notes><![CDATA[
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2023-34623
Library: oxygen-patched-jtidy-for-batch-converter-26.0.jar
Reason: This is a detection false positive. The vulnerability was fixed in version jtidy-1.0.4 (the one that is used in the patch project).
]]></notes>
<filePath regex="true">.*[\\/]?oxygen-patched-jtidy-for-batch-converter-[0-9]{2}\.[0-9]-SNAPSHOT\.jar</filePath>
<cve>CVE-2023-34623</cve>
</suppress>
<suppress>
<notes><![CDATA[
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2023-34623
Library: oxygen-patched-jtidy-for-batch-converter-26.0.jar
Reason: This is a detection false positive. The vulnerability was fixed in version jtidy-1.0.4 (the one that is used in the patch project).
]]></notes>
<filePath regex="true">.*oxygen-patched-jtidy-for-batch-converter-[0-9]{2}\.[0-9]-SNAPSHOT\.jar[\\/]META-INF[\\/]maven[\\/]com\.github\.jtidy[\\/]jtidy[\\/]pom\.xml</filePath>
<cve>CVE-2023-34623</cve>
</suppress>
<suppress>
<notes><![CDATA[
EXM-53853: oxygen-patched-json uses json-20231013.jar. It's a detection false-positive
]]></notes>
<filePath regex="true">.*oxygen-patched-json.*\.jar[\\/]META-INF[\\/]maven[\\/]org\.json[\\/]json[\\/]pom\.xml</filePath>
<cve>CVE-2023-5072</cve>
</suppress>
</suppressions>