-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
/
.dependency-check-suppressions.xml
103 lines (103 loc) · 4.7 KB
/
.dependency-check-suppressions.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
Ignore Openfire for the search jar, else dependency-check picks up every Openfire CVE since Openfire v1.7.2
file name: search.jar: search-1.7.2.jar
]]> </notes>
<packageUrl regex="true">^pkg:maven/org\.igniterealtime\.openfire\.plugins/search@.*$</packageUrl>
<cpe>cpe:/a:igniterealtime:openfire</cpe>
</suppress>
<suppress>
<notes><![CDATA[
Ignore Openfire for the search jar, else dependency-check picks up every Openfire CVE since Openfire v1.7.2
file name: search.jar: search-1.7.2.jar
]]> </notes>
<packageUrl regex="true">^pkg:maven/org\.igniterealtime\.openfire\.plugins/search@.*$</packageUrl>
<cpe>cpe:/a:ignite_realtime:openfire</cpe>
</suppress>
<suppress>
<notes><![CDATA[
Ignore tag_project:tag - it's an MP3 tagging tool, and nothing to do with Apache Taglibs.
file name: taglibs-standard-impl-1.2.5.jar
]]> </notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.taglibs/taglibs\-standard\-impl@.*$</packageUrl>
<cpe>cpe:/a:tag_project:tag</cpe>
</suppress>
<suppress>
<notes><![CDATA[
Ignore an old CVE related to permissions when calling com.google.common.io.Files.createTempDir - we don't use this method
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
<vulnerabilityName>CVE-2020-8908</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
Ignore a CVE related only to Jetty's CGI servlet, which isn't used in Openfire.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-servlets@.*$</packageUrl>
<vulnerabilityName>CVE-2023-36479</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
Ignore a withdrawn CVE (see https://github.com/joker-xiaoyan/XXE-SAXReader/issues/1 and https://github.com/dom4j/dom4j/issues/171#issuecomment-1781547256)
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.dom4j/dom4j@.*$</packageUrl>
<cve>CVE-2023-45960</cve>
</suppress>
<suppress>
<notes><![CDATA[
Suppress eclipse:jetty issues for [email protected] since it's incorrectly pulling in all Jetty issues after Jetty v4, whereas jetty-servlet-api v4 is included in Jetty v10.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-servlet\-api@4\.0\..*$</packageUrl>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress>
<notes><![CDATA[
Suppress jetty:jetty issues for [email protected] since it's incorrectly pulling in all Jetty issues after Jetty v4, whereas jetty-servlet-api v4 is included in Jetty v10.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-servlet\-api@4\.0\..*$</packageUrl>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress>
<notes><![CDATA[
Ignore CVE about Netty defaults for hostname validation, since Openfire implements its own configurable hostname validation.
]]></notes>
<cve>CVE-2023-4586</cve>
</suppress>
<suppress>
<notes><![CDATA[
Ignore a CVE regarding Tomcat clustering, which isn't used in Openfire.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
<cve>CVE-2022-29885</cve>
</suppress>
<suppress>
<notes><![CDATA[
Rapid Reset was fixed in Jetty 10.0.18, which brings in this dependency.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
<cve>CVE-2023-44487</cve>
</suppress>
<suppress>
<notes><![CDATA[
Openfire doesn't persist sessions via Tomcat FileStore (or anything else, beyond preferences)
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
<cve>CVE-2022-23181</cve>
</suppress>
<suppress>
<notes><![CDATA[
Openfire doesn't make use of the example webapp in Tomcat
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
<cve>CVE-2022-34305</cve>
</suppress>
<suppress>
<notes><![CDATA[
Openfire doesn't use the ROOT webapp. Additional testing on 2023-11-13 against 7a53b23e565cdf06a541af82560a6c49d6c9d2ae.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
<cve>CVE-2023-41080</cve>
</suppress>
</suppressions>