forked from Unidata/tds
-
Notifications
You must be signed in to change notification settings - Fork 0
/
dependency-check-suppression.xml
97 lines (97 loc) · 4.06 KB
/
dependency-check-suppression.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
file name: tdmFat-5.0.0-SNAPSHOT.jar
file name: tdm-5.0.0-SNAPSHOT.jar
reason: not related to the THREDDS Data Manager (TDM), but a different tdm.
]]></notes>
<filePath regex="true">.*\/tdm.*\.jar</filePath>
<cpe>cpe:/a:tdm_project:tdm</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: affinity-3.1.10.jar
reason: CVE in mintToken function of a smart contract implementation for Thread, an Ethereum token.
not related to the Java Thread Affinity library pulled in my chronicle-map.
]]></notes>
<filePath regex="true">.*\/affinity.*\.jar</filePath>
<cve>CVE-2018-13752</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: affinity pom
reason: CVE in mintToken function of a smart contract implementation for Thread, an Ethereum token.
not related to the Java Thread Affinity library pulled in my chronicle-map.
]]></notes>
<filePath regex="true">.*\/net.openhft\/affinity\/pom.xml</filePath>
<cve>CVE-2018-13752</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: org.slf4j:slf4j-api:1.8.0-beta2
reason: The CVE-80888 report says this is fixed in beta2, so false positive
]]></notes>
<filePath regex="true">.*\/slf4j-api-1.8.0-beta2.jar</filePath>
<cve>CVE-2018-8088</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: org.slf4j:/jcl-over-slf4j:1.8.0-beta2
reason: The CVE-80888 report says this is fixed in beta2, so false positive
]]></notes>
<filePath regex="true">.*\/jcl-over-slf4j-1.8.0-beta2.jar</filePath>
<cve>CVE-2018-8088</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: pax-url-aether jcl-over-slf4j pom
reason: we override the version of jcl-over-slf4j, so the one listed in this pom is not actually being used.
]]></notes>
<filePath regex="true">.*pax-url-aether-2.4.5.jar\/META-INF\/maven\/org.slf4j\/jcl-over-slf4j\/pom.xml</filePath>
<cve>CVE-2018-8088</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: toolsUI-*.jar
reason: toolsUI isn't data-tools -> https://github.com/clarkgrubb/data-tools/
]]></notes>
<filePath regex="true">.*\/toolsUI.*\.jar</filePath>
<cve>CVE-2018-18749</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: tds-*.war: ehcache-2.10.6.jar/rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
reason: ehcache server not used, so safe to ignore (see https://groups.google.com/forum/#!category-topic/ehcache-users/pafTyMJIngI, https://github.com/jeremylong/DependencyCheck/issues/517)
]]></notes>
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2.9.6.*$</gav>
<cve>CVE-2018-1000873</cve>
<cve>CVE-2018-14719</cve>
<cve>CVE-2018-14720</cve>
<cve>CVE-2018-14721</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name example: quartz-2.2.3.jar
reason: quartz is being misidentified as jenkins -> https://github.com/jeremylong/DependencyCheck/issues/1637#issuecomment-451115272
]]></notes>
<gav regex="true">^org\.quartz-scheduler:quartz:.*$</gav>
<cpe>cpe:/a:jenkins:jenkins</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name example: spring-security-core-4.2.7.RELEASE.jar, spring-security-cweb-4.2.7.RELEASE.jar
reason: Only valid if specifically using in combination with Spring 5.0.5 RELEASE. https://pivotal.io/security/cve-2018-1258
]]></notes>
<gav regex="true">^org\.springframework\.security:spring-security.*$</gav>
<cve>CVE-2018-1258</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: tds-5.0.0-SNAPSHOT.war: chronicle-wire-2.17.5.jar
reason: not a chronicle-wire vulnerability (wire package for Android)
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.openhft/chronicle\-wire@.*$</packageUrl>
<cve>CVE-2018-8909</cve>
</suppress>
</suppressions>