Merge branch 'suppress-CVE-2024-47554'

mullvad · Oct 4, 2024 · a8c1af5 · a8c1af5
2 parents a93f452 + 94c1b2c
commit a8c1af5
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/android/config/dependency-check-suppression.xml b/android/config/dependency-check-suppression.xml
@@ -49,4 +49,11 @@
         <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf-.*@.*$</packageUrl>
         <cve>CVE-2024-7254</cve>
     </suppress>
+    <suppress until="2025-01-04Z">
+        <notes><![CDATA[
+            No impact since the app doesn't process externally crafted XML.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/commons-io/commons-io@.*$</packageUrl>
+        <cve>CVE-2024-47554</cve>
+    </suppress>
 </suppressions>
diff --git a/android/gradle/osv-scanner.toml b/android/gradle/osv-scanner.toml
@@ -73,6 +73,11 @@ id = "CVE-2024-7254" # GHSA-735f-pc8j-v9w8
 ignoreUntil = 2024-11-02
 reason = "Should not be applicable since client and server are always in sync and we are only communicating locally over UDS."
 
+[[IgnoredVulns]]
+id = "CVE-2024-47554" # GHSA-78wr-2p64-hpwj
+ignoreUntil = 2025-01-04
+reason = "No impact since the app doesn't process externally crafted XML."
+
 [[PackageOverrides]]
 name = "org.bouncycastle:bcprov-jdk15on"
 ecosystem = "Maven"