This repository has been archived by the owner on Feb 3, 2023. It is now read-only.
forked from adaptris/interlok-build-parent
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathowasp-exclude.xml
86 lines (86 loc) · 3.27 KB
/
owasp-exclude.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
file name: xercesImpl-2.12.2.jar
CVE-2017-10355 is around java web start, and not explicitly xercesImpl; the sonatype reference
isn't clear either. Since xerces is used to run transforms, and that functionality is
required, we suppress.
]]>
</notes>
<packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
<vulnerabilityName>CVE-2017-10355</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
We don't use snakeyaml directly so we can't switch to using SafeConstructor
It's usually done by jackson, so we have to wait on them to resolve
]]>
</notes>
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
<vulnerabilityName>CVE-2022-1471</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
file name: jackson-databind-2.13.4.jar, will be resolved in 2.14.0
]]>
</notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<vulnerabilityName>CVE-2022-42003</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
file name: jettison-1.2.jar
XStream / JSON depends on jettison-1.2 and doesn't work with 1.3+
Not much we can do w/o patching the interlok project
]]>
</notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.jettison/jettison@.*$</packageUrl>
<vulnerabilityName>CVE-2022-45685</vulnerabilityName>
<vulnerabilityName>CVE-2022-45693</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
file name: commons-beanutils-1.9.4.jar
]]>
</notes>
<packageUrl regex="true">^pkg:maven/commons\-beanutils/commons\-beanutils@.*$</packageUrl>
<cpe>cpe:/a:apache:commons_net</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: commons-codec-1.15.jar
]]>
</notes>
<packageUrl regex="true">^pkg:maven/commons\-codec/commons\-codec@.*$</packageUrl>
<cpe>cpe:/a:apache:commons_net</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: json-utils-0.1.7.jar
false-positive because cpe:2.3:a:utils_project:utils:2.0.3:*:*:*:*:*:*:* isn't this.
]]>
</notes>
<packageUrl regex="true">^pkg:maven/com\.bazaarvoice\.jolt/json\-utils@.*$</packageUrl>
<cpe>cpe:/a:utils_project:utils</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: LatencyUtils-2.0.3.jar
false-positive because cpe:2.3:a:utils_project:utils:2.0.3:*:*:*:*:*:*:* isn't this.
]]>
</notes>
<packageUrl regex="true">^pkg:maven/org\.latencyutils/LatencyUtils@.*$</packageUrl>
<cpe>cpe:/a:utils_project:utils</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: snakeyaml-1.33.jar
false-positive because cpe:2.3:a:yaml_project:yaml:1.33:*:*:*:*:*:*:* (CVE-2022-3064 / CVE-2021-4235 are GO vulns)
]]>
</notes>
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
<cve>CVE-2022-3064</cve>
<cve>CVE-2021-4235</cve>
</suppress>
</suppressions>