
Commit 2db702d

author
Stefan Kock
committed
SORMAS-Foundation#3580: Dependency-Check: False positives and Not exploitables documented
1 parent 17d3411 commit 2db702d

1 file changed

Lines changed: 80 additions & 0 deletions

Lines changed: 80 additions & 0 deletions
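--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+
+<!-- *** False positives *** -->
+<suppress>
+<notes><![CDATA[
+We are using newer Gradle version 5.4.1
+]]></notes>
+<filePath regex="true">.*\bgradle-wrapper.*\.jar</filePath>
+<cve>CVE-2019-11065</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+CVE addresses "data-tools" (not Java) which dows not seem to be uses by "jackson-dataformat-hal"
+]]></notes>
+<filePath regex="true">.*\bjackson-dataformat-hal.*\.jar</filePath>
+<cve>CVE-2018-18749</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+CVE is fixed with Keycloak 10, we use at least version 11
+]]></notes>
+<filePath regex="true">.*\bkeycloak-.*\.jar</filePath>
+<cve>CVE-2020-1728</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+We are using a newer version than Vaadin 6.4.9
+]]></notes>
+<filePath regex="true">.*\bvaadin-sass-compiler\.jar</filePath>
+<cve>CVE-2011-0509</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+False positive documented in Dependency Check 6.0.3, see https://github.com/jeremylong/DependencyCheck/issues/2511
+]]></notes>
+<filePath regex="true">.*\bvaadin-sass-compiler\.jar</filePath>
+<cve>CVE-2019-10799</cve>
+</suppress>
+<!-- *** False positives END *** -->
+
+<!-- *** Not exploitable *** -->
+<suppress>
+<notes><![CDATA[
+Not exploitable because we use Gradle as build tool to get public available dependencies without any credentials. Upgrade from 5.4.1 to 5.6.x might also be an option.
+]]></notes>
+<filePath regex="true">.*\bgradle-wrapper.*\.jar</filePath>
+<cve>CVE-2019-15052</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+Not relevant at the moment because we do not use SocketServer to receive logs.
+]]></notes>
+<filePath regex="true">.*\blogback-.*\.jar</filePath>
+<cve>CVE-2017-5929</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+maven-ant-tasks is not part of the release and is not relied on by the code
+]]></notes>
+<filePath regex="true">.*\bmaven-ant-tasks.*\.jar/META-INF/.*\bplexus-utils.*</filePath>
+<cve>CVE-2017-1000487</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+maven-ant-tasks is not part of the release and is not relied on by the code
+]]></notes>
+<filePath regex="true">.*\bmaven-ant-tasks.*\.jar/META-INF/.*\bplexus-utils.*</filePath>
+<vulnerabilityName>Directory traversal in org.codehaus.plexus.util.Expand</vulnerabilityName>
+</suppress>
+<suppress>
+<notes><![CDATA[
+maven-ant-tasks is not part of the release and is not relied on by the code
+]]></notes>
+<filePath regex="true">.*\bmaven-ant-tasks.*\.jar/META-INF/.*\bplexus-utils.*</filePath>
+<vulnerabilityName>Possible XML Injection</vulnerabilityName>
+</suppress>
+<!-- *** Not exploitable END *** -->
+
+</suppressions>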
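Review bot: The version-based "false positive" entries (CVE-2019-11065 on gradle-wrapper, CVE-2020-1728 on keycloak, CVE-2011-0509 on vaadin-sass-compiler) are matched only by a version-agnostic `filePath` regex such as `.*\bkeycloak-.*\.jar`, so the suppression stays in force even if the artifact is later downgraded or the advisory's affected range is widened, and the note's justification ("we use at least version 11") is never re-checked. The 1.3 suppression schema referenced on line 2 supports an expiry on each entry, e.g. `<suppress until="YYYY-MM-DDZ">` (placeholder date), which makes Dependency-Check surface the finding again after that date for re-review; the same bound fits the "not exploitable" entries for gradle-wrapper (CVE-2019-15052) and logback (CVE-2017-5929), whose reasoning depends on current usage ("we do not use SocketServer") that can change without anyone touching this file. Where the tool version in use offers it, keying the version-based entries on a `packageUrl` pattern that includes the fixed version range would also be more precise than the file-name regex. Minor: the jackson note reads "dows not seem to be uses"; "does not seem to be used" is intended.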
