2022-08-04 12:26:41 +02:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
We don't use the Spring HTTP invoker which causes this vulnerability due to Java deserialization.
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl>
|
|
|
|
<cve>CVE-2016-1000027</cve>
|
|
|
|
</suppress>
|
2022-10-05 06:31:53 +02:00
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
We don't use the UNWRAP_SINGLE_VALUE_ARRAYS feature and thus are not affected.
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
|
|
|
|
<cve>CVE-2022-42003</cve>
|
|
|
|
</suppress>
|
2024-01-03 09:24:14 +01:00
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
We don't parse external XML.
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/org\.eclipse\.angus/angus\-activation@.*$</packageUrl>
|
|
|
|
<cpe>cpe:/a:eclipse:eclipse_ide</cpe>
|
|
|
|
</suppress>
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
We don't parse external XML.
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/jakarta\.activation/jakarta\.activation\-api@.*$</packageUrl>
|
|
|
|
<cpe>cpe:/a:eclipse:eclipse_ide</cpe>
|
|
|
|
</suppress>
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
Cyclic references are not possible if file comes in JSON text format.
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
|
|
|
|
<cpe>cpe:/a:fasterxml:jackson-databind</cpe>
|
|
|
|
</suppress>
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
As far as I see Criteria.parse(...) cannot be reached with external data.
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/com\.jayway\.jsonpath/json\-path@.*$</packageUrl>
|
|
|
|
<vulnerabilityName>CVE-2023-51074</vulnerabilityName>
|
|
|
|
</suppress>
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
Internal tooling, not exposed to the Internet.
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/org\.pitest/pitest\-command\-line@.*$</packageUrl>
|
|
|
|
<cpe>cpe:/a:line:line</cpe>
|
|
|
|
</suppress>
|
2024-01-04 09:10:20 +01:00
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
2024-01-05 11:07:34 +01:00
|
|
|
Spring Boot 3.1.x has a transient dependency to snakeyaml 1.3
|
|
|
|
which contains this vulnerability.
|
|
|
|
|
|
|
|
We've explicitly bumped to 2.2, but the vulnerability checker does not seem to notice that.
|
|
|
|
|
2024-01-04 09:10:20 +01:00
|
|
|
TODO: Remove this suppression once we are on SpringBoot 3.2,
|
|
|
|
as well as the explicit version bump and the transient dependency exclude.
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
|
|
|
|
<cve>CVE-2022-1471</cve>
|
|
|
|
</suppress>
|
2022-08-04 12:26:41 +02:00
|
|
|
</suppressions>
|