Remove unnecessary suppressions (#683)

LabKey · Jan 23, 2024 · 10d4d12 · 10d4d12
1 parent 8916959
commit 10d4d12
Showing 1 changed file with 0 additions and 90 deletions.
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
@@ -49,15 +49,6 @@
         <cve>CVE-2021-39491</cve>
     </suppress>
 
-    <!-- Prevent match against unrelated JSON library -->
-    <suppress>
-        <notes><![CDATA[
-   file name: json-20230227.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
-        <cve>CVE-2022-45688</cve>
-    </suppress>
-
     <!--
     GWT uses Protobuf internally but doesn't expose it, meaning the handful of CVEs in 2.5.0 are not a concern.
     https://github.com/gwtproject/gwt/issues/9778
@@ -72,28 +63,6 @@
         <vulnerabilityName>CVE-2021-22569</vulnerabilityName>
     </suppress>
 
-    <!-- Guava has deprecated the problematic com.google.common.io.Files.createTempDir(), the topic of this CVE,
-     and we don't call it. https://github.com/google/guava/issues/4011 -->
-    <suppress>
-        <notes><![CDATA[
-   file name: guava-31.1-jre.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
-        <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
-    </suppress>
-
-    <!--
-    Actually packages MINA 2.2.1 but dependency check confuses the version number.
-    https://search.maven.org/artifact/org.apache.directory.api/api-parent/2.1.3/jar?eh=
-     -->
-    <suppress>
-        <notes><![CDATA[
-   file name: api-all-2.1.3.jar (shaded: org.apache.directory.api:api-ldap-net-mina:2.1.3)
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.directory\.api/api\-ldap\-net\-mina@.*$</packageUrl>
-        <cve>CVE-2021-41973</cve>
-    </suppress>
-
     <!-- Tangled CVEs. See https://github.com/jeremylong/DependencyCheck/issues/4614 and https://github.com/OSSIndex/vulns/issues/316 -->
     <suppress>
         <notes><![CDATA[
@@ -103,7 +72,6 @@
         <vulnerabilityName>CVE-2017-10355</vulnerabilityName>
     </suppress>
 
-
     <!--
      We don't use any classes from org.springframework.remoting.httpinvoker like HttpInvokerServiceExporter
      https://github.com/spring-projects/spring-framework/issues/24434
@@ -117,7 +85,6 @@
         <vulnerabilityName>CVE-2016-1000027</vulnerabilityName>
     </suppress>
 
-
     <!--
     For our purposes, Random is good enough, and not worth publishing our own version of the artifact that uses
     SecureRandom. https://github.com/penggle/kaptcha/issues/3
@@ -139,7 +106,6 @@
         <cve>CVE-2016-3093</cve>
     </suppress>
 
-
     <!-- False positive - we're not bundling Windows PGP -->
     <suppress>
         <notes><![CDATA[
@@ -192,7 +158,6 @@
         <cve>CVE-2022-3421</cve>
     </suppress>
 
-
     <!--
     This is a dependency of Java-FPDF, used by the WNPRC billing module for PDF generation, which hasn't been updated
     to reference the now-renamed Commons Imaging library instead of the old Sanselan incubator. The CVE is related
@@ -236,15 +201,6 @@
         <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
     </suppress>
 
-    <!-- False positive. We're using MINA Core. The vulnerability is in MINA's SSHD-Core, which we don't use. -->
-    <suppress>
-        <notes><![CDATA[
-   file name: mina-core-2.2.1.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.mina/mina\-core@.*$</packageUrl>
-        <cve>CVE-2023-35887</cve>
-    </suppress>
-
     <!-- The CVE is against Quartz Jobs, not the core Quartz library, so this is a false positive given our actual dependency.
      For additional info see: Issue #48405
     -->
@@ -259,52 +215,6 @@
         <cpe>cpe:/a:softwareag:quartz</cpe>
     </suppress>
 
-    <!--
-    The CVE has a low impact (DDOS) and targets older versions of Postgres (<= v12.2), not the JDBC driver itself.
-    -->
-    <suppress>
-        <notes><![CDATA[
-   file name: postgresql-42.6.0.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.postgresql/postgresql@.*$</packageUrl>
-        <vulnerabilityName>CVE-2020-21469</vulnerabilityName>
-    </suppress>
-
-    <!--
-    Netty doesn't turn on cert checking by default, so this gets flagged periodically. per the linked discussion
-    this should be handled/enabled when configuring the client to use https.
-     For more info see: https://github.com/jeremylong/DependencyCheck/issues/5912#issuecomment-1699363391 and the subsequent rabbit-hole.
-    -->
-    <suppress>
-        <notes><![CDATA[
-   file name: netty-handler-4.1.100.Final.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl>
-        <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
-    </suppress>
-
-    <!--
-    json-java versioning does not work with cpe; suppressing specifically for CVE-2023-5072
-    -->
-    <suppress>
-        <notes><![CDATA[
-   file name: json-20231013.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
-        <cve>CVE-2023-5072</cve>
-    </suppress>
-
-    <!--
-    false-positive CVE as per https://github.com/dom4j/dom4j/issues/171
-    -->
-    <suppress>
-        <notes><![CDATA[
-   file name: dom4j-2.1.4.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.dom4j/dom4j@.*$</packageUrl>
-        <vulnerabilityName>CVE-2023-45960</vulnerabilityName>
-    </suppress>
-
     <!--
     GraalJS shaded and re-versioned icu4j without changing the file name, leading to many old CVEs getting tagged.
     This should be fixed soon, but suppress all CVEs for now. https://github.com/oracle/graal/issues/8204