Remove unnecessary suppressions #683

Merged
merged 1 commit into from
Jan 23, 2024
90 changes: 0 additions & 90 deletions dependencyCheckSuppression.xml
Expand Up @@ -49,15 +49,6 @@
<cve>CVE-2021-39491</cve>
</suppress>

<!-- Prevent match against unrelated JSON library -->
<suppress>
<notes><![CDATA[
file name: json-20230227.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
<cve>CVE-2022-45688</cve>
</suppress>

<!--
GWT uses Protobuf internally but doesn't expose it, meaning the handful of CVEs in 2.5.0 are not a concern.
https://github.com/gwtproject/gwt/issues/9778
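Review bot: the org.json suppression for CVE-2022-45688 removed in this hunk was keyed on a version-agnostic packageUrl (`^pkg:maven/org\.json/json@.*$`) while its note named json-20230227.jar; a later hunk in the same file still references json-20231013.jar, so the jar has moved past the version this note described and the suppression no longer earns its place. Please state in the PR description that a dependency-check run is clean after this change, because a removed suppression that still matched a reported finding turns the next scan into a build failure rather than a quiet no-op.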
Expand All @@ -72,28 +63,6 @@
<vulnerabilityName>CVE-2021-22569</vulnerabilityName>
</suppress>

<!-- Guava has deprecated the problematic com.google.common.io.Files.createTempDir(), the topic of this CVE,
and we don't call it. https://github.com/google/guava/issues/4011 -->
<suppress>
<notes><![CDATA[
file name: guava-31.1-jre.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
<vulnerabilityName>CVE-2020-8908</vulnerabilityName>
</suppress>

<!--
Actually packages MINA 2.2.1 but dependency check confuses the version number.
https://search.maven.org/artifact/org.apache.directory.api/api-parent/2.1.3/jar?eh=
-->
<suppress>
<notes><![CDATA[
file name: api-all-2.1.3.jar (shaded: org.apache.directory.api:api-ldap-net-mina:2.1.3)
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.directory\.api/api\-ldap\-net\-mina@.*$</packageUrl>
<cve>CVE-2021-41973</cve>
</suppress>

<!-- Tangled CVEs. See https://github.com/jeremylong/DependencyCheck/issues/4614 and https://github.com/OSSIndex/vulns/issues/316 -->
<suppress>
<notes><![CDATA[
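Review bot: the two suppressions removed in this hunk (guava CVE-2020-8908 and api-ldap-net-mina CVE-2021-41973) were reasoned risk acceptances, not version-pinned false positives: the guava note records that the deprecated `com.google.common.io.Files.createTempDir()` is never called, and the MINA note records a version-detection mix-up by dependency-check. Neither packageUrl pattern is pinned to a version, so both would have kept matching after an upgrade; if they are being dropped because the artifacts were upgraded to fixed releases, say so in the description with the resolved versions, and if they are being dropped because the scanner stopped reporting them, note that instead, so the rationale captured in these comments survives in the history when either finding reappears.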
Expand All @@ -103,7 +72,6 @@
<vulnerabilityName>CVE-2017-10355</vulnerabilityName>
</suppress>


<!--
We don't use any classes from org.springframework.remoting.httpinvoker like HttpInvokerServiceExporter
https://github.com/spring-projects/spring-framework/issues/24434
Expand All @@ -117,7 +85,6 @@
<vulnerabilityName>CVE-2016-1000027</vulnerabilityName>
</suppress>


<!--
For our purposes, Random is good enough, and not worth publishing our own version of the artifact that uses
SecureRandom. https://github.com/penggle/kaptcha/issues/3
Expand All @@ -139,7 +106,6 @@
<cve>CVE-2016-3093</cve>
</suppress>


<!-- False positive - we're not bundling Windows PGP -->
<suppress>
<notes><![CDATA[
Expand Down Expand Up @@ -192,7 +158,6 @@
<cve>CVE-2022-3421</cve>
</suppress>


<!--
This is a dependency of Java-FPDF, used by the WNPRC billing module for PDF generation, which hasn't been updated
to reference the now-renamed Commons Imaging library instead of the old Sanselan incubator. The CVE is related
Expand Down Expand Up @@ -236,15 +201,6 @@
<vulnerabilityName>CVE-2023-35116</vulnerabilityName>
</suppress>

<!-- False positive. We're using MINA Core. The vulnerability is in MINA's SSHD-Core, which we don't use. -->
<suppress>
<notes><![CDATA[
file name: mina-core-2.2.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.mina/mina\-core@.*$</packageUrl>
<cve>CVE-2023-35887</cve>
</suppress>

<!-- The CVE is against Quartz Jobs, not the core Quartz library, so this is a false positive given our actual dependency.
For additional info see: Issue #48405
-->
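Review bot: the mina-core CVE-2023-35887 suppression removed here documented a component-level false positive (the note says the vulnerability is in MINA's SSHD-Core, which is not used) rather than a version-specific one, so its removal only holds for as long as dependency-check's CPE matching no longer associates mina-core with that CVE. Worth recording in the PR which mina-core version is now resolved and that the scan is clean, since a false positive of this kind can return with a vulnerability-feed update and the reasoning in this comment would then have to be rediscovered.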
Expand All @@ -259,52 +215,6 @@
<cpe>cpe:/a:softwareag:quartz</cpe>
</suppress>

<!--
The CVE has a low impact (DDOS) and targets older versions of Postgres (<= v12.2), not the JDBC driver itself.
-->
<suppress>
<notes><![CDATA[
file name: postgresql-42.6.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.postgresql/postgresql@.*$</packageUrl>
<vulnerabilityName>CVE-2020-21469</vulnerabilityName>
</suppress>

<!--
Netty doesn't turn on cert checking by default, so this gets flagged periodically. per the linked discussion
this should be handled/enabled when configuring the client to use https.
For more info see: https://github.com/jeremylong/DependencyCheck/issues/5912#issuecomment-1699363391 and the subsequent rabbit-hole.
-->
<suppress>
<notes><![CDATA[
file name: netty-handler-4.1.100.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl>
<vulnerabilityName>CVE-2023-4586</vulnerabilityName>
</suppress>

<!--
json-java versioning does not work with cpe; suppressing specifically for CVE-2023-5072
-->
<suppress>
<notes><![CDATA[
file name: json-20231013.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
<cve>CVE-2023-5072</cve>
</suppress>

<!--
false-positive CVE as per https://github.com/dom4j/dom4j/issues/171
-->
<suppress>
<notes><![CDATA[
file name: dom4j-2.1.4.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.dom4j/dom4j@.*$</packageUrl>
<vulnerabilityName>CVE-2023-45960</vulnerabilityName>
</suppress>

<!--
GraalJS shaded and re-versioned icu4j without changing the file name, leading to many old CVEs getting tagged.
This should be fixed soon, but suppress all CVEs for now. https://github.com/oracle/graal/issues/8204
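Review bot: the netty CVE-2023-4586 comment removed in this hunk carried an action item that the deletion silently discards: the note says Netty does not turn on certificate checking by default and that this "should be handled/enabled when configuring the client to use https". Dropping the suppression does not by itself change how the client is configured, so if the entry is going away because netty-handler was upgraded past 4.1.100.Final, please say so, and in either case consider tracking the client-side certificate verification item somewhere other than this suppression file. The postgresql CVE-2020-21469 entry was likewise a risk acceptance (low impact, server-side rather than the JDBC driver) whose rationale should be restated in the description, while the json CVE-2023-5072 and dom4j CVE-2023-45960 entries were scanner false positives per their notes, so for those a clean dependency-check run is sufficient evidence.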