Merge branch 'update-android-supressions'

Author: albin-mullvad

android/config/dependency-check-suppression.xml

@@ -1,39 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress until="2024-05-01Z">
-        <notes><![CDATA[
-        This CVE only part of the debugAndroidTestRuntimeClasspath so suppressing in automatic
-        checks and tracking externally.
-
-        File name: guava-28.2-android.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
-        <cve>CVE-2020-8908</cve>
-    </suppress>
-    <suppress until="2024-03-01Z">
-        <notes><![CDATA[
-        This CVE only part of the debugAndroidTestRuntimeClasspath so suppressing in automatic
-        checks and tracking externally.
-
-        Fix released in: https://github.com/google/guava/releases/tag/v32.0.0
-
-        File name: guava-28.2-android.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
-        <cve>CVE-2023-2976</cve>
-    </suppress>
-    <suppress until="2024-05-01Z">
-        <notes><![CDATA[
-        This CVE only part of the debugAndroidTestRuntimeClasspath so suppressing in automatic
-        checks and tracking externally.
-
-        File name: jsoup-1.12.2.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.jsoup/jsoup@.*$</packageUrl>
-        <cve>CVE-2022-36033</cve>
-        <cve>CVE-2021-37714</cve>
-    </suppress>
-    <suppress until="2024-05-01Z">
+    <suppress until="2024-11-01Z">
         <notes><![CDATA[
         This CVE only affect Multiplatform Gradle Projects, which this project is not.
         https://nvd.nist.gov/vuln/detail/CVE-2022-24329
@@ -68,13 +35,4 @@
         <packageUrl regex="true">^pkg:maven/androidx\.test\.services/storage@.*$</packageUrl>
         <cve>CVE-2014-9152</cve>
     </suppress>
-    <suppress until="2024-05-01Z">
-        <notes><![CDATA[
-            Suppressing since the affected function isn't used in this project. No upstream fixes
-            are available at the time of adding this suppression.
-            https://nvd.nist.gov/vuln/detail/CVE-2024-23080
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/joda-time/joda-time@.*$</packageUrl>
-        <cve>CVE-2024-23080</cve>
-    </suppress>
 </suppressions>

android/test/test-suppression.xml

@@ -1,97 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <!--
-    CVEs in the e2e project are deemed less severe than CVEs in the main projects as CVEs in the e2e
-    project doesn't affect release or debug versions of the app.
-    -->
-    <suppress until="2023-06-01Z">
-        <notes><![CDATA[
-        This CVE is tracked externally and is therefore suppressed in the automatic audit checks.
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
-        <cve>CVE-2022-3171</cve>
-        <cve>CVE-2022-3509</cve>
-        <cve>CVE-2022-3510</cve>
-        <cve>CVE-2021-22569</cve>
-    </suppress>
-    <suppress until="2023-06-01Z">
-        <notes><![CDATA[
-        These CVEs affects the Apache Commons Net's FTP client that this app doesn't use.
-        https://www.openwall.com/lists/oss-security/2022/12/03/1
-
-        File names:
-        - commons-beanutils-1.9.4.jar
-        - commons-collections-3.2.2.jar
-        - commons-digester-2.1.jar
-        - commons-logging-1.2.jar
-        - commons-validator-1.7.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/commons\-.*/commons\-.*@.*$</packageUrl>
-        <cve>CVE-2021-37533</cve>
-    </suppress>
-    <suppress until="2023-06-01Z">
-        <notes><![CDATA[
-        This CVE is tracked externally and is therefore suppressed in the automatic audit checks.
-        https://nvd.nist.gov/vuln/detail/CVE-2021-29425
-
-        File name: commons-io-2.4.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl>
-        <cve>CVE-2021-29425</cve>
-    </suppress>
-    <suppress until="2023-06-01Z">
-        <notes><![CDATA[
-        These CVEs are tracked externally and is therefore suppressed in the automatic audit checks.
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>
-        <cve>CVE-2021-37136</cve>
-        <cve>CVE-2021-37137</cve>
-        <cve>CVE-2021-43797</cve>
-        <cve>CVE-2021-21295</cve>
-        <cve>CVE-2021-21409</cve>
-        <cve>CVE-2021-21290</cve>
-        <cve>CVE-2022-24823</cve>
-        <cve>CVE-2022-41881</cve>
-        <cve>CVE-2022-41915</cve>
-    </suppress>
-    <suppress until="2023-06-01Z">
-        <notes><![CDATA[
-        This CVE is tracked externally and is therefore suppressed in the automatic audit checks.
-        https://nvd.nist.gov/vuln/detail/CVE-2022-25647
-
-        File name: gson-2.8.6.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.google\.code\.gson/gson@.*$</packageUrl>
-        <cve>CVE-2022-25647</cve>
-    </suppress>
-    <suppress until="2023-06-01Z">
-        <notes><![CDATA[
-        This CVE only affect Multiplatform Gradle Projects, which this project is not.
-        https://nvd.nist.gov/vuln/detail/CVE-2022-24329
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib.*@.*$</packageUrl>
-        <cve>CVE-2022-24329</cve>
-    </suppress>
-    <suppress until="2023-06-01Z">
-        <notes><![CDATA[
-        This CVE is limited to processing of screenshots, which this app doesn't use.
-        https://nvd.nist.gov/vuln/detail/CVE-2021-4277
-
-        File name: legacy-support-core-utils-1.0.0.aar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/androidx\.legacy/legacy\-support\-core\-utils@.*$</packageUrl>
-        <cve>CVE-2021-4277</cve>
-    </suppress>
-    <suppress until="2023-06-01Z">
-        <notes><![CDATA[
-        This CVE is limited to processing of screenshots, which this app doesn't use.
-        https://nvd.nist.gov/vuln/detail/CVE-2021-4277
-
-        File name: common-30.3.1.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.android\.tools/common@.*$</packageUrl>
-        <cve>CVE-2021-4277</cve>
-    </suppress>
     <suppress until="2024-06-01Z">
         <notes><![CDATA[
         This CVE only affect the leakCanary build type which is limited to memory leak testing etc.
@@ -102,14 +10,6 @@
         <packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio.*@.*$</packageUrl>
         <cve>CVE-2023-3635</cve>
     </suppress>
-    <suppress until="2023-12-01Z">
-        <notes><![CDATA[
-        This CVE only affect certain test cases so suppressing until patched.
-        https://nvd.nist.gov/vuln/detail/CVE-2023-3782
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp3/.*@.*$</packageUrl>
-        <cve>CVE-2023-3782</cve>
-    </suppress>
     <suppress until="2024-09-01Z">
         <notes><![CDATA[
             False-positive related to Drupal rather than Android development.
@@ -118,13 +18,4 @@
         <packageUrl regex="true">^pkg:maven/androidx\.test\.services/storage@.*$</packageUrl>
         <cve>CVE-2014-9152</cve>
     </suppress>
-    <suppress until="2024-05-01Z">
-        <notes><![CDATA[
-            Suppressing since the affected function isn't used in this project. No upstream fixes
-            are available at the time of adding this suppression.
-            https://nvd.nist.gov/vuln/detail/CVE-2024-23080
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/joda-time/joda-time@.*$</packageUrl>
-        <cve>CVE-2024-23080</cve>
-    </suppress>
 </suppressions>