Suppress CVE-2024-7254

Pururun · albin-mullvad · commit 4d571edcf3d9 · 2024-09-23T10:35:12.000+02:00
diff --git a/android/config/dependency-check-suppression.xml b/android/config/dependency-check-suppression.xml
@@ -40,4 +40,13 @@
         <packageUrl regex="true">^pkg:maven/commons\-validator/commons\-validator@.*$</packageUrl>
         <cve>CVE-2021-3765</cve>
     </suppress>
+    <suppress until="2024-12-01Z">
+        <notes><![CDATA[
+            Denial of service using protobuf.
+            Should not be applicable since client and server are always in sync and we are only
+            communicating locally over UDS.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf-.*@.*$</packageUrl>
+        <cve>CVE-2024-7254</cve>
+    </suppress>
 </suppressions>
diff --git a/android/gradle/osv-scanner.toml b/android/gradle/osv-scanner.toml
@@ -68,6 +68,11 @@ id = "CVE-2022-24329" # GHSA-2qp4-g3q3-f92w
 ignoreUntil = 2024-11-02
 reason = "This CVE only affect Multiplatform Gradle Projects, which this project is not."
 
+[[IgnoredVulns]]
+id = "CVE-2024-7254" # GHSA-735f-pc8j-v9w8
+ignoreUntil = 2024-11-02
+reason = "Should not be applicable since client and server are always in sync and we are only communicating locally over UDS."
+
 [[PackageOverrides]]
 name = "org.bouncycastle:bcprov-jdk15on"
 ecosystem = "Maven"
diff --git a/android/test/test-suppression.xml b/android/test/test-suppression.xml
@@ -17,4 +17,13 @@
         <cve>CVE-2023-33953</cve>
         <cve>CVE-2023-44487</cve>
     </suppress>
+    <suppress until="2024-12-01Z">
+        <notes><![CDATA[
+            Denial of service using protobuf.
+            Should not be applicable since client and server are always in sync and we are only
+            communicating locally over UDS.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf-.*@.*$</packageUrl>
+        <cve>CVE-2024-7254</cve>
+    </suppress>
 </suppressions>
