<?xml version="1.0" encoding="UTF-8"?>
<!--
  OWASP dependency-check suppression file (suppression schema 1.3, per the xmlns below).
  Each <suppress> silences the listed <cve> / <vulnerabilityName> findings for the dependencies
  selected by its <packageUrl> pattern; an optional until="YYYY-MM-DDZ" attribute makes the
  suppression expire on that date, after which the finding is reported again.
  The <notes> text is documentation for reviewers only and does not take part in matching.
  NOTE(review): entries with no "until" attribute never expire, and entries with no selector
  child (packageUrl, sha1, filePath) are not limited to the jar named in their notes;
  both cases are marked below so they can be re-evaluated.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!--
  NOTE(review): this entry and the next two carry only a <cve> with no <packageUrl>, so the
  suppression is presumably applied to every scanned dependency, not just the jar named in the
  notes; confirm this is intended, otherwise add a scoped packageUrl like the entries further
  down. They also have no "until" date and no written justification.
-->
<suppress>
<notes><![CDATA[
file name: netty-transport-classes-epoll-4.1.94.Final.jar
]]></notes>
<cve>CVE-2023-44487</cve>
</suppress>
<!-- Unscoped and non-expiring, see the note on the entry above. -->
<suppress>
<notes><![CDATA[
file name: netty-transport-classes-epoll-4.1.94.Final.jar
]]></notes>
<cve>CVE-2023-4586</cve>
</suppress>
<!--
  Unscoped and non-expiring, see the note on the first entry. The notes name a SNAPSHOT build;
  presumably the suppression should be revisited once the corresponding release is in use.
-->
<suppress>
<notes><![CDATA[
file name: rewrite-kotlin-1.6.0-SNAPSHOT.jar
]]></notes>
<cve>CVE-2023-30853</cve>
</suppress>
<!--
  Scoped to jackson-databind, but the pattern "@.*$" matches every version and there is no
  "until" date, so this stays suppressed permanently; the linked upstream issue is the
  justification to re-check if that changes.
-->
<suppress>
<notes><![CDATA[
file name: jackson-databind-2.15.2.jar
This is not a really valid CVE and not really exploitable as Java code needs to be modified: https://github.com/FasterXML/jackson-databind/issues/3972
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<cve>CVE-2023-35116</cve>
</suppress>
<!--
  NOTE(review): the "file name" line in these notes says jackson-databind, but the packageUrl
  and the justification both refer to prometheus-rsocket-client; the file name looks like a
  leftover from the entry above and should be corrected so the notes match the selector.
  Version-unbounded and non-expiring, as above.
-->
<suppress>
<notes><![CDATA[
file name: jackson-databind-2.15.2.jar
The CVE https://nvd.nist.gov/vuln/detail/CVE-2019-3826 does not actually pertain to the Micrometer Prometheus client, but Prometheus itself
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.micrometer\.prometheus/prometheus\-rsocket\-client@.*$</packageUrl>
<cve>CVE-2019-3826</cve>
</suppress>
<!--
  Time-boxed suppression for a deliberately pinned Guava version (see the linked revert).
  NOTE(review): the version segment of this packageUrl reads "[email protected]" on this rendered
  page, which looks like an artifact of the page extractor rather than the real pattern; the
  notes say the pinned artifact is guava 31.1-jre. Verify the pattern against the repository
  source, since a malformed regex would silently fail to match (and therefore not suppress).
-->
<suppress until="2024-12-13Z">
<notes><![CDATA[
file name: guava-31.1-jre.jar
Reverted in https://github.com/openrewrite/rewrite-python/commit/f487df7dabb8588ae2edb17e31ff7b8ba3ffc133 because Guava 32 introduces gradle module metadata which causes downstream breakage in build plugins.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.guava/[email protected]$</packageUrl>
<cve>CVE-2023-2976</cve>
<cve>CVE-2020-8908</cve>
</suppress>
<!-- Scoped and time-boxed; the notes give no reason the finding is a false positive or accepted. -->
<suppress until="2024-10-27Z">
<notes><![CDATA[
file name: snappy-java-1.1.10.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.xerial\.snappy/snappy\-java@.*$</packageUrl>
<cve>CVE-2023-43642</cve>
</suppress>
<!--
  jgit is shaded into rewrite-core (per the notes), so the selector targets the shaded
  coordinates. This entry uses <vulnerabilityName> instead of <cve>; the schema accepts both.
-->
<suppress until="2024-12-13Z">
<notes><![CDATA[
file name: rewrite-core-8.6.0-SNAPSHOT.jar (shaded: org.eclipse.jgit:org.eclipse.jgit:5.13.2.202306221912-r)
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
<vulnerabilityName>CVE-2023-4759</vulnerabilityName>
</suppress>
<!--
  The next six entries suppress the same pair, CVE-2022-4244 and CVE-2022-4245, for six
  different org.codehaus.plexus artifacts with the same expiry, so they will all resurface
  together on 2024-12-13. None of them records why the match is considered a false positive;
  add that reasoning to the notes so the next reviewer can re-evaluate instead of re-deriving it.
-->
<suppress until="2024-12-13Z">
<notes><![CDATA[
file name: plexus-cipher-2.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-cipher@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
<cve>CVE-2022-4245</cve>
</suppress>
<suppress until="2024-12-13Z">
<notes><![CDATA[
file name: plexus-classworlds-2.7.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-classworlds@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
<cve>CVE-2022-4245</cve>
</suppress>
<suppress until="2024-12-13Z">
<notes><![CDATA[
file name: plexus-component-annotations-2.1.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-component\-annotations@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
<cve>CVE-2022-4245</cve>
</suppress>
<suppress until="2024-12-13Z">
<notes><![CDATA[
file name: plexus-interactivity-api-1.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-interactivity\-api@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
<cve>CVE-2022-4245</cve>
</suppress>
<suppress until="2024-12-13Z">
<notes><![CDATA[
file name: plexus-interpolation-1.26.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-interpolation@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
<cve>CVE-2022-4245</cve>
</suppress>
<suppress until="2024-12-13Z">
<notes><![CDATA[
file name: plexus-sec-dispatcher-2.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-sec\-dispatcher@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
<cve>CVE-2022-4245</cve>
</suppress>
<!--
  Same two CVEs as the first two (unscoped) entries in this file, here correctly limited to
  netty-transport and time-boxed. If the scoped form is the intended one, the two unscoped
  entries at the top are probably redundant and could be narrowed or dropped.
-->
<suppress until="2024-12-13Z">
<notes><![CDATA[
file name: netty-transport-4.1.94.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty\-transport@.*$</packageUrl>
<cve>CVE-2023-4586</cve>
<cve>CVE-2023-44487</cve>
</suppress>
<!-- Scoped and time-boxed; no justification recorded in the notes. -->
<suppress until="2024-12-13Z">
<notes><![CDATA[
file name: reactor-netty-core-1.0.32.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.projectreactor\.netty/reactor\-netty\-core@.*$</packageUrl>
<cve>CVE-2023-34054</cve>
<cve>CVE-2023-34062</cve>
</suppress>
</suppressions>