forked from codice/alliance
-
Notifications
You must be signed in to change notification settings - Fork 0
/
dependency-check-maven-config.xml
107 lines (93 loc) · 3.69 KB
/
dependency-check-maven-config.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
<suppress>
<notes><![CDATA[
These are false positives that identify catalog-core-urlresourcereader and
spatial-ogc-urlresourcereader as a "Yourfreeworld.com short URL & URL tracker script" library
]]></notes>
<gav regex="true">^((ddf\.catalog\.core:catalog-core-)|(org.codice.ddf.spatial:spatial-ogc-))urlresourcereader:.*$</gav>
<cve>CVE-2006-6460</cve>
</suppress>
<suppress>
<notes><![CDATA[
This dependency is mistakenly identified as an Email-Address module for Perl, but it's not.
It's a pure Java email address validator/parser that only depends on javax.mail
]]></notes>
<gav regex="true">^com\.github\.bbottema:emailaddress-rfc2822:.*$</gav>
<cve>CVE-2015-7686</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE was already suppressed in DDF (https://github.com/codice/ddf/pull/2062), but it
shows up again because of embed-dependency making the gav regex no longer match
The same suppression still applies
]]></notes>
<gav regex="true">^ddf\.platform:platform-http-proxy:.*$</gav>
<cve>CVE-2017-3159</cve>
</suppress>
<suppress>
<notes><![CDATA[
These CVEs were suppressed in DDF (https://github.com/codice/ddf/pull/2728), but they showed
up again because of embed-dependency making the gav regex no longer match
The same suppression still applies
]]></notes>
<gav regex="true">^ddf\.platform:platform-http-proxy:.*$</gav>
<cve>CVE-2017-12633</cve>
<cve>CVE-2017-12634</cve>
</suppress>
<suppress>
<notes><![CDATA[
CVE-2011-2730 is related to a vulnerability in the VMware SpringSource Spring Framework,
where OWASP flags jars that are unrelated or have no dependency on Spring, so marking it
as a false positive.
]]></notes>
<cve>CVE-2011-2730</cve>
</suppress>
<suppress>
<notes>
These CVEs stem from kernel-2.12.0-SNAPSHOT.zip: pax-web-jsp-6.0.6.jar and its use in
Apache Tomcat. Because the system is not utilizing this library in a way that exposes
the vulnerabilities, these CVEs do not pose a risk.
</notes>
<cve>CVE-2009-3548</cve>
<cve>CVE-2011-3190</cve>
<cve>CVE-2013-2185</cve>
<cve>CVE-2014-0230</cve>
<cve>CVE-2016-5425</cve>
<cve>CVE-2016-6325</cve>
<cve>CVE-2016-8735</cve>
</suppress>
<suppress>
<notes>
These CVEs are not an issue since the software is not exposing STOMP over WebSocket
endpoints.
</notes>
<cve>CVE-2018-1270</cve>
<cve>CVE-2018-1275</cve>
</suppress>
<suppress>
<notes>
These CVEs affect Jetty 9.3.x up to 9.3.23 and 9.4.x up to 9.4.10. CAL is using a
version of jetty that does not fall within those ranges.
</notes>
<cve>CVE-2017-7658</cve>
<cve>CVE-2017-7657</cve>
</suppress>
<suppress>
<notes>FFMpeg vulnerabilities that don't affect our updated version</notes>
<cve>CVE-2009-0385</cve>
<cve>CVE-2011-4031</cve>
<cve>CVE-2005-4048</cve>
<cve>CVE-2018-1999012</cve>
</suppress>
<suppress>
<notes>
XXE vulnerability in the Karaf deploy folder, up to (including) Karaf 4.2.1. This is
mitigated by file system hardening.
</notes>
<cve>CVE-2018-11788</cve>
</suppress>
<suppress>
<cve>CVE-2017-8316</cve>
</suppress>
</suppressions>