-
Notifications
You must be signed in to change notification settings - Fork 153
/
Copy pathowasp-suppression.xml
141 lines (123 loc) · 4.2 KB
/
owasp-suppression.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!--
https://nvd.nist.gov/vuln/detail/CVE-2018-1258
Vulnerability only applies to old spring-framework versions.
-->
<suppress>
<cve>CVE-2018-1258</cve>
<cve>CVE-2013-4152</cve>
<cve>CVE-2013-7315</cve>
<cve>CVE-2014-0054</cve>
<cve>CVE-2016-1000027</cve>
<cve>CVE-2018-11039</cve>
<cve>CVE-2018-11040</cve>
<cve>CVE-2018-1257</cve>
<cve>CVE-2020-5421</cve>
<cve>CVE-2022-22950</cve>
<cve>CVE-2022-22965</cve>
<cve>CVE-2022-22968</cve>
<cve>CVE-2022-22970</cve>
<cve>CVE-2022-22976</cve>
<cve>CVE-2022-22978</cve>
<cve>CVE-2019-3772</cve>
<cve>CVE-2022-27772</cve>
<cve>CVE-2020-5408</cve>
</suppress>
<!--
https://nvd.nist.gov/vuln/detail/CVE-2021-22112
Only applies if using Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE,
we are using 5.3.9.
-->
<suppress>
<notes><![CDATA[
file name: spring-security-jwt-1.1.1.RELEASE.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-jwt@.*$</packageUrl>
<cve>CVE-2021-22112</cve>
</suppress>
<!--
https://nvd.nist.gov/vuln/detail/CVE-2020-14359
Only applies to Keycloak-gatekeeper not the keycloak libraries.
-->
<suppress>
<cve>CVE-2020-14359</cve>
</suppress>
<!--
https://nvd.nist.gov/vuln/detail/CVE-2020-14359
Only applies to Keycloak (server) not the keycloak libraries.
-->
<suppress>
<cve>CVE-2021-20323</cve>
<cve>CVE-2021-3632</cve>
<cve>CVE-2021-3637</cve>
<cve>CVE-2021-3827</cve>
<cve>CVE-2021-3856</cve>
<cve>CVE-2021-4133</cve>
<cve>CVE-2022-1245</cve>
<cve>CVE-2022-1466</cve>
</suppress>
<!--
https://nvd.nist.gov/vuln/detail/CVE-2020-8908
Only applies if using com.google.common.io.Files.createTempDir().
We are not using this function directly. We are dependent on our library to remove the usage of this method.
(the method is not fixed/removed from Guava so updating has no influence)
-->
<suppress>
<cve>CVE-2020-8908</cve>
</suppress>
<!--
https://nvd.nist.gov/vuln/detail/CVE-2020-8554
Only applies to Kubernetes API server not the kubernetes libraries.
-->
<suppress>
<cve>CVE-2020-8554</cve>
</suppress>
<!--
Only applies to the official Kubernetes Java client, not the client from fabric8io we are using.
-->
<suppress>
<cve>CVE-2020-8570</cve>
</suppress>
<suppress>
<!--
https://nvd.nist.gov/vuln/detail/CVE-2021-29425
Only applies to Apache Commons IO before 2.7, but we are using 2.7. (however somewhere this version is referred).
-->
<cve>CVE-2021-29425</cve>
<!-- Applies to commons-net, but this is not used -->
<cve>CVE-2021-37533</cve>
</suppress>
<!--
https://tanzu.vmware.com/security/cve-2015-5258
Only applies to springframework-social before 1.1.3, but we are using 1.1.6 (however somewhere this version is referred).
-->
<suppress>
<cve>CVE-2015-5258</cve>
</suppress>
<!-- Only applies to old Undertow/Jboss versions -->
<suppress>
<cve>CVE-2016-7046</cve>
<cve>CVE-2016-6311</cve>
</suppress>
<!-- H2: not relevant -->
<suppress>
<cve>CVE-2022-45868</cve>
</suppress>
<!-- xercesImpl: not related to xercesImpl-->
<suppress>
<cve>CVE-2017-10355</cve>
</suppress>
<suppress>
<!-- Related to nim lang, not Java-->
<cve>CVE-2020-23171</cve>
</suppress>
<suppress>
<!-- Not applicable, Spring does not accept requests without Host header -->
<cve>CVE-2016-6311</cve>
</suppress>
<suppress>
<!-- Disputed by developers, not relevant for ShinyProxy -->
<cve>CVE-2023-35116</cve>
</suppress>
</suppressions>