cryptomator/suppression.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- This file lists false positives found by org.owasp:dependency-check-maven build plugin -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
	<suppress>
		<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for fuse-nio-adapter. For more info, see suppression.xml of https://github.com/cryptomator/fuse-nio-adapter ]]></notes>
		<gav regex="true">^org\.cryptomator:fuse-nio-adapter:.*$</gav>
		<cvssBelow>9</cvssBelow>
	</suppress>
	<suppress>
		<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for jfuse (dependency of fuse-nio-adapter). ]]></notes>
		<gav regex="true">^org\.cryptomator:jfuse.*$</gav>
		<cvssBelow>9</cvssBelow>
	</suppress>

	<!-- Jetty false positives below -->
	<suppress>
		<notes><![CDATA[
		Suppress all for this javax.servlet api package:
		There are lots of false positives, simply because its version number is way beyond the remaining
		org.eclipse.jetty jar files. Note, that our actual Jetty version is different.

		As long as we don't suppress anything in org.eclipse.jetty:jetty-server or :jetty-servlet,
		vulnerabilities will still trigger if we actually use an outdated Jetty version.
		]]></notes>
		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
		<cpe regex="true">.*</cpe>
	</suppress>

	<suppress>
		<notes><![CDATA[
        Incorrectly matched CPE, see https://github.com/jeremylong/DependencyCheck/issues/4177git
      ]]></notes>
		<gav regex="true">^org\.cryptomator:.*$</gav>
		<cpe>cpe:/a:cryptomator:cryptomator</cpe>
		<cve>CVE-2022-25366</cve>
	</suppress>

	<!-- Apache Commons-cli false positives below -->
	<suppress>
		<notes><![CDATA[
		False positive for commons-cli due, see https://github.com/jeremylong/DependencyCheck/pull/4148
		]]></notes>
		<gav regex="true">^commons\-cli:commons\-cli:.*$</gav>
		<cpe>cpe:/a:apache:james</cpe>
		<!-- while we are at it exclude also these fp -->
		<cpe>cpe:/a:spirit-project:spirit</cpe>
		<cpe>cpe:/a:apache:commons_net</cpe>
	</suppress>

	<suppress>
		<notes><![CDATA[
		False positive for jackson-core-2.13.4.jar, see https://github.com/jeremylong/DependencyCheck/issues/5502
   ]]></notes>
		<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
		<cve>CVE-2022-45688</cve>
	</suppress>

	<suppress>
		<notes><![CDATA[
		False positive for jackson-databind-2.14.2.jar, see https://github.com/FasterXML/jackson-databind/issues/3972
   ]]></notes>
		<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
		<cve>CVE-2023-35116</cve>
	</suppress>

	<suppress>
		<notes><![CDATA[
		False positive for jackrabbit-webdav-2.21.15.jar. This component is not affected, see https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw
   ]]></notes>
		<packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/jackrabbit\-webdav@.*$</packageUrl>
		<cve>CVE-2023-37895</cve>
	</suppress>
</suppressions>
Single maven module (#1676) combined all sources into single maven module 2021-06-04 18:09:10 +00:00			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!-- This file lists false positives found by org.owasp:dependency-check-maven build plugin -->`
			`<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">`
			`<suppress>`
			`<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for fuse-nio-adapter. For more info, see suppression.xml of https://github.com/cryptomator/fuse-nio-adapter ]]></notes>`
			`<gav regex="true">^org\.cryptomator:fuse-nio-adapter:.*$</gav>`
			`<cvssBelow>9</cvssBelow>`
			`</suppress>`
			`<suppress>`
adjust suppression.xml to jfuse 2022-11-07 15:17:50 +00:00			`<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for jfuse (dependency of fuse-nio-adapter). ]]></notes>`
			`<gav regex="true">^org\.cryptomator:jfuse.*$</gav>`
Single maven module (#1676) combined all sources into single maven module 2021-06-04 18:09:10 +00:00			`<cvssBelow>9</cvssBelow>`
			`</suppress>`

			`<!-- Jetty false positives below -->`
			`<suppress>`
[Snyk] Security upgrade org.cryptomator:webdav-nio-adapter from 1.2.2 to 1.2.3 (#1698) * fix: pom.xml to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-1313686 * adjusted suppression config * bump webdav version Co-authored-by: Sebastian Stenzel <sebastian.stenzel@gmail.com> 2021-06-24 07:58:47 +00:00			`<notes><![CDATA[`
			`Suppress all for this javax.servlet api package:`
			`There are lots of false positives, simply because its version number is way beyond the remaining`
			`org.eclipse.jetty jar files. Note, that our actual Jetty version is different.`
Single maven module (#1676) combined all sources into single maven module 2021-06-04 18:09:10 +00:00
[Snyk] Security upgrade org.cryptomator:webdav-nio-adapter from 1.2.2 to 1.2.3 (#1698) * fix: pom.xml to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-1313686 * adjusted suppression config * bump webdav version Co-authored-by: Sebastian Stenzel <sebastian.stenzel@gmail.com> 2021-06-24 07:58:47 +00:00			`As long as we don't suppress anything in org.eclipse.jetty:jetty-server or :jetty-servlet,`
			`vulnerabilities will still trigger if we actually use an outdated Jetty version.`
			`]]></notes>`
Single maven module (#1676) combined all sources into single maven module 2021-06-04 18:09:10 +00:00			`<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>`
[Snyk] Security upgrade org.cryptomator:webdav-nio-adapter from 1.2.2 to 1.2.3 (#1698) * fix: pom.xml to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-1313686 * adjusted suppression config * bump webdav version Co-authored-by: Sebastian Stenzel <sebastian.stenzel@gmail.com> 2021-06-24 07:58:47 +00:00			`<cpe regex="true">.*</cpe>`
Single maven module (#1676) combined all sources into single maven module 2021-06-04 18:09:10 +00:00			`</suppress>`
supress false positive in dependency-check plugin 2022-03-16 14:08:09 +00:00
			`<suppress>`
			`<notes><![CDATA[`
			`Incorrectly matched CPE, see https://github.com/jeremylong/DependencyCheck/issues/4177git`
			`]]></notes>`
			`<gav regex="true">^org\.cryptomator:.*$</gav>`
			`<cpe>cpe:/a:cryptomator:cryptomator</cpe>`
			`<cve>CVE-2022-25366</cve>`
			`</suppress>`

Update dependency-check plugin and exclude false positive 2022-12-07 13:17:42 +00:00			`<!-- Apache Commons-cli false positives below -->`
supress false positive in dependency-check plugin 2022-03-16 14:08:09 +00:00			`<suppress>`
			`<notes><![CDATA[`
bump dependency-check 2023-02-27 11:17:47 +00:00			`False positive for commons-cli due, see https://github.com/jeremylong/DependencyCheck/pull/4148`
supress false positive in dependency-check plugin 2022-03-16 14:08:09 +00:00			`]]></notes>`
			`<gav regex="true">^commons\-cli:commons\-cli:.*$</gav>`
			`<cpe>cpe:/a:apache:james</cpe>`
Update dependency-check plugin and exclude false positive 2022-12-07 13:17:42 +00:00			`<!-- while we are at it exclude also these fp -->`
supress false positive in dependency-check plugin 2022-03-16 14:08:09 +00:00			`<cpe>cpe:/a:spirit-project:spirit</cpe>`
Update dependency-check plugin and exclude false positive 2022-12-07 13:17:42 +00:00			`<cpe>cpe:/a:apache:commons_net</cpe>`
supress false positive in dependency-check plugin 2022-03-16 14:08:09 +00:00			`</suppress>`
suppress false positive 2023-02-27 11:19:13 +00:00
			`<suppress>`
			`<notes><![CDATA[`
			`False positive for jackson-core-2.13.4.jar, see https://github.com/jeremylong/DependencyCheck/issues/5502`
			`]]></notes>`
			`<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>`
			`<cve>CVE-2022-45688</cve>`
			`</suppress>`

Suppress a CVE false-positive for jackson-databind 2.14.2 Also see https://github.com/cryptomator/cryptomator/pull/2961#issuecomment-1597652134. 2023-06-19 20:31:50 +00:00			`<suppress>`
			`<notes><![CDATA[`
			`False positive for jackson-databind-2.14.2.jar, see https://github.com/FasterXML/jackson-databind/issues/3972`
			`]]></notes>`
			`<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>`
			`<cve>CVE-2023-35116</cve>`
			`</suppress>`

suppress false positive in dependecy-check (jackrabbit-webdav) 2023-08-04 15:01:19 +00:00			`<suppress>`
			`<notes><![CDATA[`
			`False positive for jackrabbit-webdav-2.21.15.jar. This component is not affected, see https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw`
			`]]></notes>`
			`<packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/jackrabbit\-webdav@.*$</packageUrl>`
			`<cve>CVE-2023-37895</cve>`
			`</suppress>`
Suppress a CVE false-positive for jackson-databind 2.14.2 Also see https://github.com/cryptomator/cryptomator/pull/2961#issuecomment-1597652134. 2023-06-19 20:31:50 +00:00			`</suppressions>`