mirror of
https://github.com/cryptomator/cryptomator.git
synced 2024-11-23 20:19:41 +00:00
74 lines
3.0 KiB
XML
74 lines
3.0 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!-- This file lists false positives found by org.owasp:dependency-check-maven build plugin -->
|
|
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
|
|
<suppress>
|
|
<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for fuse-nio-adapter. For more info, see suppression.xml of https://github.com/cryptomator/fuse-nio-adapter ]]></notes>
|
|
<gav regex="true">^org\.cryptomator:fuse-nio-adapter:.*$</gav>
|
|
<cvssBelow>9</cvssBelow>
|
|
</suppress>
|
|
<suppress>
|
|
<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for jfuse (dependency of fuse-nio-adapter). ]]></notes>
|
|
<gav regex="true">^org\.cryptomator:jfuse.*$</gav>
|
|
<cvssBelow>9</cvssBelow>
|
|
</suppress>
|
|
|
|
<!-- Jetty false positives below -->
|
|
<suppress>
|
|
<notes><![CDATA[
|
|
Suppress all for this javax.servlet api package:
|
|
There are lots of false positives, simply because its version number is way beyond the remaining
|
|
org.eclipse.jetty jar files. Note, that our actual Jetty version is different.
|
|
|
|
As long as we don't suppress anything in org.eclipse.jetty:jetty-server or :jetty-servlet,
|
|
vulnerabilities will still trigger if we actually use an outdated Jetty version.
|
|
]]></notes>
|
|
<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
|
|
<cpe regex="true">.*</cpe>
|
|
</suppress>
|
|
|
|
<suppress>
|
|
<notes><![CDATA[
|
|
Incorrectly matched CPE, see https://github.com/jeremylong/DependencyCheck/issues/4177git
|
|
]]></notes>
|
|
<gav regex="true">^org\.cryptomator:.*$</gav>
|
|
<cpe>cpe:/a:cryptomator:cryptomator</cpe>
|
|
<cve>CVE-2022-25366</cve>
|
|
</suppress>
|
|
|
|
<!-- Apache Commons-cli false positives below -->
|
|
<suppress>
|
|
<notes><![CDATA[
|
|
False positive for commons-cli due, see https://github.com/jeremylong/DependencyCheck/pull/4148
|
|
]]></notes>
|
|
<gav regex="true">^commons\-cli:commons\-cli:.*$</gav>
|
|
<cpe>cpe:/a:apache:james</cpe>
|
|
<!-- while we are at it exclude also these fp -->
|
|
<cpe>cpe:/a:spirit-project:spirit</cpe>
|
|
<cpe>cpe:/a:apache:commons_net</cpe>
|
|
</suppress>
|
|
|
|
<suppress>
|
|
<notes><![CDATA[
|
|
False positive for jackson-core-2.13.4.jar, see https://github.com/jeremylong/DependencyCheck/issues/5502
|
|
]]></notes>
|
|
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
|
|
<cve>CVE-2022-45688</cve>
|
|
</suppress>
|
|
|
|
<suppress>
|
|
<notes><![CDATA[
|
|
False positive for jackson-databind-2.14.2.jar, see https://github.com/FasterXML/jackson-databind/issues/3972
|
|
]]></notes>
|
|
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
|
|
<cve>CVE-2023-35116</cve>
|
|
</suppress>
|
|
|
|
<suppress>
|
|
<notes><![CDATA[
|
|
False positive for jackrabbit-webdav-2.21.15.jar. This component is not affected, see https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw
|
|
]]></notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/jackrabbit\-webdav@.*$</packageUrl>
|
|
<cve>CVE-2023-37895</cve>
|
|
</suppress>
|
|
</suppressions>
|