mirror of
https://github.com/cryptomator/cryptomator.git
synced 2024-11-27 05:50:26 +00:00
8e902877a3
(cherry picked from commit ebcd0adf78
)
49 lines
2.0 KiB
XML
49 lines
2.0 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!-- This file lists false positives found by org.owasp:dependency-check-maven build plugin -->
|
|
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
|
|
<suppress>
|
|
<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for fuse-nio-adapter. For more info, see suppression.xml of https://github.com/cryptomator/fuse-nio-adapter ]]></notes>
|
|
<gav regex="true">^org\.cryptomator:fuse-nio-adapter:.*$</gav>
|
|
<cvssBelow>9</cvssBelow>
|
|
</suppress>
|
|
<suppress>
|
|
<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for jfuse (dependency of fuse-nio-adapter). ]]></notes>
|
|
<gav regex="true">^org\.cryptomator:jfuse.*$</gav>
|
|
<cvssBelow>9</cvssBelow>
|
|
</suppress>
|
|
|
|
<!-- Jetty false positives below -->
|
|
<suppress>
|
|
<notes><![CDATA[
|
|
Suppress all for this javax.servlet api package:
|
|
There are lots of false positives, simply because its version number is way beyond the remaining
|
|
org.eclipse.jetty jar files. Note, that our actual Jetty version is different.
|
|
|
|
As long as we don't suppress anything in org.eclipse.jetty:jetty-server or :jetty-servlet,
|
|
vulnerabilities will still trigger if we actually use an outdated Jetty version.
|
|
]]></notes>
|
|
<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
|
|
<cpe regex="true">.*</cpe>
|
|
</suppress>
|
|
|
|
<suppress>
|
|
<notes><![CDATA[
|
|
Incorrectly matched CPE, see https://github.com/jeremylong/DependencyCheck/issues/4177git
|
|
]]></notes>
|
|
<gav regex="true">^org\.cryptomator:.*$</gav>
|
|
<cpe>cpe:/a:cryptomator:cryptomator</cpe>
|
|
<cve>CVE-2022-25366</cve>
|
|
</suppress>
|
|
|
|
<!-- Apache Commons-cli false positives below -->
|
|
<suppress>
|
|
<notes><![CDATA[
|
|
False positive for commons-cli due, see https://github.com/jeremylong/DependencyCheck/pull/4148
|
|
]]></notes>
|
|
<gav regex="true">^commons\-cli:commons\-cli:.*$</gav>
|
|
<cpe>cpe:/a:apache:james</cpe>
|
|
<!-- while we are at it exclude also these fp -->
|
|
<cpe>cpe:/a:spirit-project:spirit</cpe>
|
|
<cpe>cpe:/a:apache:commons_net</cpe>
|
|
</suppress>
|
|
</suppressions> |