-
Notifications
You must be signed in to change notification settings - Fork 5
/
dependency-check-suppression.xml
33 lines (33 loc) · 1.66 KB
/
dependency-check-suppression.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- Java deserialization is not used for untrusted data, remote data is exclusively XML. //-->
<suppress>
<notes><![CDATA[
file name: spring-web-5.3.27.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
<cve>CVE-2016-1000027</cve>
</suppress>
<!-- YAML parsing is not used for untrusted data, remote data is exclusively XML. //-->
<suppress>
<notes><![CDATA[
file name: snakeyaml-1.30.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
<vulnerabilityName>CVE-2022-1471</vulnerabilityName>
<vulnerabilityName>CVE-2022-25857</vulnerabilityName>
<vulnerabilityName>CVE-2022-38749</vulnerabilityName>
<vulnerabilityName>CVE-2022-38751</vulnerabilityName>
<vulnerabilityName>CVE-2022-38752</vulnerabilityName>
<vulnerabilityName>CVE-2022-41854</vulnerabilityName>
<vulnerabilityName>CVE-2022-38750</vulnerabilityName>
</suppress>
<!-- Problem exists for specially crafted objects that use cyclic dependencies. The steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker. -->
<suppress>
<notes><![CDATA[
file name: jackson-databind-2.13.5.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<cve>CVE-2023-35116</cve>
</suppress>
</suppressions>