
Commit 6ae0396

committed
Update OWASP suppression file
1 parent b2443bb commit 6ae0396


2 files changed

+15
-25
lines changed

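--- a/SUPPRESSION_FILE_PATH_PLACEHOLDER
+++ b/SUPPRESSION_FILE_PATH_PLACEHOLDER
@@ -1,29 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-<suppress>
-<packageUrl regex="true">^pkg:maven/jakarta\.ws\.rs/jakarta\.ws\.rs-api@.*$</packageUrl>
-<cpe>cpe:/a:eclipse:eclipse_ide</cpe>
-</suppress>
-<suppress>
-<packageUrl regex="true">^pkg:maven/io\.kubernetes/client\-java@.*$</packageUrl>
-<cpe>cpe:/a:kubernetes:kubernetes</cpe>
-</suppress>
-<suppress>
-<packageUrl regex="true">^pkg:maven/io\.kubernetes/client\-java\-api@.*$</packageUrl>
-<cpe>cpe:/a:kubernetes:kubernetes</cpe>
-</suppress>
-<suppress>
-<packageUrl regex="true">^pkg:maven/io\.kubernetes/client\-java\-api\-fluent@.*$</packageUrl>
-<cpe>cpe:/a:kubernetes:kubernetes</cpe>
-</suppress>
-<suppress>
-<packageUrl regex="true">^pkg:maven/io\.kubernetes/client\-java\-proto@.*$</packageUrl>
-<cpe>cpe:/a:kubernetes:kubernetes</cpe>
-</suppress>
-<suppress>
-<packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
-<cpe>cpe:/a:google:protobuf-java</cpe>
-</suppress>
 <suppress>
 <packageUrl regex="true">^pkg:maven/oracle\.kubernetes/weblogic\-kubernetes\-operator@.*$</packageUrl>
 <cpe>cpe:/a:kubernetes:kubernetes</cpe>
@@ -44,4 +20,18 @@
 <packageUrl regex="true">^pkg:maven/oracle\.kubernetes/json\-schema@.*$</packageUrl>
 <cpe>cpe:/a:kubernetes:kubernetes</cpe>
 </suppress>
+<suppress>
+<notes><![CDATA[
+This CVE has been resolved by not using the vulnerable constructor and by updating all dependencies that use SnakeYAML to versions that also do not use the vulnerable constructor.
+]]></notes>
+<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
+<vulnerabilityName>CVE-2022-1471</vulnerabilityName>
+</suppress>
+<suppress>
+<notes><![CDATA[
+This CVE is in dispute for the very reason that it does not apply to us. We do not use databind for processing protocol data, but use it to write our own objects.
+]]></notes>
+<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-databind@.*$</packageUrl>
+<vulnerabilityName>CVE-2023-35116</vulnerabilityName>
+</suppress>
 </suppressions>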
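Review bot: Both new suppressions match every version of the artifact (`@.*$`) and carry no expiry, so the CVE-2022-1471 entry keeps masking the finding even if a later dependency bump reintroduces a SnakeYAML version whose default constructor is the vulnerable one. The suppression schema referenced at the top of the file allows an `until` date on `<suppress>`; writing `<suppress until="YYYY-MM-DDZ">` (date placeholder) makes the scanner resurface the finding after that date so the "resolved by not using the vulnerable constructor" justification is re-verified rather than trusted forever. The same applies to the CVE-2023-35116 jackson-databind entry, whose note rests on a usage claim ("we use it to write our own objects") that a future code change can silently invalidate; naming the code path that feeds databind in the note would let a reviewer check it. The anchoring `<packageUrl>` could also be narrowed to the version range the justification actually covers instead of `.*`, if the team knows it.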

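--- a/pom.xml
+++ b/pom.xml
@@ -292,7 +292,7 @@
 <configuration>
 <skip>${skip.dependency-check}</skip>
 <skipTestScope>true</skipTestScope>
-<failBuildOnAnyVulnerability>false</failBuildOnAnyVulnerability>
+<failBuildOnCVSS>0</failBuildOnCVSS>
 <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
 <formats>
 <format>HTML</format>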
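Review bot: The replacement of `<failBuildOnAnyVulnerability>false</failBuildOnAnyVulnerability>` with `<failBuildOnCVSS>0</failBuildOnCVSS>` changes the build from never failing on a scan finding to failing on every finding at or above CVSS 0, which is a policy change the commit title ("Update OWASP suppression file") does not mention. That makes the suppression file the only way a known finding passes the build, so the intent deserves an inline comment next to the setting, e.g. `<!-- fail on any reported vulnerability; accepted findings must be justified in the suppression file -->`. Note that `<skipTestScope>true</skipTestScope>` and the `${skip.dependency-check}` property above it still exclude test-scope artifacts and allow the whole check to be turned off, so the new threshold only governs what is actually scanned. The enclosing plugin configuration starts and ends outside the hunk.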
