forked from codice/alliance
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdependency-check-maven-config.xml
54 lines (46 loc) · 2.07 KB
/
dependency-check-maven-config.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
<suppress>
<notes><![CDATA[
These are false positives that identify catalog-core-urlresourcereader and
spatial-ogc-urlresourcereader as a "Yourfreeworld.com short URL & URL tracker script" library
]]></notes>
<gav regex="true">^((ddf\.catalog\.core:catalog-core-)|(org.codice.ddf.spatial:spatial-ogc-))urlresourcereader:.*$</gav>
<cve>CVE-2006-6460</cve>
</suppress>
<suppress>
<notes><![CDATA[
This dependency is mistakenly identified as an Email-Address module for Perl, but it's not.
It's a pure Java email address validator/parser that only depends on javax.mail
]]></notes>
<gav regex="true">^com\.github\.bbottema:emailaddress-rfc2822:.*$</gav>
<cve>CVE-2015-7686</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE was already suppressed in DDF (https://github.com/codice/ddf/pull/2062), but it
shows up again because of embed-dependency making the gav regex no longer match
The same suppression still applies
]]></notes>
<gav regex="true">^ddf\.platform:platform-http-proxy:.*$</gav>
<cve>CVE-2017-3159</cve>
</suppress>
<suppress>
<notes><![CDATA[
These CVEs were suppressed in DDF (https://github.com/codice/ddf/pull/2728), but they showed
up again because of embed-dependency making the gav regex no longer match
The same suppression still applies
]]></notes>
<gav regex="true">^ddf\.platform:platform-http-proxy:.*$</gav>
<cve>CVE-2017-12633</cve>
<cve>CVE-2017-12634</cve>
</suppress>
<suppress>
<notes><![CDATA[
CVE-2011-2730 is related to a vulnerability in the VMware SpringSource Spring Framework,
where OWASP flags jars that are unrelated or have no dependency on Spring, so marking it
as a false positive.
]]></notes>
<cve>CVE-2011-2730</cve>
</suppress>
</suppressions>