-
Notifications
You must be signed in to change notification settings - Fork 336
/
dependency-check-suppression.xml
52 lines (52 loc) · 2.29 KB
/
dependency-check-suppression.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress until="2024-11-01Z">
<notes><![CDATA[
This CVE only affect Multiplatform Gradle Projects, which this project is not.
https://nvd.nist.gov/vuln/detail/CVE-2022-24329
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib.*@.*$</packageUrl>
<cve>CVE-2022-24329</cve>
</suppress>
<suppress until="2024-12-01Z">
<notes><![CDATA[
This CVE only affect programs using loadXML and is derived from using ksp.
We do not use the loadXML, ksp is used to generate navigation paths in our code
and not for processesing any user input.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.devtools\.ksp/symbol\-processing.*@.*$</packageUrl>
<cve>CVE-2018-1000840</cve>
</suppress>
<suppress until="2024-12-01Z">
<notes><![CDATA[
False-positive only affecting javascript gRPC packages.
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/protoc\-gen\-grpc\-kotlin@.*$</packageUrl>
<cve>CVE-2020-7768</cve>
</suppress>
<suppress until="2024-12-01Z">
<notes><![CDATA[
No impact on this app since it uses UDS rather than HTTP2.
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/.*@.*$</packageUrl>
<cve>CVE-2023-32732</cve>
<cve>CVE-2023-33953</cve>
<cve>CVE-2023-44487</cve>
</suppress>
<suppress until="2024-12-26Z">
<notes><![CDATA[
False-positive related to a NodeJS library and not the one we use.
]]></notes>
<packageUrl regex="true">^pkg:maven/commons\-validator/commons\-validator@.*$</packageUrl>
<cve>CVE-2021-3765</cve>
</suppress>
<suppress until="2024-12-01Z">
<notes><![CDATA[
Denial of service using protobuf.
Should not be applicable since client and server are always in sync and we are only
communicating locally over UDS.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf-.*@.*$</packageUrl>
<cve>CVE-2024-7254</cve>
</suppress>
</suppressions>