suppressions.xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        file name: bcprov-ext-jdk15on-1.66.jar
        in project dependency: spring-cloud-starter-kubernetes-client-all
        ]]></notes>
        <cve>CVE-2020-28052</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: spring-cloud-function-core-3.2.2.jar
        in project dependency: spring-cloud-starter-bus-amqp
        ]]></notes>
        <cve>CVE-2022-22963</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: spring-hateoas-1.4.1.jar
        in project dependency: spring-boot-starter-hateoas
        msg: several CVEs belong to this.
        ]]></notes>
        <cve>CVE-2016-1000027</cve>
    </suppress>
    <suppress>
        <cve>CVE-2022-22965</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: spring-plugin-core-2.0.0.RELEASE.jar
        in project dependency: spring-hateoas
        msg: several CVEs belong to this.
        ]]></notes>
        <cve>CVE-2016-1000027</cve>
    </suppress>
    <suppress>
        <cve>CVE-2022-22965</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: spring-retry-1.3.3.jar
        in project dependency: spring-kafka
        msg: "The specific exploit requires the application to run on Tomcat as a WAR deployment". Not a problem for us.
        ]]></notes>
        <cve>CVE-2022-22965</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: jackson-mapper-asl-1.7.2.jar
        in project dependency: oletobias-metadatarepository-api
        msg: catalog-search-index-service uses oletobias-metadatarepository-api.
        ]]></notes>
        <cve>CVE-2017-17485</cve>
    </suppress>
    <suppress>
        <cve>CVE-2017-7525</cve>
    </suppress>
    <suppress>
        <cve>CVE-2017-15095</cve>
    </suppress>
    <suppress>
        <cve>CVE-2018-14718</cve>
    </suppress>
    <suppress>
        <cve>CVE-2019-17267</cve>
    </suppress>
    <suppress>
        <cve>CVE-2019-16335</cve>
    </suppress>
    <suppress>
        <cve>CVE-2019-14893</cve>
    </suppress>
    <suppress>
        <cve>CVE-2019-14540</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: jackson-xc-1.7.2.jar
        in project dependency: oletobias-metadatarepository-api
        msg: catalog-search-index-service uses oletobias-metadatarepository-api.
        ]]></notes>
        <cve>CVE-2018-7489</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: jackson-xc-1.7.2.jar
        in project dependency: oletobias-metadatarepository-api
        msg: meta-harvester-harvester uses oletobias-metadatarepository-api.
        ]]></notes>
        <cve>CVE-2020-10650</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: reactor-kafka-1.3.11.jar
        msg: In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are able to exploit this vulnerability. Users should upgrade to 2.1.1 or later where this vulnerability has been fixed. No newer version available as of 28.04.2022.
        ]]></notes>
        <cve>CVE-2018-17196</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: spring-security-web-5.6.3.jar
        msg: In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
        ]]></notes>
        <cve>CVE-2022-22978</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: icu4j-62.1.jar
        msg: May go away when we upgrade Elasticsearch to a newer version (7.7.0 -> ~).
        ]]></notes>
        <cve>CVE-2018-18928</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: spring-data-mongodb-3.3.4.jar
        in project dependency: spring-boot-starter-data-mongodb-reactive
        msg: This is in spring-boot-parent:2.6.7.
        ]]></notes>
        <cve>CVE-2022-22980</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: commons-text-1.9.jar
        in project dependency: iiif-presentation
        msg:
        ]]></notes>
        <cve>CVE-2022-42889</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: h2-1.4.200.jar
        msg: alisa-order-management-service: H2 can be upgraded after flyway is removed.
        ]]></notes>
        <cve>CVE-2022-23221</cve>
        <cve>CVE-2021-23463</cve>
        <cve>CVE-2021-42392</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: snakeyaml-1.29.jar
        msg: snakeyaml https://github.com/spring-projects/spring-boot/issues/33457
        Spring Boot already uses SafeConstructor internally so I don't think there are any changes we need to make. Furthermore, typically Spring Boot application only use SnakeYaml to parse application.yaml files, which should be trusted already. Users that use SnakeYaml directly to parse data from untrusted sources should implement their own mitigation strategies.
        ]]></notes>
        <cve>CVE-2022-1471</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: kafka-clients-3.0.1.jar
        msg: nb-rest-utils:eventlog, Kafka related.
        ]]></notes>
        <cve>CVE-2023-25194</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: exceptions-0.0.1-SNAPSHOT.jar
        msg: nb-utils-reactive. Search for the CVE for further information.
        ]]></notes>
        <cve>CVE-2023-2972</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: thymeleaf-spring6-3.1.1.RELEASE.jar
        msg: spring-boot-admin. Not a concern since spring-boot-admin is internal only.
        ]]></notes>
        <cve>CVE-2023-38286</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: axis-1.4.jar
        msg: used by dsm-client-thin, internal use only. catalog-alto-service.
        ]]></notes>
        <cve>CVE-2023-40743</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: commons-compress-1.24.0.jar
        msg: Comes in as part of spring-cloud-starter-kubernetes-client-all.
        ]]></notes>
        <cve>CVE-2024-25710</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: jose4j-0.9.3.jar
        msg: used in kubernetes-java-client.
        ]]></notes>
        <cve>CVE-2023-51775</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: spring-web-6.1.4.jar
        msg: fixed in 6.1.6, but Spring has not yet pulled it into the latest Boot version, which is 3.2.4.
        ]]></notes>
        <cve>CVE-2024-22262</cve>
    </suppress>
</suppressions>