Merge pull request #1511 from macfarla/h2-sup

update dependencies h2, slf4j
Consensys · Jan 10, 2023 · 5aa8369 · 5aa8369
2 parents db87e21 + d24a58a
commit 5aa8369
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 4 deletions.
diff --git a/build.gradle b/build.gradle
@@ -119,7 +119,7 @@ allprojects {
         implementation "org.bouncycastle:bcpkix-jdk15on:1.68"
         implementation "org.bouncycastle:bcprov-jdk15on:1.68"
 
-        implementation "com.h2database:h2:2.1.212"
+        implementation "com.h2database:h2:2.1.214"
         implementation "com.zaxxer:HikariCP:5.0.1"
 
         implementation "org.hsqldb:hsqldb:2.7.1"

diff --git a/cvss-suppressions.xml b/cvss-suppressions.xml
@@ -11,11 +11,10 @@
     </suppress>
     <suppress>
         <notes><![CDATA[
-   file name: h2-2.1.212.jar (pkg:maven/com.h2database/[email protected], cpe:2.3:a:h2database:h2:2.1.212:*:*:*:*:*:*:*) : CVE-2018-14335
-   this CVE is fixed in 2.1.212 but the dependency check is false positive
+   file name: h2-2.1.214.jar (pkg:maven/com.h2database/[email protected], cpe:2.3:a:h2database:h2:2.1.214:*:*:*:*:*:*:*) : CVE-2022-45868
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
-        <cve>CVE-2018-14335</cve>
+        <cve>CVE-2022-45868</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
@@ -39,4 +38,26 @@
         <packageUrl regex="true">^pkg:maven/org.yaml/[email protected]</packageUrl>
         <cve>CVE-2022-38752</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: snakeyaml-1.33.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org.yaml/[email protected]</packageUrl>
+        <cve>CVE-2022-1471</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: commons-io-2.11.0.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/commons-io/[email protected]</packageUrl>
+        <cve>CVE-2021-37533</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: jcl-over-slf4j-1.7.36.jar
+    (pkg:maven/org.slf4j/[email protected], cpe:2.3:a:apache:commons_net:1.7.36:*:*:*:*:*:*:*) : CVE-2021-37533
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.slf4j/[email protected]</packageUrl>
+        <cve>CVE-2021-37533</cve>
+    </suppress>
 </suppressions>