-
Notifications
You must be signed in to change notification settings - Fork 3
/
owasp-suppress.xml
107 lines (101 loc) · 4.32 KB
/
owasp-suppress.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- Deserialization of untrusted data is unsafe, but we only do that from trusted sources -->
<suppress>
<notes><![CDATA[
file name: spring-web-5.3.31.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org.springframework/spring-web@.*$</packageUrl>
<cve>CVE-2024-22262</cve>
<cve>CVE-2024-22243</cve>
<cve>CVE-2016-1000027</cve>
</suppress>
<!-- present even in the latest version - 1.33 -->
<suppress>
<notes><![CDATA[
file name: snakeyaml-1.33.jar
]]></notes>
<packageUrl regex="true">pkg:maven/org.yaml/snakeyaml@.*$</packageUrl>
<cve>CVE-2022-1471</cve>
</suppress>
<!-- we are not deploying to Cloud foundry now so this can be suppressed-->
<suppress>
<notes><![CDATA[
file name: spring-boot-starter-data-solr-2.4.13.jar
]]></notes>
<packageUrl regex="true">pkg:maven/org.springframework.boot/spring-boot-starter-data-solr@.*$</packageUrl>
<cve>CVE-2023-20873</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: zookeeper-3.6.2.jar
]]></notes>
<packageUrl regex="true">pkg:maven/org.apache.zookeeper/zookeeper@.*$</packageUrl>
<cve>CVE-2023-44981</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: zookeeper-jute-3.6.2.jar
]]></notes>
<packageUrl regex="true">pkg:maven/org.apache.zookeeper/zookeeper-jute@.*$</packageUrl>
<cve>CVE-2023-44981</cve>
</suppress>
<!-- it is transitive dependency coming from spring boot starter 2.7.18.
Using "**" as a pattern in Spring Security configuration for WebFlux creates
a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.
-->
<suppress>
<notes><![CDATA[
file name: spring-security-core-5.7.8.jar
]]></notes>
<packageUrl regex="true">pkg:maven/org.springframework.security/spring-security-core@.*$</packageUrl>
<cve>CVE-2024-22257</cve>
<cve>CVE-2023-34034</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-security-crypto-5.7.8.jar
]]></notes>
<packageUrl regex="true">pkg:maven/org.springframework.security/spring-security-crypto@.*$</packageUrl>
<cve>CVE-2023-34034</cve>
</suppress>
<!-- CVE-2024-38828 - Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.
CVE-2024-38809 - Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack.
CVE-2024-38816 - Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks
suppressing it as not sure if we want to update spring boot right now. Even if we update it spring version 6 is also affected with these vulnerabilities-->
<suppress>
<notes><![CDATA[
file name: spring-web-5.3.31.jar
]]></notes>
<packageUrl regex="true">pkg:maven/org.springframework/spring-web@.*$</packageUrl>
<cve>CVE-2024-38828</cve>
<cve>CVE-2024-38809</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-webflux-5.3.31.jar
]]></notes>
<packageUrl regex="true">pkg:maven/org.springframework/spring-webflux@.*$</packageUrl>
<cve>CVE-2024-38816</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-webmvc-5.3.31.jar
]]></notes>
<packageUrl regex="true">pkg:maven/org.springframework/spring-webmvc@.*$</packageUrl>
<cve>CVE-2024-38816</cve>
</suppress>
<!-- the latest version 1.8.0 also has the same vulnerabilities
swagger-ui-4.18.2.jar: swagger-ui-bundle.js: CVE-2024-45801(10.0), CVE-2024-47875(10.0)
swagger-ui-4.18.2.jar: swagger-ui-es-bundle.js: CVE-2024-45801(10.0), CVE-2024-47875(10.0) -->
<suppress>
<notes><![CDATA[
file name: swagger-ui-5.11.8.jar
]]></notes>
<packageUrl regex="true">pkg:javascript/DOMPurify@.*$</packageUrl>
<cve>CVE-2024-45801</cve>
<cve>CVE-2024-47875</cve>
<cve>CVE-2024-45801</cve>
<cve>CVE-2024-47875</cve>
</suppress>
</suppressions>