suppressions.xml

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
           file name: snakeyaml-2.0.jar
           Severity: HIGH
           These vulnerabilities are not relevant to this project's usage of snakeyaml.
           ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
        <cve>CVE-2023-2251</cve>
        <cve>CVE-2021-4235</cve>
        <cve>CVE-2022-3064</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
           file name: LatencyUtils-2.0.3.jar

           Not relevant. LatencyUtils is invoked through micrometer instrumentation, which is not
           enabled when this project is run.
           ]]>
        </notes>
        <cve>CVE-2021-4277</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
           file name: commons-compress-1.22.jar

           The CVE is specific to the .NET version of the library. This is the Java version.
           This is a false positive.
           ]]>
        </notes>
        <cve>CVE-2021-37533</cve>
    </suppress>
    <suppress until="2024-01-30">
        <notes>
            <![CDATA[
            files: spring-boot-1.5.22.RELEASE.jar, spring-core-4.3.30.RELEASE.jar
            sev: CRITICAL
            False positive. Recipes which modify spring-boot code are not themselves spring-boot applications. The vulnerabilities of spring-boot applications are irrelevant.
            ]]>
        </notes>
        <cve>CVE-2022-27772</cve>
        <cve>CVE-2022-22965</cve>
        <cve>CVE-2022-22968</cve>
        <cve>CVE-2022-22970</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
           file name: jackson-core-2.14.2.jar
           ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
        <cpe>cpe:/a:fasterxml:jackson-modules-java8</cpe>
        <cpe>cpe:/a:json-java_project:json-java</cpe>
    </suppress>
    <suppress until="2024-01-30Z">
        <notes><![CDATA[
            file name: jackson-databind-2.15.2.jar
            This is not a really valid CVE and not really exploitable as Java code needs to be modified: https://github.com/FasterXML/jackson-databind/issues/3972
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
        <cve>CVE-2023-35116</cve>
    </suppress>
    <suppress until="2024-12-13Z">
        <notes><![CDATA[
            file name: rewrite-core-8.6.0-SNAPSHOT.jar (shaded: org.eclipse.jgit:org.eclipse.jgit:5.13.2.202306221912-r)

            Not relevant. And we pin to this version to support Java8.
            ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
        <vulnerabilityName>CVE-2023-4759</vulnerabilityName>
    </suppress>
</suppressions>