| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| |
| --> |
| <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> |
| <!-- add supressions for known vulnerabilities detected by OWASP Dependency Check --> |
| |
| <!-- jetcd matched against ETCD server CVEs--> |
| <suppress> |
| <notes><![CDATA[ |
| file name: jetcd-core-0.5.11.jar |
| ]]></notes> |
| <sha1>c85851ca3ea8128d480d3f75c568a37e64e8a77b</sha1> |
| <cve>CVE-2020-15106</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: jetcd-core-0.5.11.jar |
| ]]></notes> |
| <sha1>c85851ca3ea8128d480d3f75c568a37e64e8a77b</sha1> |
| <cve>CVE-2020-15112</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: jetcd-core-0.5.11.jar |
| ]]></notes> |
| <sha1>c85851ca3ea8128d480d3f75c568a37e64e8a77b</sha1> |
| <cve>CVE-2020-15113</cve> |
| </suppress> |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: jetcd-common-0.5.11.jar |
| ]]></notes> |
| <sha1>6dac6efe035a2be9ba299fbf31be5f903401869f</sha1> |
| <cve>CVE-2020-15106</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: jetcd-common-0.5.11.jar |
| ]]></notes> |
| <sha1>6dac6efe035a2be9ba299fbf31be5f903401869f</sha1> |
| <cve>CVE-2020-15112</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: jetcd-common-0.5.11.jar |
| ]]></notes> |
| <sha1>6dac6efe035a2be9ba299fbf31be5f903401869f</sha1> |
| <cve>CVE-2020-15113</cve> |
| </suppress> |
| <!-- matches BK's http server against apache's http server CVEs --> |
| <suppress> |
| <notes><![CDATA[ |
| file name: org.apache.bookkeeper.http:http-server:4.15.0-SNAPSHOT |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.bookkeeper\.http/http\-server@.*$</packageUrl> |
| <cpe>cpe:/a:apache:http_server</cpe> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: org.apache.bookkeeper.http:vertx-http-server:4.15.0-SNAPSHOT |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.bookkeeper\.http/vertx\-http\-server@.*$</packageUrl> |
| <cve>CVE-2009-1890</cve> |
| </suppress> |
| <suppress> |
| <notes>CVE-2021-43045 affects only .NET distro, see https://github.com/apache/avro/pull/1357</notes> |
| <gav regex="true">org\.apache\.avro:.*</gav> |
| <cve>CVE-2021-43045</cve> |
| </suppress> |
| <suppress base="true"> |
| <notes><![CDATA[ |
| False positive |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative\-classes@.*$</packageUrl> |
| <cpe>cpe:/a:netty:netty</cpe> |
| </suppress> |
| <!-- matches against docker CVEs --> |
| <suppress> |
| <notes><![CDATA[ |
| file name: arquillian-cube-docker-1.18.2.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.arquillian\.cube/arquillian\-cube\-docker@.*$</packageUrl> |
| <cpe>cpe:/a:docker:docker</cpe> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: arquillian-cube-docker-1.18.2.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.arquillian\.cube/arquillian\-cube\-docker@.*$</packageUrl> |
| <cpe>cpe:/a:redhat:docker</cpe> |
| </suppress> |
| <suppress> |
| <!-- Zookkeeper false positive about Jetty and commons-io--> |
| <!-- https://github.com/apache/zookeeper/pull/1824--> |
| <notes><![CDATA[ |
| file name: zookeeper-3.8.0.jar |
| ]]></notes> |
| <sha1>e395c1d8a71557b7569cc6a83487b2e30e2e58fe</sha1> |
| <cve>CVE-2021-28164</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: zookeeper-3.8.0.jar |
| ]]></notes> |
| <sha1>e395c1d8a71557b7569cc6a83487b2e30e2e58fe</sha1> |
| <cve>CVE-2021-28165</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: zookeeper-3.8.0.jar |
| ]]></notes> |
| <sha1>e395c1d8a71557b7569cc6a83487b2e30e2e58fe</sha1> |
| <cve>CVE-2021-29425</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: zookeeper-3.8.0.jar |
| ]]></notes> |
| <sha1>e395c1d8a71557b7569cc6a83487b2e30e2e58fe</sha1> |
| <cve>CVE-2021-34429</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: zookeeper-prometheus-metrics-3.8.0.jar |
| ]]></notes> |
| <sha1>849e8ece2845cb0185d721233906d487a7f1e4cf</sha1> |
| <cve>CVE-2021-28164</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: zookeeper-prometheus-metrics-3.8.0.jar |
| ]]></notes> |
| <sha1>849e8ece2845cb0185d721233906d487a7f1e4cf</sha1> |
| <cve>CVE-2021-29425</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: zookeeper-prometheus-metrics-3.8.0.jar |
| ]]></notes> |
| <sha1>849e8ece2845cb0185d721233906d487a7f1e4cf</sha1> |
| <cve>CVE-2021-34429</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: zookeeper-jute-3.8.0.jar |
| ]]></notes> |
| <sha1>6560f966bcf1aa78d27bcfa75fb6c4463a72c6c5</sha1> |
| <cve>CVE-2021-28164</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: zookeeper-jute-3.8.0.jar |
| ]]></notes> |
| <sha1>6560f966bcf1aa78d27bcfa75fb6c4463a72c6c5</sha1> |
| <cve>CVE-2021-28165</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: zookeeper-jute-3.8.0.jar |
| ]]></notes> |
| <sha1>6560f966bcf1aa78d27bcfa75fb6c4463a72c6c5</sha1> |
| <cve>CVE-2021-29425</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: zookeeper-jute-3.8.0.jar |
| ]]></notes> |
| <sha1>6560f966bcf1aa78d27bcfa75fb6c4463a72c6c5</sha1> |
| <cve>CVE-2021-34429</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: zookeeper-3.8.0-tests.jar |
| ]]></notes> |
| <sha1>9b78a289a3aa34eb47fac8c432f664fc140387df</sha1> |
| <cve>CVE-2021-28165</cve> |
| </suppress> |
| <!-- https://github.com/jeremylong/DependencyCheck/issues/4487 --> |
| <suppress> |
| <notes><![CDATA[ |
| file name: google-http-client-gson-1.41.0.jar |
| ]]></notes> |
| <sha1>1a754a5dd672218a2ac667d7ff2b28df7a5a240e</sha1> |
| <cve>CVE-2022-25647</cve> |
| </suppress> |
| <!-- only use maven-settings for integration-test --> |
| <suppress> |
| <notes><![CDATA[ |
| file name: maven-settings-3.3.9.jar |
| ]]></notes> |
| <sha1>68d4180c51468ae8f45869f8f9c569092262fcca</sha1> |
| <cve>CVE-2021-26291</cve> |
| </suppress> |
| </suppressions> |
| |