.build/dependency-check-suppressions.xml - cassandra - Git at Google

 <!--
   ~ Licensed to the Apache Software Foundation (ASF) under one
   ~ or more contributor license agreements.  See the NOTICE file
   ~ distributed with this work for additional information
   ~ regarding copyright ownership.  The ASF licenses this file
   ~ to you under the Apache License, Version 2.0 (the
   ~ "License"); you may not use this file except in compliance
   ~ with the License.  You may obtain a copy of the License at
   ~
   ~     http://www.apache.org/licenses/LICENSE-2.0
   ~
   ~ Unless required by applicable law or agreed to in writing, software
   ~ distributed under the License is distributed on an "AS IS" BASIS,
   ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   ~ See the License for the specific language governing permissions and
   ~ limitations under the License.
   -->
 <!--
   copy suppressions / false positives here if there are any, how to do it is explained in
   https://jeremylong.github.io/DependencyCheck/general/suppression.html
 -->
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <suppress>
         <!-- not applicable since 4.0 -->
         <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-core@.*$</packageUrl>
         <cve>CVE-2018-8016</cve>
         <cve>CVE-2019-2684</cve>
         <cve>CVE-2020-13946</cve>
         <cve>CVE-2020-17516</cve>
         <cve>CVE-2021-44521</cve>
     </suppress>
     <suppress>
         <!--  https://issues.apache.org/jira/browse/CASSANDRA-17907 -->
         <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
         <cve>CVE-2023-2251</cve>
         <cve>CVE-2022-25857</cve>
         <cve>CVE-2022-38749</cve>
         <cve>CVE-2022-38750</cve>
         <cve>CVE-2022-38751</cve>
         <cve>CVE-2022-38752</cve>
         <cve>CVE-2022-41854</cve>
         <cve>CVE-2022-1471</cve>
         <cve>CVE-2022-3064</cve>
         <cve>CVE-2021-4235</cve>
         <cve>CVE-2017-18640</cve>
     </suppress>
     <suppress>
         <!-- dependency checker identified this as a completely different package (wire) -->
         <packageUrl regex="true">^pkg:maven/net\.openhft/chronicle\-wire@.*$</packageUrl>
         <cpe>cpe:/a:wire:wire</cpe>
     </suppress>
     <suppress>
         <!-- not applicable https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -->
         <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
         <cve>CVE-2020-8908</cve>
     </suppress>
     <!-- https://issues.apache.org/jira/browse/CASSANDRA-18146 -->
     <suppress>
         <packageUrl regex="true">^pkg:maven/org\.apache\.commons.*$</packageUrl>
         <cve>CVE-2021-37533</cve>
     </suppress>
     <suppress>
         <packageUrl regex="true">^pkg:maven/commons-io/.*$</packageUrl>
         <cve>CVE-2021-37533</cve>
     </suppress>
     <suppress>
         <packageUrl regex="true">^pkg:maven/commons-cli/.*$</packageUrl>
         <cve>CVE-2021-37533</cve>
     </suppress>
     <suppress>
         <packageUrl regex="true">^pkg:maven/commons-codec/.*$</packageUrl>
         <cve>CVE-2021-37533</cve>
     </suppress>
     <!-- netty's http stuff is not applicable here -->
     <suppress>
         <packageUrl regex="true">^pkg:maven/io\.netty/netty\-all@.*$</packageUrl>
         <cve>CVE-2021-21290</cve>
         <cve>CVE-2021-21295</cve>
         <cve>CVE-2021-21409</cve>
         <cve>CVE-2021-37136</cve>
         <cve>CVE-2021-37137</cve>
         <cve>CVE-2021-43797</cve>
         <cve>CVE-2022-24823</cve>
         <cve>CVE-2022-41881</cve>
         <cve>CVE-2022-41915</cve>
     </suppress>
     <!-- https://issues.apache.org/jira/browse/CASSANDRA-17966 -->
     <suppress>
         <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
         <cve>CVE-2022-42003</cve>
         <cve>CVE-2022-42004</cve>
     </suppress>
     <!-- https://issues.apache.org/jira/browse/CASSANDRA-18389 -->
     <suppress>
         <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core.*$</packageUrl>
         <cve>CVE-2022-45688</cve>
     </suppress>

 </suppressions>
	<!--
	~ Licensed to the Apache Software Foundation (ASF) under one
	~ or more contributor license agreements. See the NOTICE file
	~ distributed with this work for additional information
	~ regarding copyright ownership. The ASF licenses this file
	~ to you under the Apache License, Version 2.0 (the
	~ "License"); you may not use this file except in compliance
	~ with the License. You may obtain a copy of the License at
	~
	~ http://www.apache.org/licenses/LICENSE-2.0
	~
	~ Unless required by applicable law or agreed to in writing, software
	~ distributed under the License is distributed on an "AS IS" BASIS,
	~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	~ See the License for the specific language governing permissions and
	~ limitations under the License.
	-->
	<!--
	copy suppressions / false positives here if there are any, how to do it is explained in
	https://jeremylong.github.io/DependencyCheck/general/suppression.html
	-->
	<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
	<suppress>
	<!-- not applicable since 4.0 -->
	<packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-core@.*$</packageUrl>
	<cve>CVE-2018-8016</cve>
	<cve>CVE-2019-2684</cve>
	<cve>CVE-2020-13946</cve>
	<cve>CVE-2020-17516</cve>
	<cve>CVE-2021-44521</cve>
	</suppress>
	<suppress>
	<!-- https://issues.apache.org/jira/browse/CASSANDRA-17907 -->
	<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
	<cve>CVE-2023-2251</cve>
	<cve>CVE-2022-25857</cve>
	<cve>CVE-2022-38749</cve>
	<cve>CVE-2022-38750</cve>
	<cve>CVE-2022-38751</cve>
	<cve>CVE-2022-38752</cve>
	<cve>CVE-2022-41854</cve>
	<cve>CVE-2022-1471</cve>
	<cve>CVE-2022-3064</cve>
	<cve>CVE-2021-4235</cve>
	<cve>CVE-2017-18640</cve>
	</suppress>
	<suppress>
	<!-- dependency checker identified this as a completely different package (wire) -->
	<packageUrl regex="true">^pkg:maven/net\.openhft/chronicle\-wire@.*$</packageUrl>
	<cpe>cpe:/a:wire:wire</cpe>
	</suppress>
	<suppress>
	<!-- not applicable https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -->
	<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
	<cve>CVE-2020-8908</cve>
	</suppress>
	<!-- https://issues.apache.org/jira/browse/CASSANDRA-18146 -->
	<suppress>
	<packageUrl regex="true">^pkg:maven/org\.apache\.commons.*$</packageUrl>
	<cve>CVE-2021-37533</cve>
	</suppress>
	<suppress>
	<packageUrl regex="true">^pkg:maven/commons-io/.*$</packageUrl>
	<cve>CVE-2021-37533</cve>
	</suppress>
	<suppress>
	<packageUrl regex="true">^pkg:maven/commons-cli/.*$</packageUrl>
	<cve>CVE-2021-37533</cve>
	</suppress>
	<suppress>
	<packageUrl regex="true">^pkg:maven/commons-codec/.*$</packageUrl>
	<cve>CVE-2021-37533</cve>
	</suppress>
	<!-- netty's http stuff is not applicable here -->
	<suppress>
	<packageUrl regex="true">^pkg:maven/io\.netty/netty\-all@.*$</packageUrl>
	<cve>CVE-2021-21290</cve>
	<cve>CVE-2021-21295</cve>
	<cve>CVE-2021-21409</cve>
	<cve>CVE-2021-37136</cve>
	<cve>CVE-2021-37137</cve>
	<cve>CVE-2021-43797</cve>
	<cve>CVE-2022-24823</cve>
	<cve>CVE-2022-41881</cve>
	<cve>CVE-2022-41915</cve>
	</suppress>
	<!-- https://issues.apache.org/jira/browse/CASSANDRA-17966 -->
	<suppress>
	<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
	<cve>CVE-2022-42003</cve>
	<cve>CVE-2022-42004</cve>
	</suppress>
	<!-- https://issues.apache.org/jira/browse/CASSANDRA-18389 -->
	<suppress>
	<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core.*$</packageUrl>
	<cve>CVE-2022-45688</cve>
	</suppress>

	</suppressions>