.build/dependency-check-suppressions.xml - cassandra - Git at Google

 <!--
   ~ Licensed to the Apache Software Foundation (ASF) under one
   ~ or more contributor license agreements.  See the NOTICE file
   ~ distributed with this work for additional information
   ~ regarding copyright ownership.  The ASF licenses this file
   ~ to you under the Apache License, Version 2.0 (the
   ~ "License"); you may not use this file except in compliance
   ~ with the License.  You may obtain a copy of the License at
   ~
   ~     http://www.apache.org/licenses/LICENSE-2.0
   ~
   ~ Unless required by applicable law or agreed to in writing, software
   ~ distributed under the License is distributed on an "AS IS" BASIS,
   ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   ~ See the License for the specific language governing permissions and
   ~ limitations under the License.
   -->
 <!--
   copy suppressions / false positives here if there are any, how to do it is explained in
   https://jeremylong.github.io/DependencyCheck/general/suppression.html
 -->
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <suppress>
         <!--  https://issues.apache.org/jira/browse/CASSANDRA-16150 -->
         <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
         <cve>CVE-2017-18640</cve>
     </suppress>

     <!-- https://issues.apache.org/jira/browse/CASSANDRA-15417 -->
     <suppress>
         <packageUrl regex="true">^pkg:maven/io\.netty/netty\-all@.*$</packageUrl>
         <cve>CVE-2019-16869</cve>
         <cve>CVE-2019-20444</cve>
         <cve>CVE-2019-20445</cve>
         <cve>CVE-2020-7238</cve>
         <cve>CVE-2021-21290</cve>
         <cve>CVE-2021-21295</cve>
         <cve>CVE-2021-21409</cve>
         <cve>CVE-2021-37136</cve>
         <cve>CVE-2021-37137</cve>
         <cve>CVE-2021-43797</cve>
         <cve>CVE-2022-24823</cve>
     </suppress>

     <!-- https://issues.apache.org/jira/browse/CASSANDRA-14183 -->
     <suppress>
         <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
         <cve>CVE-2017-5929</cve>
     </suppress>
     <suppress>
         <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-classic@.*$</packageUrl>
         <cve>CVE-2017-5929</cve>
     </suppress>

     <!-- this was fixed in 3.0.22 -->
     <suppress>
         <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-core@.*$</packageUrl>
         <cve>CVE-2020-13946</cve>
         <cve>CVE-2020-17516</cve>
         <cve>CVE-2021-44521</cve>
     </suppress>

     <!-- https://issues.apache.org/jira/browse/CASSANDRA-14760 -->
     <suppress>
         <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
         <cve>CVE-2018-10237</cve>
         <cve>CVE-2020-8908</cve>
     </suppress>

     <!-- https://issues.apache.org/jira/browse/CASSANDRA-16606 -->
     <suppress>
         <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
         <cve>CVE-2015-3254</cve>
         <cve>CVE-2016-5397</cve>
         <cve>CVE-2018-1320</cve>
         <cve>CVE-2018-11798</cve>
         <cve>CVE-2019-0205</cve>
     </suppress>
 </suppressions>
	<!--
	~ Licensed to the Apache Software Foundation (ASF) under one
	~ or more contributor license agreements. See the NOTICE file
	~ distributed with this work for additional information
	~ regarding copyright ownership. The ASF licenses this file
	~ to you under the Apache License, Version 2.0 (the
	~ "License"); you may not use this file except in compliance
	~ with the License. You may obtain a copy of the License at
	~
	~ http://www.apache.org/licenses/LICENSE-2.0
	~
	~ Unless required by applicable law or agreed to in writing, software
	~ distributed under the License is distributed on an "AS IS" BASIS,
	~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	~ See the License for the specific language governing permissions and
	~ limitations under the License.
	-->
	<!--
	copy suppressions / false positives here if there are any, how to do it is explained in
	https://jeremylong.github.io/DependencyCheck/general/suppression.html
	-->
	<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
	<suppress>
	<!-- https://issues.apache.org/jira/browse/CASSANDRA-16150 -->
	<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
	<cve>CVE-2017-18640</cve>
	</suppress>

	<!-- https://issues.apache.org/jira/browse/CASSANDRA-15417 -->
	<suppress>
	<packageUrl regex="true">^pkg:maven/io\.netty/netty\-all@.*$</packageUrl>
	<cve>CVE-2019-16869</cve>
	<cve>CVE-2019-20444</cve>
	<cve>CVE-2019-20445</cve>
	<cve>CVE-2020-7238</cve>
	<cve>CVE-2021-21290</cve>
	<cve>CVE-2021-21295</cve>
	<cve>CVE-2021-21409</cve>
	<cve>CVE-2021-37136</cve>
	<cve>CVE-2021-37137</cve>
	<cve>CVE-2021-43797</cve>
	<cve>CVE-2022-24823</cve>
	</suppress>

	<!-- https://issues.apache.org/jira/browse/CASSANDRA-14183 -->
	<suppress>
	<packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
	<cve>CVE-2017-5929</cve>
	</suppress>
	<suppress>
	<packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-classic@.*$</packageUrl>
	<cve>CVE-2017-5929</cve>
	</suppress>

	<!-- this was fixed in 3.0.22 -->
	<suppress>
	<packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-core@.*$</packageUrl>
	<cve>CVE-2020-13946</cve>
	<cve>CVE-2020-17516</cve>
	<cve>CVE-2021-44521</cve>
	</suppress>

	<!-- https://issues.apache.org/jira/browse/CASSANDRA-14760 -->
	<suppress>
	<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
	<cve>CVE-2018-10237</cve>
	<cve>CVE-2020-8908</cve>
	</suppress>

	<!-- https://issues.apache.org/jira/browse/CASSANDRA-16606 -->
	<suppress>
	<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
	<cve>CVE-2015-3254</cve>
	<cve>CVE-2016-5397</cve>
	<cve>CVE-2018-1320</cve>
	<cve>CVE-2018-11798</cve>
	<cve>CVE-2019-0205</cve>
	</suppress>
	</suppressions>