Suppress CVEs for Solr and org.codehaus.jackson (#11030)
* Suppress CVEs for Solr and org.codehaus.jackson
* add a comment
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index d34017c..c1dbd32 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -305,4 +305,24 @@
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.13.0$</packageUrl>
<cve>CVE-2020-13949</cve>
</suppress>
+ <suppress>
+ <!-- (ranger, ambari, and aliyun-oss) these vulnerabilities are legit, but their latest releases still use the vulnerable jackson version -->
+ <notes><![CDATA[
+ file name: jackson-xc-1.9.x.jar or jackson-jaxrs-1.9.x.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl>
+ <cve>CVE-2018-14718</cve>
+ <cve>CVE-2018-7489</cve>
+ </suppress>
+
+ <suppress>
+ <notes><![CDATA[
+ file name: solr-solrj-7.7.1.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr-solrj@7.7.1$</packageUrl>
+ <cve>CVE-2020-13957</cve>
+ <cve>CVE-2019-17558</cve>
+ <cve>CVE-2019-0193</cve>
+ <cve>CVE-2020-13941</cve>
+ </suppress>
</suppressions>
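Review bot: The second new `<suppress>` block (solr-solrj 7.7.1) records no justification for ignoring four CVEs — its `<notes>` holds only the file name — and the first block (jackson-xc/jaxrs) keeps its rationale in an XML comment, which dependency-check drops from its report while `<notes>` is what it carries through. Presumably the Solr findings are server-side issues that do not reach the solrj client, but that should be written where the tool and later readers will see it, e.g. `file name: solr-solrj-7.7.1.jar — reason: <WHY-NOT-APPLICABLE placeholder>`, with the Jackson comment moved into its `<notes>` the same way. Neither block has an expiry, so these CVEs are silenced permanently; dependency-check supports `<suppress until="YYYY-MM-DD">`, so `<suppress until="<REVIEW-DATE placeholder>">` would force re-evaluation when the upstream releases catch up. Minor: the dots in `@1.9.*$` are unescaped while the rest of the pattern escapes them, so it also matches versions like `1.91`; `@1\.9\..*$` matches what the notes describe.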