| <?xml version="1.0" encoding="UTF-8"?> |
| <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd" |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
| xsi:schemaLocation="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> |
| <suppress> |
| <notes><![CDATA[ file name: jdom2-2.0.6.jar ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.jdom/jdom2@.*$</packageUrl> |
| <cve>CVE-2021-33813</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ subject of CVE is myfaces-core version, but not Tobago version ]]></notes> |
| <gav regex="true">^org\.apache\.myfaces\.tobago:.*:.*$</gav> |
| <cve>CVE-2011-4367</cve> |
| </suppress> |
| <suppress> |
| <!-- todo: it seems the CVE Database is no up-to-date: 1.3.3 contains the fix for that CVE (2017-06-15) --> |
| <notes><![CDATA[ file name: commons-fileupload-1.3.3.jar ]]></notes> |
| <gav regex="true">^commons-fileupload:commons-fileupload:1.3.3$</gav> |
| <cve>CVE-2016-1000031</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ file name: javax.el-api-3.0.1-b04.jar ]]></notes> |
| <gav regex="true">^javax\.el:javax\.el-api:.*$</gav> |
| <cve>CVE-2015-2808</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ file name: javax.el-api-3.0.1-b04.jar ]]></notes> |
| <gav regex="true">^javax\.el:javax\.el-api:.*$</gav> |
| <cve>CVE-2013-2566</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ subject of CVE is Trinidad version, but not Tobago version ]]></notes> |
| <gav regex="true">^org\.apache\.myfaces\.tobago:.*:.*$</gav> |
| <cve>CVE-2016-5019</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ subject of CVE is MyFaces Core, but not Tobago ]]></notes> |
| <gav regex="true">^org\.apache\.myfaces\.tobago:.*:.*$</gav> |
| <cve>CVE-2011-4343</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ subject of CVE is a feature not used by Tobago, also log4j its only used in examples ]]></notes> |
| <gav regex="true">^org\.zenframework\.z8\.dependencies\.commons:log4j-1\.2\.17:.*$</gav> |
| <cve>CVE-2017-5645</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ seems not to be relevant for Tobago, because it's only used to build themes ]]></notes> |
| <gav regex="true">^org\.codehaus\.plexus:plexus-archiver:.*$</gav> |
| <cve>CVE-2018-1002207</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ file name: geronimo-validation_1.1_spec-1.0.jar ]]></notes> |
| <gav regex="true">^org\.apache\.geronimo\.specs:geronimo-validation_1\.1_spec:.*$</gav> |
| <cve>CVE-2013-4499</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ addressbook demo ]]></notes> |
| <gav regex="true">^org\.apache\.derby:derby:.*$</gav> |
| <cve>CVE-2018-1313</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ file name: batik-xml-1.9.jar batik-i18n-1.9.ja ]]></notes> |
| <gav regex="true">^org\.apache\.xmlgraphics:batik-.*:.*$</gav> |
| <cve>CVE-2018-8013</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ file name: log4j-over-slf4j-1.7.30.jar ]]></notes> |
| <gav regex="true">^org\.slf4j/log4j\-over\-slf4j.*$</gav> |
| <cve>CVE-2020-9488</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ file name: snappy-0.4.jar ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.iq80\.snappy/snappy@.*$</packageUrl> |
| <cve>CVE-2018-6353</cve> |
| </suppress> |
| </suppressions> |