other/checkstyle-rules/src/main/resources/tobago/dependency-check-suppression-for-tobago-2.x.xml

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[ file name: jdom2-2.0.6.jar ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.jdom/jdom2@.*$</packageUrl>
    <cve>CVE-2021-33813</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ subject of CVE is myfaces-core version, but not Tobago version ]]></notes>
    <gav regex="true">^org\.apache\.myfaces\.tobago:.*:.*$</gav>
    <cve>CVE-2011-4367</cve>
  </suppress>
  <suppress>
    <!-- todo: it seems the CVE Database is no up-to-date: 1.3.3 contains the fix for that CVE (2017-06-15) -->
    <notes><![CDATA[ file name: commons-fileupload-1.3.3.jar ]]></notes>
    <gav regex="true">^commons-fileupload:commons-fileupload:1.3.3$</gav>
    <cve>CVE-2016-1000031</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ file name: javax.el-api-3.0.1-b04.jar ]]></notes>
    <gav regex="true">^javax\.el:javax\.el-api:.*$</gav>
    <cve>CVE-2015-2808</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ file name: javax.el-api-3.0.1-b04.jar ]]></notes>
    <gav regex="true">^javax\.el:javax\.el-api:.*$</gav>
    <cve>CVE-2013-2566</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ subject of CVE is Trinidad version, but not Tobago version  ]]></notes>
    <gav regex="true">^org\.apache\.myfaces\.tobago:.*:.*$</gav>
    <cve>CVE-2016-5019</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ subject of CVE is MyFaces Core, but not Tobago ]]></notes>
    <gav regex="true">^org\.apache\.myfaces\.tobago:.*:.*$</gav>
    <cve>CVE-2011-4343</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ subject of CVE is a feature not used by Tobago, also log4j its only used in examples ]]></notes>
    <gav regex="true">^org\.zenframework\.z8\.dependencies\.commons:log4j-1\.2\.17:.*$</gav>
    <cve>CVE-2017-5645</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ seems not to be relevant for Tobago, because it's only used to build themes ]]></notes>
    <gav regex="true">^org\.codehaus\.plexus:plexus-archiver:.*$</gav>
    <cve>CVE-2018-1002207</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ file name: geronimo-validation_1.1_spec-1.0.jar ]]></notes>
    <gav regex="true">^org\.apache\.geronimo\.specs:geronimo-validation_1\.1_spec:.*$</gav>
    <cve>CVE-2013-4499</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ addressbook demo ]]></notes>
    <gav regex="true">^org\.apache\.derby:derby:.*$</gav>
    <cve>CVE-2018-1313</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ file name: batik-xml-1.9.jar batik-i18n-1.9.ja ]]></notes>
    <gav regex="true">^org\.apache\.xmlgraphics:batik-.*:.*$</gav>
    <cve>CVE-2018-8013</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ file name: log4j-over-slf4j-1.7.30.jar ]]></notes>
    <gav regex="true">^org\.slf4j/log4j\-over\-slf4j.*$</gav>
    <cve>CVE-2020-9488</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ file name: snappy-0.4.jar ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.iq80\.snappy/snappy@.*$</packageUrl>
    <cve>CVE-2018-6353</cve>
  </suppress>
</suppressions>