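<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
<!-- Good examples here: https://jeremylong.github.io/DependencyCheck/general/suppression.html -->

<!-- To check the comments yourself, simply comment out the block/s you are interested in and use Dependency Check to get the related CVE/s -->

<!-- How the different matchers below behave (see the suppression docs linked above):
     * <sha1> ties an entry to the exact artifact bytes, so it stops applying as soon as the jar is upgraded.
     * <cpe> removes the CPE identification for the artifact, which hides every CVE currently or later associated
       with that product/version, not only the one that motivated the entry. Re-check these on every upgrade.
     * <cve> is the narrowest form: exactly one known issue is hidden, nothing else.
     * <filePath regex="true"> is a Java regex matched against the scanned path. The path separator is written as
       [\\/] so the same entry matches on Windows ("\") and on Linux/macOS ("/"); with a backslash-only pattern the
       entry silently matches nothing on Linux/macOS and the report differs between machines. -->

<!-- OFBiz uses a more recent Tomcat version -->
<suppress>
<notes><![CDATA[
file name: annotations-api-3.0.jar
]]></notes>
<sha1>87925e57a90c75bd60e2fe4c3fdbcef592c00e48</sha1>
<cpe>cpe:/a:apache:tomcat:3.0</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: annotations-api-3.0.jar
]]></notes>
<sha1>87925e57a90c75bd60e2fe4c3fdbcef592c00e48</sha1>
<cpe>cpe:/a:apache:tomcat:7.0.54</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: el-api-3.0.jar
]]></notes>
<sha1>794cf8e8d615c6ac136835867aef2fee125bc74b</sha1>
<cpe>cpe:/a:apache:tomcat:3.0</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: jsp-api-2.3.jar
]]></notes>
<!-- Path-based: applies to every jar under base/lib/j2eespecs, not only jsp-api-2.3.jar. Separator accepts both "\" and "/". -->
<filePath regex="true">.*[\\/]base[\\/]lib[\\/]j2eespecs[\\/].*\.jar</filePath>
<cve>CVE-2013-2185</cve>
<cve>CVE-2009-2696</cve>
<cve>CVE-2007-5461</cve>
<cve>CVE-2002-0493</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: servlet-api-3.1.jar
]]></notes>
<sha1>cc2becc4bf29a7bfd0d7a4055552683d421859c5</sha1>
<cpe>cpe:/a:apache:tomcat:3.1</cpe>
</suppress>

<!-- These CVEs don't concern current Tomcat versions -->
<suppress>
<notes><![CDATA[
This suppresses specific Tomcat CVEs
]]></notes>
<!-- Path-based: the same four CVEs as the j2eespecs entry above, for every jar under catalina/lib. Separator accepts both "\" and "/". -->
<filePath regex="true">.*[\\/]catalina[\\/]lib[\\/].*\.jar</filePath>
<cve>CVE-2013-2185</cve>
<cve>CVE-2009-2696</cve>
<cve>CVE-2007-5461</cve>
<cve>CVE-2002-0493</cve>
</suppress>

<suppress><!-- This concerns Wordpress only -->
<notes><![CDATA[
This suppresses a specific fontbox cve
]]></notes>
<!-- Dots in the version are escaped so the regex matches this exact file name only. -->
<filePath regex="true">.*\bfontbox-1\.8\.11\.jar</filePath>
<cve>CVE-2015-7683</cve>
</suppress>

<suppress><!-- The classes OFBiz uses are not concerned (no UI) -->
<notes><![CDATA[
file name: geronimo-j2ee-connector_1.5_spec-2.0.0.jar
]]></notes>
<sha1>1da837af8f5bf839ab48352f3dbfd6c4ecedc232</sha1>
<cpe>cpe:/a:apache:geronimo:2.0</cpe>
</suppress>

<suppress><!-- OFBiz only uses com.sun.mail.smtp.SMTPAddressFailedException: not concerned -->
<notes><![CDATA[
file name: mail-1.5.1.jar
]]></notes>
<sha1>9724dd44f1abbba99c9858aa05fc91d53f59e7a5</sha1>
<cpe>cpe:/a:sun:javamail:1.5.1</cpe>
</suppress>

<suppress><!-- This concerns the UI/XSS and init script in whole Geronimo, OFBiz only uses this class => not concerned. Moreover IBM no longer supports Geronimo so I don't see the point of upgrading as long as it works -->
<notes><![CDATA[
file name: geronimo-jaxr_1.0_spec-1.0.jar
]]></notes>
<sha1>f6a3b80feb6badbe12c21c8a51ede7fcd6e91e5f</sha1>
<cpe>cpe:/a:apache:geronimo:1.0</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: geronimo-jms_1.1_spec-1.1.1.jar
]]></notes>
<sha1>c872b46c601d8dc03633288b81269f9e42762cea</sha1>
<cpe>cpe:/a:apache:geronimo:1.1.1</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: geronimo-saaj_1.3_spec-1.1.jar
]]></notes>
<sha1>be6e6fc49ca84631f7c47a04d5438e193db54d7c</sha1>
<cpe>cpe:/a:apache:geronimo:1.1</cpe>
</suppress>

<suppress><!-- This concerns the init script in whole Geronimo, OFBiz only uses this class => not concerned. Moreover IBM no longer supports Geronimo so I don't see the point of upgrading as long as it works -->
<notes><![CDATA[
file name: geronimo-transaction-3.1.1.jar
]]></notes>
<sha1>1cfdfcff3cd6a805be401946ab14213b0bad9cb4</sha1>
<cpe>cpe:/a:apache:geronimo:3.1.1</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: geronimo-jaxrpc_1.1_spec-1.0.jar
]]></notes>
<sha1>c581838de2339f61f1965db0ff912ff2ac1c4b30</sha1>
<cpe>cpe:/a:apache:geronimo:1.0</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: geronimo-jta_1.1_spec-1.1.1.jar
]]></notes>
<sha1>aabab3165b8ea936b9360abbf448459c0d04a5a4</sha1>
<cpe>cpe:/a:apache:geronimo:1.1.1</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: geronimo-activation_1.0.2_spec-1.0.jar
]]></notes>
<sha1>6dc4b0c7d3358ae4752cf9cc0f97f98358ea7656</sha1>
<cpe>cpe:/a:apache:geronimo:1.0</cpe>
</suppress>

<!-- About Axis 1.6.3 (start with axis2-kernel-1.6.3.jar): 1.6.3 is the higher version anyway, so we can't do more here -->

<suppress><!-- This has been handled with r1557462 for OFBIZ-5409. Anyway nowadays modern browsers protect from that -->
<notes><![CDATA[
file name: package.json
]]></notes>
<!-- CPE-wide entry bound to this package.json by sha1: any later jQuery CVE is also hidden until the file changes. -->
<sha1>cfe99f497ed35573d7dfc291068d742399a0eee0</sha1>
<cpe>cpe:/a:jquery:jquery:1.10.0</cpe>
</suppress>

<!-- all cpe:/a:apache:axis:1.4 can be neglected because they are related to Birt which with latest version (4.5.0) still uses Axis 1.4. So are neglected all cpe:/a:eclipse:birt: -->

<suppress><!-- Not an issue for OFBiz. See http://seclists.org/oss-sec/2014/q2/508: "This flaw only affects Apache Zookeeper used in conjunction with [redhat] Fuse Fabric". -->
<notes><![CDATA[
file name: zookeeper-3.4.6.jar
]]></notes>
<sha1>01b2502e29da1ebaade2357cd1de35a855fa3755</sha1>
<cpe>cpe:/a:apache:zookeeper:3.4.6</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: zookeeper-3.4.6.jar
]]></notes>
<sha1>01b2502e29da1ebaade2357cd1de35a855fa3755</sha1>
<cve>CVE-2014-0085</cve>
</suppress>

</suppressions>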