<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
<!-- OWASP Dependency-Check suppression file. Each <suppress> element silences findings for one artifact,
     identified either by the exact <sha1> of the jar or by a <filePath> regex, and narrowed either to a
     <cpe> (the mis-identified product) or to individual <cve> entries. -->
<!-- Good examples here: https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
<!-- To re-check a suppression yourself, comment out the <suppress> block(s) you are interested in and run Dependency Check again to see the related CVE(s) it reports -->
<!-- Matching caveats: a <sha1> entry is pinned to one exact jar, so it silently stops applying (and the
     findings reappear) as soon as that jar is upgraded, at which point the rationale must be re-evaluated;
     a <filePath> regex entry applies to every file matching the path, whatever its version or hash, so it
     should be kept as narrow as possible. -->
<!-- OFBiz uses a more recent Tomcat version -->
<suppress>
<notes><![CDATA[
file name: annotations-api-3.0.jar
]]></notes>
<sha1>87925e57a90c75bd60e2fe4c3fdbcef592c00e48</sha1>
<cpe>cpe:/a:apache:tomcat:3.0</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: annotations-api-3.0.jar
]]></notes>
<sha1>87925e57a90c75bd60e2fe4c3fdbcef592c00e48</sha1>
<cpe>cpe:/a:apache:tomcat:7.0.54</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: el-api-3.0.jar
]]></notes>
<sha1>794cf8e8d615c6ac136835867aef2fee125bc74b</sha1>
<cpe>cpe:/a:apache:tomcat:3.0</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: jsp-api-2.3.jar
]]></notes>
<!-- NOTE(review): the escaped backslashes in this regex only match Windows-style path separators, so the
     suppression does not apply when the scan sees forward-slash paths; it also matches every jar under that
     directory, not only jsp-api-2.3.jar. Confirm both are intended. -->
<filePath regex="true">.*\\base\\lib\\j2eespecs\\.*\.jar</filePath>
<cve>CVE-2013-2185</cve>
<cve>CVE-2009-2696</cve>
<cve>CVE-2007-5461</cve>
<cve>CVE-2002-0493</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: servlet-api-3.1.jar
]]></notes>
<sha1>cc2becc4bf29a7bfd0d7a4055552683d421859c5</sha1>
<cpe>cpe:/a:apache:tomcat:3.1</cpe>
</suppress>
<!-- These CVEs don't concern current Tomcat versions -->
<suppress>
<notes><![CDATA[
This suppresses specific Tomcat CVEs
]]></notes>
<!-- NOTE(review): same Windows-separator caveat as the j2eespecs entry above. Because the match is by path
     rather than by hash, these four CVEs are suppressed for any jar under catalina\lib regardless of which
     Tomcat version is actually present. -->
<filePath regex="true">.*\\catalina\\lib\\.*\.jar</filePath>
<cve>CVE-2013-2185</cve>
<cve>CVE-2009-2696</cve>
<cve>CVE-2007-5461</cve>
<cve>CVE-2002-0493</cve>
</suppress>
<suppress><!-- This concerns WordPress only -->
<notes><![CDATA[
This suppresses a specific fontbox cve
]]></notes>
<!-- Pinned to the exact file name (fontbox-1.8.11.jar), so this entry stops matching once fontbox is upgraded -->
<filePath regex="true">.*\bfontbox-1.8.11\.jar</filePath>
<cve>CVE-2015-7683</cve>
</suppress>
<suppress><!-- The classes OFBiz uses are not affected (no UI) -->
<notes><![CDATA[
file name: geronimo-j2ee-connector_1.5_spec-2.0.0.jar
]]></notes>
<sha1>1da837af8f5bf839ab48352f3dbfd6c4ecedc232</sha1>
<cpe>cpe:/a:apache:geronimo:2.0</cpe>
</suppress>
<suppress><!-- OFBiz only uses com.sun.mail.smtp.SMTPAddressFailedException: not affected -->
<notes><![CDATA[
file name: mail-1.5.1.jar
]]></notes>
<sha1>9724dd44f1abbba99c9858aa05fc91d53f59e7a5</sha1>
<cpe>cpe:/a:sun:javamail:1.5.1</cpe>
</suppress>
<suppress><!-- This concerns the UI/XSS and the init script of the whole Geronimo server; OFBiz only uses this one class, so it is not affected. Moreover IBM no longer supports Geronimo, so there is no point in upgrading as long as it works -->
<notes><![CDATA[
file name: geronimo-jaxr_1.0_spec-1.0.jar
]]></notes>
<sha1>f6a3b80feb6badbe12c21c8a51ede7fcd6e91e5f</sha1>
<cpe>cpe:/a:apache:geronimo:1.0</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: geronimo-jms_1.1_spec-1.1.1.jar
]]></notes>
<sha1>c872b46c601d8dc03633288b81269f9e42762cea</sha1>
<cpe>cpe:/a:apache:geronimo:1.1.1</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: geronimo-saaj_1.3_spec-1.1.jar
]]></notes>
<sha1>be6e6fc49ca84631f7c47a04d5438e193db54d7c</sha1>
<cpe>cpe:/a:apache:geronimo:1.1</cpe>
</suppress>
<suppress><!-- This concerns the init script of the whole Geronimo server; OFBiz only uses this one class, so it is not affected. Moreover IBM no longer supports Geronimo, so there is no point in upgrading as long as it works -->
<notes><![CDATA[
file name: geronimo-transaction-3.1.1.jar
]]></notes>
<sha1>1cfdfcff3cd6a805be401946ab14213b0bad9cb4</sha1>
<cpe>cpe:/a:apache:geronimo:3.1.1</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: geronimo-jaxrpc_1.1_spec-1.0.jar
]]></notes>
<sha1>c581838de2339f61f1965db0ff912ff2ac1c4b30</sha1>
<cpe>cpe:/a:apache:geronimo:1.0</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: geronimo-jta_1.1_spec-1.1.1.jar
]]></notes>
<sha1>aabab3165b8ea936b9360abbf448459c0d04a5a4</sha1>
<cpe>cpe:/a:apache:geronimo:1.1.1</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: geronimo-activation_1.0.2_spec-1.0.jar
]]></notes>
<sha1>6dc4b0c7d3358ae4752cf9cc0f97f98358ea7656</sha1>
<cpe>cpe:/a:apache:geronimo:1.0</cpe>
</suppress>
<!-- About Axis 1.6.3 (starting with axis2-kernel-1.6.3.jar): 1.6.3 is the highest version available anyway, so we can't do more here -->
<suppress><!-- This has been handled with r1557462 for OFBIZ-5409. Anyway, nowadays modern browsers protect from that. NOTE(review): the second half of this rationale relies on client-side browser defenses rather than on a fix in the dependency itself; re-confirm it when this entry is next reviewed -->
<notes><![CDATA[
file name: package.json
]]></notes>
<sha1>cfe99f497ed35573d7dfc291068d742399a0eee0</sha1>
<cpe>cpe:/a:jquery:jquery:1.10.0</cpe>
</suppress>
<!-- All cpe:/a:apache:axis:1.4 findings can be neglected because they relate to BIRT, whose latest version (4.5.0) still uses Axis 1.4. All cpe:/a:eclipse:birt: findings are neglected for the same reason.
     (No <suppress> element for these CPEs appears in this file; presumably they are handled elsewhere. Verify.) -->
<suppress><!-- Not an issue for OFBiz. See http://seclists.org/oss-sec/2014/q2/508: "This flaw only affects Apache Zookeeper used in conjunction with [redhat] Fuse Fabric". -->
<notes><![CDATA[
file name: zookeeper-3.4.6.jar
]]></notes>
<sha1>01b2502e29da1ebaade2357cd1de35a855fa3755</sha1>
<cpe>cpe:/a:apache:zookeeper:3.4.6</cpe>
</suppress>
<!-- Same jar (same sha1) as the entry above, but suppressing one CVE by id instead of the whole CPE -->
<suppress>
<notes><![CDATA[
file name: zookeeper-3.4.6.jar
]]></notes>
<sha1>01b2502e29da1ebaade2357cd1de35a855fa3755</sha1>
<cve>CVE-2014-0085</cve>
</suppress>
</suppressions>