| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| |
| --> |
| <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> |
| <!-- add supressions for false-positives detected by OWASP Dependency Check --> |
| <suppress> |
| <notes> |
| apache:http_server is not used. |
| </notes> |
| <cpe>cpe:/a:apache:http_server</cpe> |
| </suppress> |
| <suppress> |
| <notes> |
| apache:apache_http_server is not used. |
| </notes> |
| <cpe>cpe:/a:apache:apache_http_server</cpe> |
| </suppress> |
| <suppress> |
| <notes>pulsar-package-bookkeeper-storage gets mixed with bookkeeper.</notes> |
| <gav regex="true">org\.apache\.pulsar:.*</gav> |
| <cpe>cpe:/a:apache:bookkeeper</cpe> |
| </suppress> |
| <suppress> |
| <notes>kubernetes client doesn't contain CVE-2020-8554</notes> |
| <gav regex="true">io\.kubernetes:.*</gav> |
| <cve>CVE-2020-8554</cve> |
| </suppress> |
| <suppress> |
| <notes>avro doesn't contain CVE-2019-17195</notes> |
| <gav regex="true">org\.apache\.avro:.*</gav> |
| <cve>CVE-2019-17195</cve> |
| </suppress> |
| <suppress> |
| <notes>CVE-2021-43045 affects only .NET distro, see https://github.com/apache/avro/pull/1357</notes> |
| <gav regex="true">org\.apache\.avro:.*</gav> |
| <cve>CVE-2021-43045</cve> |
| </suppress> |
| <suppress base="true"> |
| <notes><![CDATA[ |
| FP per #3889 |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative\-classes@.*$</packageUrl> |
| <cpe>cpe:/a:netty:netty</cpe> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: netty-tcnative-boringssl-static-2.0.56.Final-osx-aarch_64.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative\-boringssl\-static@.*$</packageUrl> |
| <cpe>cpe:/a:chromium_project:chromium</cpe> |
| </suppress> |
| |
| <!-- CVE-2021-23214 is about PostGre server --> |
| <suppress> |
| <notes><![CDATA[ |
| file name: debezium-connector-postgres-1.7.2.Final.jar |
| ]]></notes> |
| <sha1>69c1edfa7d89531af511fcd07e8516fa450f746a</sha1> |
| <cve>CVE-2021-23214</cve> |
| </suppress> |
| |
| <!-- MariaDB client is being confused with MariaDB server--> |
| <suppress> |
| <notes><![CDATA[ |
| file name: mariadb-java-client-2.7.5.jar |
| ]]></notes> |
| <sha1>9dd29797ecabe7d2e7fa892ec6713a5552cfcc59</sha1> |
| <cve>CVE-2022-27376</cve> |
| <cve>CVE-2022-27377</cve> |
| <cve>CVE-2022-27378</cve> |
| <cve>CVE-2022-27379</cve> |
| <cve>CVE-2022-27380</cve> |
| <cve>CVE-2022-27381</cve> |
| <cve>CVE-2022-27382</cve> |
| <cve>CVE-2022-27383</cve> |
| <cve>CVE-2022-27384</cve> |
| <cve>CVE-2022-27385</cve> |
| <cve>CVE-2022-27386</cve> |
| <cve>CVE-2022-27387</cve> |
| <cve>CVE-2022-27444</cve> |
| <cve>CVE-2022-27446</cve> |
| <cve>CVE-2022-27449</cve> |
| <cve>CVE-2022-27451</cve> |
| <cve>CVE-2022-27452</cve> |
| <cve>CVE-2022-27455</cve> |
| <cve>CVE-2022-27457</cve> |
| </suppress> |
| |
| <!-- google-http-client-gson getting confused with gson--> |
| <suppress> |
| <notes><![CDATA[ |
| file name: google-http-client-gson-1.41.0.jar |
| ]]></notes> |
| <sha1>1a754a5dd672218a2ac667d7ff2b28df7a5a240e</sha1> |
| <cve>CVE-2022-25647</cve> |
| </suppress> |
| |
| <suppress> |
| <notes>commons-net is not used at all and therefore commons-net vulnerability CVE-2021-37533 is a false positive.</notes> |
| <cve>CVE-2021-37533</cve> |
| </suppress> |
| |
| <suppress> |
| <notes>fredsmith utils library is not used at all. CVE-2021-4277 is a false positive.</notes> |
| <cve>CVE-2021-4277</cve> |
| </suppress> |
| |
| <suppress> |
| <notes>yaml_project is not used at all. Any CVEs reported for yaml_project are false positives.</notes> |
| <cpe>cpe:/a:yaml_project:yaml</cpe> |
| </suppress> |
| |
| <suppress> |
| <notes>flat_project is not used at all.</notes> |
| <cpe>cpe:/a:flat_project:flat</cpe> |
| </suppress> |
| </suppressions> |