| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| --> |
| <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> |
<!--
  Struts 1.x core. The packageUrl regex ends in @.* and therefore matches every
  struts-core version, although the note names only 1.3.8.
  NOTE(review): the <cpe> entry removes the cpe:/a:apache:struts identification for this
  artifact, which is expected to hide every current and future finding tied to that CPE
  and would make the 21 <cve> entries below redundant. Confirm against the
  Dependency-Check version in use.
  NOTE(review): CVE-2014-0114, CVE-2015-0899, CVE-2016-1181 and CVE-2016-1182 are
  advisories for Struts 1.x itself. The note does not say which entries are false
  positives and which are accepted risk, or what mitigation backs the acceptance.
  Consider an "until" date on the rule so that it is re-reviewed.
-->
| <suppress> |
| <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl> |
| <cpe>cpe:/a:apache:struts</cpe> |
| <cve>CVE-2016-1182</cve> |
| <cve>CVE-2016-1181</cve> |
| <cve>CVE-2014-0114</cve> |
| <cve>CVE-2015-0899</cve> |
| <cve>CVE-2011-5057</cve> |
| <cve>CVE-2012-0391</cve> |
| <cve>CVE-2012-0392</cve> |
| <cve>CVE-2012-0393</cve> |
| <cve>CVE-2012-0394</cve> |
| <cve>CVE-2012-0838</cve> |
| <cve>CVE-2013-1965</cve> |
| <cve>CVE-2013-1966</cve> |
| <cve>CVE-2013-2115</cve> |
| <cve>CVE-2013-2134</cve> |
| <cve>CVE-2013-2135</cve> |
| <cve>CVE-2014-0094</cve> |
| <cve>CVE-2014-0113</cve> |
| <cve>CVE-2015-5169</cve> |
| <cve>CVE-2016-0785</cve> |
| <cve>CVE-2016-4003</cve> |
| <cve>CVE-2015-2992</cve> |
| </suppress> |
<!--
  Struts 1.x tiles, pinned by <gav> to 1.3.8. Only a <cpe> is given, so the rule
  suppresses the CPE match as a whole rather than named CVEs.
  NOTE(review): most rules in this file use <packageUrl>; check that a <gav> rule still
  matches on the Dependency-Check version in use, and record why cpe:/a:apache:struts is
  a false positive for this jar.
-->
| <suppress> |
| <notes><![CDATA[file name: struts-tiles-1.3.8.jar]]></notes> |
| <gav regex="true">^org\.apache\.struts:struts\-tiles\:1\.3\.8.*$</gav> |
| <cpe>cpe:/a:apache:struts</cpe> |
| </suppress> |
<!--
  Struts 1.x taglib, pinned by <gav> to 1.3.8. Only a <cpe> is given, so the rule
  suppresses the CPE match as a whole rather than named CVEs.
  NOTE(review): no reason is recorded for treating cpe:/a:apache:struts as not applicable
  to this jar; add one, and check that the <gav> form still matches on the
  Dependency-Check version in use.
-->
| <suppress> |
| <notes><![CDATA[file name: struts-taglib-1.3.8.jar]]></notes> |
| <gav regex="true">^org\.apache\.struts:struts\-taglib\:1\.3\.8.*$</gav> |
| <cpe>cpe:/a:apache:struts</cpe> |
| </suppress> |
<!--
  BeanShell: suppresses CVE-2016-2510 by vulnerability name for every bsh version (@.*);
  the note names 2.0b4.
  NOTE(review): no reason is recorded. The advisory concerns applications that use Java
  serialization or XStream with bsh on the classpath, and this file also carries a rule
  for xstream-1.4.19; state whether untrusted data can reach a deserializer here.
-->
| <suppress> |
| <notes><![CDATA[file name: bsh-2.0b4.jar]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.beanshell/bsh@.*$</packageUrl> |
| <vulnerabilityName>CVE-2016-2510</vulnerabilityName> |
| </suppress> |
<!--
  plexus-utils: matches every version (@.*); the note names 1.2. Suppresses the CPE, one
  CVE and two findings identified by vulnerability name.
  NOTE(review): the <cpe> entry is expected to hide all findings for this CPE, not only
  the three named below. No justification is recorded (for example build-time-only use);
  add one so the next reviewer can tell a false positive from an accepted risk.
-->
| <suppress> |
| <notes><![CDATA[ file name: plexus-utils-1.2.jar]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-utils@.*$</packageUrl> |
| <cpe>cpe:/a:plexus-utils_project:plexus-utils</cpe> |
| <cve>CVE-2017-1000487</cve> |
| <vulnerabilityName>Directory traversal in org.codehaus.plexus.util.Expand</vulnerabilityName> |
| <vulnerabilityName>Possible XML Injection</vulnerabilityName> |
| </suppress> |
<!--
  DWR (Direct Web Remoting): CPE-only rule for every dwr version (@.*); the note names
  1.1.1.
  NOTE(review): this hides all findings for cpe:/a:getahead:direct_web_remoting on the
  artifact, including ones published later, and no reason is recorded. If the CPE match
  is correct for this jar, list the reviewed CVEs instead of suppressing the CPE.
-->
| <suppress> |
| <notes><![CDATA[file name: dwr-1.1.1.jar]]></notes> |
| <packageUrl regex="true">^pkg:maven/uk\.ltd\.getahead/dwr@.*$</packageUrl> |
| <cpe>cpe:/a:getahead:direct_web_remoting</cpe> |
| </suppress> |
<!--
  commons-collections: matches every version (@.*); the note names 3.2.1. Suppresses the
  CPE, two CVEs and a finding named "Remote code execution".
  NOTE(review): the listed findings relate to unsafe Java deserialization involving
  commons-collections classes. No reason is recorded; state whether any code path
  deserializes untrusted data with this jar on the classpath. The <cpe> entry is expected
  to hide later findings for this CPE as well.
-->
| <suppress> |
| <notes><![CDATA[file name: commons-collections-3.2.1.jar]]></notes> |
| <packageUrl regex="true">^pkg:maven/commons\-collections/commons\-collections@.*$</packageUrl> |
| <cpe>cpe:/a:apache:commons_collections</cpe> |
| <cve>CVE-2015-6420</cve> |
| <cve>CVE-2017-15708</cve> |
| <vulnerabilityName>Remote code execution</vulnerabilityName> |
| </suppress> |
<!--
  commons-beanutils: matches every version (@.*); the note names 1.7.0. Suppresses the
  CPE and two CVEs; CVE-2014-0114 is also listed in the struts-core rule of this file.
  NOTE(review): both CVEs concern access to the "class" property during bean population,
  which matters when request parameters are bound to beans. No mitigation or reason is
  recorded; add one. The <cpe> entry is expected to hide later findings for this CPE too.
-->
| <suppress> |
| <notes><![CDATA[file name: commons-beanutils-1.7.0.jar]]></notes> |
| <packageUrl regex="true">^pkg:maven/commons\-beanutils/commons\-beanutils@.*$</packageUrl> |
| <cpe>cpe:/a:apache:commons_beanutils</cpe> |
| <cve>CVE-2014-0114</cve> |
| <cve>CVE-2019-10086</cve> |
| </suppress> |
<!--
  dom4j: matches every version (@.*); the note names 1.1. Suppresses the CPE and two CVEs.
  NOTE(review): CVE-2020-10683 concerns external entity handling in the default parser
  setup and CVE-2018-1000632 concerns XML injection; both depend on whether dom4j handles
  untrusted XML here. No reason is recorded. The <cpe> entry is expected to hide later
  findings for this CPE as well.
-->
| <suppress> |
| <notes><![CDATA[file name: dom4j-1.1.jar]]></notes> |
| <packageUrl regex="true">^pkg:maven/dom4j/dom4j@.*$</packageUrl> |
| <cpe>cpe:/a:dom4j_project:dom4j</cpe> |
| <cve>CVE-2020-10683</cve> |
| <cve>CVE-2018-1000632</cve> |
| </suppress> |
<!--
  tiles-ognl: suppresses CVE-2016-3093 for every version (@.*); the note names 3.0.8.
  This is a CVE-scoped rule, so other findings on the artifact are still reported.
  NOTE(review): no reason is recorded; state whether this is a cross-match from another
  product or an accepted risk.
-->
| <suppress> |
| <notes><![CDATA[file name: tiles-ognl-3.0.8.jar]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.tiles/tiles\-ognl@.*$</packageUrl> |
| <cve>CVE-2016-3093</cve> |
| </suppress> |
| <!-- quarkus, see: https://github.com/quarkusio/quarkus/issues/2611#issuecomment-553409186 --> |
<!--
  False-positive CPE: the Quarkus JDBC extension is matched to the PostgreSQL product CPE.
  A CPE-only rule fits this case, because the extension is not the product the CPE names.
  The <gav> regex covers every version of io.quarkus:quarkus-jdbc-postgresql.
  NOTE(review): check that a <gav> rule still matches on the Dependency-Check version in
  use; most rules in this file use <packageUrl>.
-->
| <suppress> |
| <notes> |
| <![CDATA[ |
| Suppress the false positive CPE for quarkus-jdbc-postgresql to postgresql |
| ]]> |
| </notes> |
| <gav regex="true">^io\.quarkus:quarkus-jdbc-postgresql:.*$</gav> |
| <cpe>cpe:/a:postgresql:postgresql</cpe> |
| </suppress> |
<!--
  False-positive CPE: Quarkus RESTEasy extensions matched to the RESTEasy product CPE.
  The artifact part of the regex is "quarkus-resteasy.*", so the rule covers every
  io.quarkus artifact whose name starts with quarkus-resteasy, at any version.
  NOTE(review): the real RESTEasy jars are separate dependencies and must stay unsuppressed
  for findings on them to be reported; confirm no rule in the build hides them.
-->
| <suppress> |
| <notes> |
| <![CDATA[ |
| Suppress the false positive CPE for quarkus-resteasy to resteasy |
| ]]> |
| </notes> |
| <gav regex="true">^io\.quarkus:quarkus-resteasy.*:.*$</gav> |
| <cpe>cpe:/a:redhat:resteasy</cpe> |
| </suppress> |
<!--
  False-positive CPE: Quarkus Undertow extensions matched to the Undertow product CPE, for
  every io.quarkus artifact whose name starts with quarkus-undertow, at any version.
  NOTE(review): the rule also suppresses CVE-2022-4147, which the note does not mention.
  That CVE appears to be reported against Quarkus itself, so it may be an accepted risk
  rather than a false positive; confirm and record the reason.
-->
| <suppress> |
| <notes> |
| <![CDATA[ |
| Suppress the false positive CPE for quarkus-undertow to undertow |
| ]]> |
| </notes> |
| <gav regex="true">^io\.quarkus:quarkus-undertow.*:.*$</gav> |
| <cpe>cpe:/a:redhat:undertow</cpe> |
| <cve>CVE-2022-4147</cve> |
| </suppress> |
<!--
  False-positive CPE: Quarkus Swagger UI extensions matched to the swagger-ui product CPE,
  for every io.quarkus artifact whose name starts with quarkus-swagger-ui, at any version.
  NOTE(review): if the extension bundles swagger-ui assets, findings for the bundled
  version would be hidden by this rule as well; confirm how the assets are delivered.
-->
| <suppress> |
| <notes> |
| <![CDATA[ |
| Suppress the false positive CPE for quarkus-swagger-ui to swagger_project:swagger-ui |
| ]]> |
| </notes> |
| <gav regex="true">^io\.quarkus:quarkus-swagger-ui.*:.*$</gav> |
| <cpe>cpe:/a:swagger_project:swagger-ui</cpe> |
| </suppress> |
<!--
  False-positive CPE: Quarkus Netty extensions matched to the Netty product CPE, for every
  io.quarkus artifact whose name starts with quarkus-netty, at any version.
  NOTE(review): the Netty jars themselves are separate dependencies; this rule should not
  be widened to cover them, or genuine Netty findings would be lost.
-->
| <suppress> |
| <notes> |
| <![CDATA[ |
| Suppress the false positive CPE for quarkus-netty to netty |
| ]]> |
| </notes> |
| <gav regex="true">^io\.quarkus:quarkus-netty.*:.*$</gav> |
| <cpe>cpe:/a:netty:netty</cpe> |
| </suppress> |
<!--
  microprofile-config-api: suppresses two CVEs for every version (the regex ends in @.*);
  the note names 2.0.1. CVE-scoped, so other findings on the artifact are still reported.
  NOTE(review): the note holds only the jar name. These look like findings for a different
  product cross-matched onto the API jar; confirm and say so in the note.
-->
| <suppress> |
| <notes><![CDATA[microprofile-config-api-2.0.1.jar]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.config/microprofile-config-api@.*</packageUrl> |
| <cve>CVE-2022-37422</cve> |
| <cve>CVE-2022-45129</cve> |
| </suppress> |
<!--
  quarkus-vertx-http: suppresses CVE-2022-4147 for every version (the regex ends in @.*);
  the note names 2.13.1.Final.
  NOTE(review): CVE-2022-4147 appears to concern Quarkus CORS handling in this very
  artifact, so this looks like an accepted risk rather than a false positive. Record the
  reason, and consider pinning the rule to the reviewed version or adding an "until" date
  so that it stops applying after an upgrade or review deadline.
-->
| <suppress> |
| <notes><![CDATA[quarkus-vertx-http-2.13.1.Final.jar]]></notes> |
| <packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus-vertx-http@.*</packageUrl> |
| <cve>CVE-2022-4147</cve> |
| </suppress> |
| <!-- quarkus --> |
<!--
  Spring Framework: the regex "spring\-.*@.*" matches every org.springframework artifact
  whose name starts with spring-, at any version, although the note names only
  spring-core and spring-aop 4.3.30.RELEASE.
  NOTE(review): CVE-2022-22965 is the remote code execution issue in Spring data binding.
  Suppressing it for all Spring modules and versions with no recorded reason is a broad
  blind spot. Narrow the rule to the artifacts and version actually reviewed, document
  why each CVE is not exploitable here, and consider an "until" date for re-review.
-->
| <suppress> |
| <notes><![CDATA[file name: spring-core-4.3.30.RELEASE.jar, spring-aop-4.3.30.RELEASE.jar]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-.*@.*$</packageUrl> |
| <cve>CVE-2022-22965</cve> |
| <cve>CVE-2022-22950</cve> |
| <cve>CVE-2022-22968</cve> |
| <cve>CVE-2022-22970</cve> |
| </suppress> |
<!--
  spring-web: suppresses CVE-2016-1000027 for every version (@.*); the note names 5.3.23.
  NOTE(review): this CVE concerns Java deserialization through Spring HTTP invoker
  endpoints, so it applies only if such an endpoint is exposed to untrusted callers.
  Record that this was checked; the note currently holds only the jar name.
-->
| <suppress> |
| <notes><![CDATA[file name: spring-web-5.3.23.jar]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl> |
| <cve>CVE-2016-1000027</cve> |
| </suppress> |
<!--
  velocity: suppresses CVE-2020-13936 for every version (the regex ends in @.*); the note
  names 1.7.
  NOTE(review): this CVE matters when people who can edit templates are not fully trusted.
  No reason is recorded; state who can supply or modify templates in this deployment.
-->
| <suppress> |
| <notes><![CDATA[file name: velocity-1.7.jar]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.velocity/velocity@.*</packageUrl> |
| <cve>CVE-2020-13936</cve> |
| </suppress> |
<!--
  velocity-tools: suppresses CVE-2020-13959 for every version (the regex ends in @.*); the
  note names 2.0.
  NOTE(review): this CVE is presumably relevant only where the VelocityView default error
  page is reachable; confirm and record the reason in the note.
-->
| <suppress> |
| <notes><![CDATA[file name: velocity-tools-2.0.jar]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.velocity/velocity-tools@.*</packageUrl> |
| <cve>CVE-2020-13959</cve> |
| </suppress> |
<!--
  xstream: suppresses three CVEs for version 1.4.19 only. This is the one rule in the file
  pinned to a version in its packageUrl, so it stops applying once the dependency is
  upgraded and the findings are then reported again.
  NOTE(review): the note holds only the jar name; record why the three CVEs are not
  exploitable or are accepted for this version.
-->
| <suppress> |
| <notes><![CDATA[file name: xstream-1.4.19.jar]]></notes> |
| <packageUrl regex="true">^pkg:maven/com\.thoughtworks\.xstream/xstream@1\.4\.19</packageUrl> |
| <cve>CVE-2022-40151</cve> |
| <cve>CVE-2022-40152</cve> |
| <cve>CVE-2022-40156</cve> |
| </suppress> |
| </suppressions> |