- suppress warning for jython-standalone as optional dependency.
git-svn-id: https://svn.apache.org/repos/asf/turbine/core/trunk@1859623 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/pom.xml b/pom.xml
index d6468cb..1592cfd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1051,12 +1051,13 @@
<classifier>tests</classifier>
<scope>test</scope>
</dependency>
- <!-- suppress oswasp warning until v1.1.2 is released, which fixes https://github.com/quartz-scheduler/quartz/issues/316 -->
+ <!-- suppress owasp warning until v1.1.2 is released, which fixes https://github.com/quartz-scheduler/quartz/issues/316 -->
<dependency>
<groupId>org.apache.fulcrum</groupId>
<artifactId>fulcrum-quartz</artifactId>
<version>1.1.1</version>
</dependency>
+ <!-- suppress owasp CVE-2018-11771, CVE-2018-1324, as jython-standalone is optional.-->
<dependency>
<groupId>org.python</groupId>
<artifactId>jython-standalone</artifactId>
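Review bot: The comment added above the jython-standalone dependency justifies suppressing CVE-2018-11771 and CVE-2018-1324 on the grounds that the artifact is optional, but nothing in the visible lines of the dependency element shows `<optional>true</optional>` or a non-compile `<scope>`; the rest of the element is outside this hunk, so please confirm it is actually declared optional, and add `<optional>true</optional>` if it is not. Optionality also only means downstream builds do not pull the jar transitively — anyone who does enable it still ships the bundled commons-compress 1.14 at runtime, so the suppression does not reduce exposure for them. I would make the comment say that explicitly and point at the owning ticket, e.g. `<!-- owasp: CVE-2018-11771 / CVE-2018-1324 come from commons-compress 1.14 bundled inside jython-standalone; suppressed only because this dependency is optional and not on the default runtime classpath. Revisit when a jython release with a newer commons-compress is available. -->`.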
diff --git a/suppression-owasp-fp.xml b/suppression-owasp-fp.xml
index 5f0c3f3..09a1b58 100644
--- a/suppression-owasp-fp.xml
+++ b/suppression-owasp-fp.xml
@@ -44,4 +44,17 @@
<sha1>5af35056b4d257e4b64b9e8069c0746e8b08629f</sha1>
<cve>CVE-2017-5645</cve>
</suppress>
+ <!-- jython-standalone is only optional, but check this
+ jython-standalone-2.7.1.jar\META-INF/maven/org.apache.commons/commons-compress/pom.xml (pkg:maven/org.apache.commons/commons-compress@1.14, cpe:2.3:a:apache:commons-compress:1.14:*:*:*:*:*:*:*) : CVE-2018-11771, CVE-2018-1324.
+ jython-standalone-2.7.1.jar bundles dependencies of the project inside the JAR itself, unshaded.
+ -->
+ <suppress>
+ <notes><![CDATA[
+ file name: jython-standalone-2.7.1.jar (shaded: org.apache.commons:commons-compress:1.14)
+ ]]></notes>
+ <gav regex="true">^org\.apache\.commons:commons-compress:.*$</gav>
+ <cpe>cpe:/a:apache:commons-compress</cpe>
+ </suppress>
+
+
</suppressions>
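Review bot: The new `<suppress>` entry is far broader than its note claims: `<gav regex="true">^org\.apache\.commons:commons-compress:.*$</gav>` together with `<cpe>cpe:/a:apache:commons-compress</cpe>` silences every current and future commons-compress finding for any version and any jar, not just the two CVEs reported against the copy bundled in jython-standalone-2.7.1. If commons-compress ever becomes a direct dependency or is bundled by another artifact, its vulnerabilities would be hidden from the scan with no warning. The existing entry just above it scopes by `<sha1>` plus an explicit `<cve>`, and this one should follow the same pattern — pin the file (by `sha1` or a `filePath` regex on the jython jar) and list only CVE-2018-11771 and CVE-2018-1324, ideally with an `until` date so the suppression expires rather than living forever. The note text also contradicts the comment on the line above it ("unshaded" in the comment, "shaded:" in the note) — commons-compress is bundled unrelocated, so "bundled" is the accurate word in both places.
```xml
<suppress until="2020-12-31Z">
  <notes><![CDATA[
  file name: jython-standalone-2.7.1.jar (bundled, unrelocated: org.apache.commons:commons-compress:1.14)
  jython-standalone is an optional dependency; re-evaluate when a jython release with a newer commons-compress is available.
  ]]></notes>
  <filePath regex="true">.*jython-standalone-2\.7\.1\.jar.*</filePath>
  <cve>CVE-2018-11771</cve>
  <cve>CVE-2018-1324</cve>
</suppress>
```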
\ No newline at end of file