| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| --> |
| <!-- general cft. https://jeremylong.github.io/DependencyCheck/general/suppression.html --> |
| <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd"> |
| <!-- suppress c3p0 warning until quartz v1.1.2 is released (in fulcrum quartz), which fixes https://github.com/quartz-scheduler/quartz/issues/316 --> |
| <suppress> |
| <notes><![CDATA[ |
| file name: c3p0-0.9.5.2.jar |
| ]]></notes> |
| <gav regex="true">^com\.mchange:c3p0:.*$</gav> |
| <cve>CVE-2018-20433</cve> |
| </suppress> |
| <!-- suppress guava < 24.1.1 as jython is only optional (in turbine) --> |
| <suppress> |
| <notes><![CDATA[ |
| file name: jython-standalone-2.7.1.jar (shaded: com.google.guava:guava:22.0-android) |
| ]]></notes> |
| <gav regex="true">^com\.google\.guava:guava:.*$</gav> |
| <cve>CVE-2018-10237</cve> |
| </suppress> |
| |
| <!-- https://issues.apache.org/jira/browse/LOG4J2-1863 i.e. log4j 2.8.2 fixes, but affected versions match only log4j2 2.x, not log4j 1.x --> |
| <suppress> |
| <notes><![CDATA[ |
| file name: log4j-1.2.17.jar |
| ]]></notes> |
| <sha1>5af35056b4d257e4b64b9e8069c0746e8b08629f</sha1> |
| <cve>CVE-2017-5645</cve> |
| </suppress> |
| <!-- jython-standalone is only optional, but check this |
| jython-standalone-2.7.1.jar\META-INF/maven/org.apache.commons/commons-compress/pom.xml (pkg:maven/org.apache.commons/commons-compress@1.14, cpe:2.3:a:apache:commons-compress:1.14:*:*:*:*:*:*:*) : CVE-2018-11771, CVE-2018-1324. |
| jython-standalone-2.7.1.jar bundles dependencies of the project inside the JAR itself, unshaded. |
| --> |
| <suppress> |
| <notes><![CDATA[ |
| file name: jython-standalone-2.7.1.jar (shaded: org.apache.commons:commons-compress:1.14) |
| ]]></notes> |
| <gav regex="true">^org\.apache\.commons:commons-compress:.*$</gav> |
| <cpe>cpe:/a:apache:commons-compress</cpe> |
| </suppress> |
| |
| |
| </suppressions> |