owasp_suppressing_false_positives.xml

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
   <!-- GWT Development - Jetty 6 -->
   <suppress>
      <gav regex="true">^org\.mortbay\.jetty:jetty-util:.*$</gav>
      <cpe>cpe:/a:mortbay:jetty</cpe>
   </suppress>
   <suppress>
	   <gav regex="true">^org\.mortbay\.jetty:jetty:.*$</gav>
	   <cpe>cpe:/a:mortbay:jetty</cpe>
	</suppress>
	<suppress>
	   <gav regex="true">^org\.mortbay\.jetty:servlet-api-2\.5:.*$</gav>
	   <cpe>cpe:/a:mortbay:jetty</cpe>
	</suppress>
	<!-- GWT Development - Apache Client -->
	<suppress>
	   <gav regex="true">^org\.apache\.httpcomponents:httpclient:.*$</gav>
	   <cve>CVE-2011-1498</cve>
	   <cve>CVE-2014-3577</cve>
	   <cve>CVE-2015-5262</cve>
	</suppress>
	<suppress>
	   <gav regex="true">^org\.apache\.httpcomponents:httpmime:.*$</gav>
	   <cve>CVE-2011-1498</cve>
	   <cve>CVE-2014-3577</cve>
	   <cve>CVE-2015-5262</cve>
	</suppress>
	<!-- Jetty 8 - False positive, found in a ehcache POM file -->
	<suppress>
	   	<notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
	   	<gav regex="true">^org\.eclipse\.jetty:jetty-continuation:.*$</gav>
	   	<cve>CVE-2017-9735</cve>
		<cve>CVE-2017-7656</cve>
		<cve>CVE-2017-7657</cve>
		<cve>CVE-2017-7658</cve>
	</suppress>
	<suppress>
	   	<notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
	   	<gav regex="true">^org\.eclipse\.jetty:jetty-http:.*$</gav>
	   	<cve>CVE-2017-9735</cve>
		<cve>CVE-2017-7656</cve>
		<cve>CVE-2017-7657</cve>
		<cve>CVE-2017-7658</cve>
	</suppress>
	<suppress>
	   	<notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
	   	<gav regex="true">^org\.eclipse\.jetty:jetty-security:.*$</gav>
	   	<cve>CVE-2017-9735</cve>
		<cve>CVE-2017-7656</cve>
		<cve>CVE-2017-7657</cve>
		<cve>CVE-2017-7658</cve>
	</suppress>
	<suppress>
	   	<notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
	   	<gav regex="true">^org\.eclipse\.jetty:jetty-server:.*$</gav>
	   	<cve>CVE-2017-9735</cve>
		<cve>CVE-2017-7656</cve>
		<cve>CVE-2017-7657</cve>
		<cve>CVE-2017-7658</cve>
	</suppress>
	<suppress>
	   	<notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
	   	<gav regex="true">^org\.eclipse\.jetty:jetty-servlet:.*$</gav>
	   	<cve>CVE-2017-9735</cve>
		<cve>CVE-2017-7656</cve>
		<cve>CVE-2017-7657</cve>
		<cve>CVE-2017-7658</cve>
	</suppress>
	<suppress>
	   	<notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
	   	<gav regex="true">^org\.eclipse\.jetty:jetty-util:.*$</gav>
	   	<cve>CVE-2017-9735</cve>
		<cve>CVE-2017-7656</cve>
		<cve>CVE-2017-7657</cve>
		<cve>CVE-2017-7658</cve>
	</suppress>
	<!-- Jetty 9.4.9 -->
	<suppress>
   		<gav regex="true">^org\.eclipse\.jetty\.alpn:alpn-api:.*$</gav>
   		<cve>CVE-2017-9735</cve> <!-- False positive, only affects 9.4.6 and earlier -->
		<cve>CVE-2017-7656</cve> <!-- False positive, only affects 9.4.10 and earlier -->
		<cve>CVE-2017-7657</cve> <!-- False positive, only affects 9.4.10 and earlier -->
		<cve>CVE-2017-7658</cve> <!-- False positive, only affects 9.4.10 and earlier -->
	</suppress>
	<suppress>
   		<gav regex="true">^org\.eclipse\.jetty\.orbit:javax\.security\.auth\.message:.*$</gav>
   		<cve>CVE-2017-9735</cve> <!-- False positive, only affects 9.4.6 and earlier -->
		<cve>CVE-2017-7656</cve> <!-- False positive, only affects 9.4.10 and earlier -->
		<cve>CVE-2017-7657</cve> <!-- False positive, only affects 9.4.10 and earlier -->
		<cve>CVE-2017-7658</cve> <!-- False positive, only affects 9.4.10 and earlier -->
	</suppress>
	<suppress>
   		<gav regex="true">^org\.eclipse\.jetty\.orbit:javax\.mail\.glassfish:.*$</gav>
   		<cve>CVE-2017-9735</cve> <!-- False positive, only affects 9.4.6 and earlier -->
		<cve>CVE-2017-7656</cve> <!-- False positive, only affects 9.4.10 and earlier -->
		<cve>CVE-2017-7657</cve> <!-- False positive, only affects 9.4.10 and earlier -->
		<cve>CVE-2017-7658</cve> <!-- False positive, only affects 9.4.10 and earlier -->
	</suppress>
	<suppress>
   		<gav regex="true">^org\.eclipse\.jetty\.toolchain:jetty-schemas:.*$</gav>
   		<cve>CVE-2007-5613</cve>  <!-- False positive, only affects 6.1.6 and earlier -->
   		<cve>CVE-2007-5614</cve>  <!-- False positive, only affects 6.1.6 and earlier -->
   		<cve>CVE-2007-5615</cve>  <!-- False positive, only affects 6.1.6 and earlier -->
   		<cve>CVE-2017-9735</cve> <!-- False positive, only affects 9.4.6 and earlier -->
		<cve>CVE-2017-7656</cve> <!-- False positive, only affects 9.4.10 and earlier -->
		<cve>CVE-2017-7657</cve> <!-- False positive, only affects 9.4.10 and earlier -->
		<cve>CVE-2017-7658</cve> <!-- False positive, only affects 9.4.10 and earlier -->
	</suppress>
	<!-- Jackson 2.0.2 -->
	<suppress>
   		<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-annotations:.*$</gav>
   		<cve>CVE-2017-15095</cve> <!-- Only affects you if you allow to deserialize generic classes, object, serializable, etc.. -->
   		<cve>CVE-2017-17485</cve> <!-- Only affects you if you allow to deserialize generic classes, object, serializable, etc.. -->
   		<cve>CVE-2017-7525</cve> <!-- Only affects you if you allow to deserialize generic classes, object, serializable, etc.. -->
   		<cve>CVE-2018-5968</cve> <!-- No Gadgets used, or DTOs are plain DTOs -->
   		<cve>CVE-2018-7489</cve> <!-- We don't use c3p0 libraries -->
	</suppress>
	<suppress>
   		<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
   		<cve>CVE-2017-15095</cve><cve>CVE-2017-17485</cve><cve>CVE-2017-7525</cve><cve>CVE-2018-5968</cve><cve>CVE-2018-7489</cve>
	</suppress>
	<!-- Spring 4.1 -->
	<suppress>
	   <gav regex="true">^springframework:spring-aop:.*$</gav>
	   <cve>CVE-2015-0201</cve> <!-- The Java SockJS client, we don't use the web sockets client -->
	   <cve>CVE-2015-3192</cve> <!-- DOS Attacks using crafted DTD for XML, where we use DTDs? -->
	   <cve>CVE-2015-5211</cve> <!-- This only affects downloads where the user could give the name of the file, not the case of the DSS -->
	   <cve>CVE-2016-5007</cve> <!-- We don't use spring security to protect controllers -->
	   <cve>CVE-2018-1270</cve> <!-- We don't use web sockets endpoints -->
	   <cve>CVE-2018-1271</cve> <!-- We don't deploy on Windows -->
	   <cve>CVE-2018-1272</cve> <!-- We don't forward user input blindly to create packages from our web client -->
	   <cve>CVE-2018-1258</cve> <!-- We don't use the web-security jar -->
	</suppress>
	<suppress>
	   <gav regex="true">^springframework:spring-beans:.*$</gav>
	   <cve>CVE-2018-1258</cve><cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
	</suppress>
	<suppress>
	   <gav regex="true">^org\.springframework:spring-context:.*$</gav>
	   <cve>CVE-2018-1258</cve><cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
	</suppress>
	<suppress>
	   <gav regex="true">^springframework:spring-core:.*$</gav>
	   <cve>CVE-2018-1258</cve><cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
	</suppress>
	<suppress>
	   <gav regex="true">^springframework:spring-web:.*$</gav>
	   <cve>CVE-2018-1258</cve><cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
	</suppress>
	<suppress>
	   <gav regex="true">^springframework:spring-webmvc:.*$</gav>
	   <cve>CVE-2018-1258</cve><cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
	</suppress>
	<suppress>
	   <gav regex="true">^springframework:spring-expression:.*$</gav>
	   <cve>CVE-2018-1258</cve><cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
	</suppress>
	<suppress>
	   <gav regex="true">^springframework:spring-tx:.*$</gav>
	   <cve>CVE-2018-1258</cve><cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
	</suppress>
	<suppress>
	   <gav regex="true">^springframework:spring-context-support:.*$</gav>
	   <cve>CVE-2018-1258</cve><cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
	</suppress>
	<suppress>
	   <gav regex="true">^springframework:spring-jdbc:.*$</gav>
	   <cve>CVE-2018-1258</cve><cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
	</suppress>
	<suppress>
	   <gav regex="true">^org\.springframework:spring-orm:.*$</gav>
	   <cve>CVE-2018-1258</cve><cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
	</suppress>
	<!-- Postgresql JDBC -->
	<suppress>
   		<gav regex="true">^org\.postgresql:postgresql:.*$</gav>
   		<cve>CVE-2017-14798</cve> <!-- Clients can't use JDBC directly and execute their own SQL -->
   		<cve>CVE-2018-1115</cve> <!-- We don't use any admin pack -->
		<cve>CVE-2016-7048</cve> <!-- Don't apply to the driver -->
	</suppress>
	<!-- Jython -->
	<suppress>
		<gav regex="true">^org\.jruby\.extras:jaffl:.*$</gav>
		<cpe>CVE-2010-1330</cpe>
		<cpe>CVE-2011-4838</cpe>
		<cpe>CVE-2012-5370</cpe>
	</suppress>
</suppressions>