<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<!-- GWT Development - Jetty 6 -->
<!-- Each entry below drops the cpe:/a:mortbay:jetty identification for one org.mortbay.jetty artifact.
     Suppressing by CPE, rather than by individual CVE, hides every vulnerability mapped to that CPE,
     including ones published later. The gav regex ends in ":.*" so it applies to any version. -->
<!-- NOTE(review): no justification is recorded beyond the heading. Presumably these jars are pulled in only
     for GWT development mode and are not part of the deployed application. Confirm and record that here. -->
<suppress>
<gav regex="true">^org\.mortbay\.jetty:jetty-util:.*$</gav>
<cpe>cpe:/a:mortbay:jetty</cpe>
</suppress>
<suppress>
<gav regex="true">^org\.mortbay\.jetty:jetty:.*$</gav>
<cpe>cpe:/a:mortbay:jetty</cpe>
</suppress>
<suppress>
<gav regex="true">^org\.mortbay\.jetty:servlet-api-2\.5:.*$</gav>
<cpe>cpe:/a:mortbay:jetty</cpe>
</suppress>
<!-- GWT Development - Apache Client -->
<!-- Suppresses three named CVEs for httpclient and httpmime. The gav regex matches any version,
     so the suppression stays in force across upgrades and downgrades of these artifacts. -->
<!-- NOTE(review): the reason for each CVE is not recorded. Presumably the artifacts are used only by GWT
     development tooling. If either is on the runtime classpath and used for outbound HTTP(S),
     re-evaluate each CVE against the resolved version and document the outcome per CVE. -->
<suppress>
<gav regex="true">^org\.apache\.httpcomponents:httpclient:.*$</gav>
<cve>CVE-2011-1498</cve>
<cve>CVE-2014-3577</cve>
<cve>CVE-2015-5262</cve>
</suppress>
<suppress>
<gav regex="true">^org\.apache\.httpcomponents:httpmime:.*$</gav>
<cve>CVE-2011-1498</cve>
<cve>CVE-2014-3577</cve>
<cve>CVE-2015-5262</cve>
</suppress>
<!-- Jetty 8 - False positive, found in a POM file -->
<!-- Suppresses CVE-2017-9735 for six org.eclipse.jetty artifacts. Each entry carries a notes element
     naming ehcache-2.10.0.jar; presumably the Jetty coordinates were read from POM metadata bundled
     inside that jar rather than from a Jetty jar on the classpath (TODO confirm). -->
<!-- NOTE(review): the gav regex is not tied to ehcache. It matches these artifact names at any version,
     so a real Jetty dependency with the same coordinates would be suppressed too. Another comment in this
     file describes CVE-2017-9735 as affecting 9.4.6 and earlier, a range that would include a real
     Jetty 8 runtime. The suppression is only sound while these remain metadata-only matches. -->
<suppress>
<notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
<gav regex="true">^org\.eclipse\.jetty:jetty-continuation:.*$</gav>
<cve>CVE-2017-9735</cve>
</suppress>
<suppress>
<notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
<gav regex="true">^org\.eclipse\.jetty:jetty-http:.*$</gav>
<cve>CVE-2017-9735</cve>
</suppress>
<suppress>
<notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
<gav regex="true">^org\.eclipse\.jetty:jetty-security:.*$</gav>
<cve>CVE-2017-9735</cve>
</suppress>
<suppress>
<notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
<gav regex="true">^org\.eclipse\.jetty:jetty-server:.*$</gav>
<cve>CVE-2017-9735</cve>
</suppress>
<suppress>
<notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
<gav regex="true">^org\.eclipse\.jetty:jetty-servlet:.*$</gav>
<cve>CVE-2017-9735</cve>
</suppress>
<suppress>
<notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
<gav regex="true">^org\.eclipse\.jetty:jetty-util:.*$</gav>
<cve>CVE-2017-9735</cve>
</suppress>
<!-- Jetty 9.4.9 -->
<!-- Suppresses Jetty CVEs reported against companion artifacts (alpn-api, the orbit bundles and
     jetty-schemas). The inline comments give a version-based reason for each CVE. -->
<!-- NOTE(review): the reasons depend on the Jetty version in use (9.4.9 per the heading), but the gav
     regex matches any version of these artifacts and nothing here checks the Jetty version itself.
     If Jetty is ever pinned below the stated fixed versions, these entries would hide a real finding.
     Re-check them whenever the Jetty version changes. -->
<suppress>
<gav regex="true">^org\.eclipse\.jetty\.alpn:alpn-api:.*$</gav>
<cve>CVE-2017-9735</cve> <!-- False positive, only affects 9.4.6 and earlier -->
</suppress>
<suppress>
<gav regex="true">^org\.eclipse\.jetty\.orbit:javax\.security\.auth\.message:.*$</gav>
<cve>CVE-2017-9735</cve> <!-- False positive, only affects 9.4.6 and earlier -->
</suppress>
<suppress>
<gav regex="true">^org\.eclipse\.jetty\.orbit:javax\.mail\.glassfish:.*$</gav>
<cve>CVE-2017-9735</cve> <!-- False positive, only affects 9.4.6 and earlier -->
</suppress>
<suppress>
<gav regex="true">^org\.eclipse\.jetty\.toolchain:jetty-schemas:.*$</gav>
<cve>CVE-2007-5613</cve> <!-- False positive, only affects 6.1.6 and earlier -->
<cve>CVE-2007-5614</cve> <!-- False positive, only affects 6.1.6 and earlier -->
<cve>CVE-2007-5615</cve> <!-- False positive, only affects 6.1.6 and earlier -->
<cve>CVE-2017-9735</cve> <!-- False positive, only affects 9.4.6 and earlier -->
</suppress>
<!-- Jackson 2.0.2 -->
<!-- Suppresses the same five CVEs for jackson-annotations and jackson-databind at any version.
     The per-CVE reasons are written only on the jackson-annotations entry; the jackson-databind
     entry repeats the list without them. -->
<!-- NOTE(review): these are accepted-risk suppressions, not version-based false positives. They hold only
     while the application never deserializes untrusted JSON into generic or polymorphic types and the
     named gadget libraries stay off the classpath. jackson-databind is the artifact that performs
     deserialization, so that entry is the one that matters. Re-verify these assumptions when
     DTOs, ObjectMapper configuration or dependencies change. -->
<suppress>
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-annotations:.*$</gav>
<cve>CVE-2017-15095</cve> <!-- Only affects you if you allow to deserialize generic classes, object, serializable, etc.. -->
<cve>CVE-2017-17485</cve> <!-- Only affects you if you allow to deserialize generic classes, object, serializable, etc.. -->
<cve>CVE-2017-7525</cve> <!-- Only affects you if you allow to deserialize generic classes, object, serializable, etc.. -->
<cve>CVE-2018-5968</cve> <!-- No Gadgets used, or DTOs are plain DTOs -->
<cve>CVE-2018-7489</cve> <!-- We don't use c3p0 libraries -->
</suppress>
<suppress>
<!-- Same CVE list as the jackson-annotations entry; the reasons given there are assumed to apply here. -->
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
<cve>CVE-2017-15095</cve><cve>CVE-2017-17485</cve><cve>CVE-2017-7525</cve><cve>CVE-2018-5968</cve><cve>CVE-2018-7489</cve>
</suppress>
<!-- Spring 4.1 -->
<!-- Suppresses the same seven CVEs for eleven Spring modules at any version. The per-CVE reasons
     are written only on the spring-aop entry; the other entries repeat the list without them. -->
<!-- NOTE(review): nine of the eleven gav patterns start with "^springframework:" while spring-context and
     spring-orm start with "^org\.springframework:". Because the patterns are anchored with "^", the
     first form cannot match an artifact whose groupId is org.springframework. Confirm which groupId
     the build resolves; the non-matching entries are dead and should be corrected or removed
     deliberately, not left ambiguous. -->
<!-- NOTE(review): the reasons are deployment and usage assumptions (no web sockets, no Windows hosts,
     no user-controlled download names). They need re-checking when features or target platforms
     change. The note on CVE-2015-3192 is phrased as an open question and does not yet justify
     the suppression. -->
<suppress>
<gav regex="true">^springframework:spring-aop:.*$</gav>
<cve>CVE-2015-0201</cve> <!-- The Java SockJS client, we don't use the web sockets client -->
<cve>CVE-2015-3192</cve> <!-- DOS Attacks using crafted DTD for XML, where we use DTDs? -->
<cve>CVE-2015-5211</cve> <!-- This only affects downloads where the user could give the name of the file, not the case of the DSS -->
<cve>CVE-2016-5007</cve> <!-- We don't use spring security to protect controllers -->
<cve>CVE-2018-1270</cve> <!-- We don't use web sockets endpoints -->
<cve>CVE-2018-1271</cve> <!-- We don't deploy on Windows -->
<cve>CVE-2018-1272</cve> <!-- We don't forward user input blindly to create packages from our web client -->
</suppress>
<suppress>
<gav regex="true">^springframework:spring-beans:.*$</gav>
<cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
</suppress>
<suppress>
<gav regex="true">^org\.springframework:spring-context:.*$</gav>
<cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
</suppress>
<suppress>
<gav regex="true">^springframework:spring-core:.*$</gav>
<cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
</suppress>
<suppress>
<gav regex="true">^springframework:spring-web:.*$</gav>
<cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
</suppress>
<suppress>
<gav regex="true">^springframework:spring-webmvc:.*$</gav>
<cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
</suppress>
<suppress>
<gav regex="true">^springframework:spring-expression:.*$</gav>
<cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
</suppress>
<suppress>
<gav regex="true">^springframework:spring-tx:.*$</gav>
<cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
</suppress>
<suppress>
<gav regex="true">^springframework:spring-context-support:.*$</gav>
<cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
</suppress>
<suppress>
<gav regex="true">^springframework:spring-jdbc:.*$</gav>
<cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
</suppress>
<suppress>
<gav regex="true">^org\.springframework:spring-orm:.*$</gav>
<cve>CVE-2015-0201</cve><cve>CVE-2015-3192</cve><cve>CVE-2015-5211</cve><cve>CVE-2016-5007</cve><cve>CVE-2018-1270</cve><cve>CVE-2018-1271</cve><cve>CVE-2018-1272</cve>
</suppress>
<!-- Postgresql JDBC -->
<!-- Suppresses one CVE for the PostgreSQL JDBC driver artifact at any version. -->
<!-- NOTE(review): the stated reason is about who can run SQL through the driver. Check the CVE description
     to confirm whether it concerns the JDBC driver at all or the database server and its packaging,
     and record which; a product mismatch would be a stronger and more durable justification. -->
<suppress>
<gav regex="true">^org\.postgresql:postgresql:.*$</gav>
<cve>CVE-2017-14798</cve> <!-- Clients can't use JDBC directly and execute their own SQL -->
</suppress>
</suppressions>