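<?xml version="1.0" encoding="UTF-8"?>
<!--
  OWASP DependencyCheck suppression file.

  Each <suppress> entry hides the listed CPE or CVE findings for every Maven
  artifact whose group:artifact:version identifier matches the <gav> regex.

  Review notes that apply to the whole file:
    * Every <gav> pattern ends in ":.*", so an entry applies to ALL versions of
      the artifact. Rationales written for one version ("only affects X and
      earlier") are not enforced by the pattern; re-review the entry whenever
      the dependency version changes.
    * Entries without a recorded rationale should get one, so that a later
      reader can tell a false positive from an accepted risk.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <!-- GWT Development: Jetty 6.
       These entries suppress the whole mortbay Jetty CPE, i.e. every current
       and future CVE reported under it, not a fixed list of CVEs. -->
  <suppress>
    <gav regex="true">^org\.mortbay\.jetty:jetty-util:.*$</gav>
    <cpe>cpe:/a:mortbay:jetty</cpe>
  </suppress>
  <suppress>
    <gav regex="true">^org\.mortbay\.jetty:jetty:.*$</gav>
    <cpe>cpe:/a:mortbay:jetty</cpe>
  </suppress>
  <suppress>
    <gav regex="true">^org\.mortbay\.jetty:servlet-api-2\.5:.*$</gav>
    <cpe>cpe:/a:mortbay:jetty</cpe>
  </suppress>

  <!-- GWT Development: Apache HTTP client.
       NOTE(review): no per-CVE rationale is recorded for these two entries. -->
  <suppress>
    <gav regex="true">^org\.apache\.httpcomponents:httpclient:.*$</gav>
    <cve>CVE-2011-1498</cve>
    <cve>CVE-2014-3577</cve>
    <cve>CVE-2015-5262</cve>
  </suppress>
  <suppress>
    <gav regex="true">^org\.apache\.httpcomponents:httpmime:.*$</gav>
    <cve>CVE-2011-1498</cve>
    <cve>CVE-2014-3577</cve>
    <cve>CVE-2015-5262</cve>
  </suppress>

  <!-- Jetty 8: false positive, the identifier is found in an ehcache POM file
       (see the <notes> of each entry). -->
  <suppress>
    <notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
    <gav regex="true">^org\.eclipse\.jetty:jetty-continuation:.*$</gav>
    <cve>CVE-2017-9735</cve>
    <cve>CVE-2017-7656</cve>
    <cve>CVE-2017-7657</cve>
    <cve>CVE-2017-7658</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
    <gav regex="true">^org\.eclipse\.jetty:jetty-http:.*$</gav>
    <cve>CVE-2017-9735</cve>
    <cve>CVE-2017-7656</cve>
    <cve>CVE-2017-7657</cve>
    <cve>CVE-2017-7658</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
    <gav regex="true">^org\.eclipse\.jetty:jetty-security:.*$</gav>
    <cve>CVE-2017-9735</cve>
    <cve>CVE-2017-7656</cve>
    <cve>CVE-2017-7657</cve>
    <cve>CVE-2017-7658</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
    <gav regex="true">^org\.eclipse\.jetty:jetty-server:.*$</gav>
    <cve>CVE-2017-9735</cve>
    <cve>CVE-2017-7656</cve>
    <cve>CVE-2017-7657</cve>
    <cve>CVE-2017-7658</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
    <gav regex="true">^org\.eclipse\.jetty:jetty-servlet:.*$</gav>
    <cve>CVE-2017-9735</cve>
    <cve>CVE-2017-7656</cve>
    <cve>CVE-2017-7657</cve>
    <cve>CVE-2017-7658</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ ehcache-2.10.0.jar ]]></notes>
    <gav regex="true">^org\.eclipse\.jetty:jetty-util:.*$</gav>
    <cve>CVE-2017-9735</cve>
    <cve>CVE-2017-7656</cve>
    <cve>CVE-2017-7657</cve>
    <cve>CVE-2017-7658</cve>
  </suppress>

  <!-- Jetty 9.4.9
       NOTE(review): the remarks below give "9.4.10 and earlier" as the affected
       range for three of the CVEs, and 9.4.9 lies inside that range. The
       false-positive claim presumably rests on these artifacts (alpn-api, the
       orbit bundles, jetty-schemas) not being the affected Jetty code rather
       than on the version number; confirm and reword the rationale. -->
  <suppress>
    <gav regex="true">^org\.eclipse\.jetty\.alpn:alpn-api:.*$</gav>
    <cve>CVE-2017-9735</cve> <!-- False positive, only affects 9.4.6 and earlier -->
    <cve>CVE-2017-7656</cve> <!-- False positive, only affects 9.4.10 and earlier -->
    <cve>CVE-2017-7657</cve> <!-- False positive, only affects 9.4.10 and earlier -->
    <cve>CVE-2017-7658</cve> <!-- False positive, only affects 9.4.10 and earlier -->
  </suppress>
  <suppress>
    <gav regex="true">^org\.eclipse\.jetty\.orbit:javax\.security\.auth\.message:.*$</gav>
    <cve>CVE-2017-9735</cve> <!-- False positive, only affects 9.4.6 and earlier -->
    <cve>CVE-2017-7656</cve> <!-- False positive, only affects 9.4.10 and earlier -->
    <cve>CVE-2017-7657</cve> <!-- False positive, only affects 9.4.10 and earlier -->
    <cve>CVE-2017-7658</cve> <!-- False positive, only affects 9.4.10 and earlier -->
  </suppress>
  <suppress>
    <gav regex="true">^org\.eclipse\.jetty\.orbit:javax\.mail\.glassfish:.*$</gav>
    <cve>CVE-2017-9735</cve> <!-- False positive, only affects 9.4.6 and earlier -->
    <cve>CVE-2017-7656</cve> <!-- False positive, only affects 9.4.10 and earlier -->
    <cve>CVE-2017-7657</cve> <!-- False positive, only affects 9.4.10 and earlier -->
    <cve>CVE-2017-7658</cve> <!-- False positive, only affects 9.4.10 and earlier -->
  </suppress>
  <suppress>
    <gav regex="true">^org\.eclipse\.jetty\.toolchain:jetty-schemas:.*$</gav>
    <cve>CVE-2007-5613</cve> <!-- False positive, only affects 6.1.6 and earlier -->
    <cve>CVE-2007-5614</cve> <!-- False positive, only affects 6.1.6 and earlier -->
    <cve>CVE-2007-5615</cve> <!-- False positive, only affects 6.1.6 and earlier -->
    <cve>CVE-2017-9735</cve> <!-- False positive, only affects 9.4.6 and earlier -->
    <cve>CVE-2017-7656</cve> <!-- False positive, only affects 9.4.10 and earlier -->
    <cve>CVE-2017-7657</cve> <!-- False positive, only affects 9.4.10 and earlier -->
    <cve>CVE-2017-7658</cve> <!-- False positive, only affects 9.4.10 and earlier -->
  </suppress>

  <!-- Jackson 2.0.2
       The rationales below describe usage conditions ("only if you allow ..."),
       so these read as accepted risks that depend on how the application
       deserializes input, not as false positives. Re-check them whenever the
       deserialization code or configuration changes. -->
  <suppress>
    <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-annotations:.*$</gav>
    <cve>CVE-2017-15095</cve> <!-- Only affects you if you allow deserializing generic classes (Object, Serializable, etc.) -->
    <cve>CVE-2017-17485</cve> <!-- Only affects you if you allow deserializing generic classes (Object, Serializable, etc.) -->
    <cve>CVE-2017-7525</cve> <!-- Only affects you if you allow deserializing generic classes (Object, Serializable, etc.) -->
    <cve>CVE-2018-5968</cve> <!-- No gadgets used, our DTOs are plain DTOs -->
    <cve>CVE-2018-7489</cve> <!-- We don't use c3p0 libraries -->
  </suppress>
  <suppress>
    <!-- NOTE(review): no rationale is recorded on this entry; presumably the
         same as for jackson-annotations above. Confirm, since databind is the
         artifact that performs the deserialization. -->
    <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
    <cve>CVE-2017-15095</cve>
    <cve>CVE-2017-17485</cve>
    <cve>CVE-2017-7525</cve>
    <cve>CVE-2018-5968</cve>
    <cve>CVE-2018-7489</cve>
  </suppress>

  <!-- Spring 4.1
       The per-CVE rationale is written once on the spring-aop entry; the other
       Spring entries list the same eight CVEs.
       NOTE(review): most patterns below start with ^springframework: while
       spring-context and spring-orm start with ^org\.springframework:. Because
       of the ^ anchor the two forms match different group ids. Confirm which
       identifier the scanner reports so that no entry is silently dead or
       broader than intended. -->
  <suppress>
    <gav regex="true">^springframework:spring-aop:.*$</gav>
    <cve>CVE-2015-0201</cve> <!-- The Java SockJS client; we don't use the web sockets client -->
    <cve>CVE-2015-3192</cve> <!-- DoS attacks using a crafted DTD for XML. Open question from the author: where do we use DTDs? NOTE(review): unresolved, answer before relying on this suppression -->
    <cve>CVE-2015-5211</cve> <!-- This only affects downloads where the user could give the name of the file, not the case of the DSS -->
    <cve>CVE-2016-5007</cve> <!-- We don't use spring security to protect controllers -->
    <cve>CVE-2018-1270</cve> <!-- We don't use web sockets endpoints -->
    <cve>CVE-2018-1271</cve> <!-- We don't deploy on Windows -->
    <cve>CVE-2018-1272</cve> <!-- We don't forward user input blindly to create packages from our web client -->
    <cve>CVE-2018-1258</cve> <!-- We don't use the web-security jar -->
  </suppress>
  <suppress>
    <gav regex="true">^springframework:spring-beans:.*$</gav>
    <cve>CVE-2018-1258</cve>
    <cve>CVE-2015-0201</cve>
    <cve>CVE-2015-3192</cve>
    <cve>CVE-2015-5211</cve>
    <cve>CVE-2016-5007</cve>
    <cve>CVE-2018-1270</cve>
    <cve>CVE-2018-1271</cve>
    <cve>CVE-2018-1272</cve>
  </suppress>
  <suppress>
    <gav regex="true">^org\.springframework:spring-context:.*$</gav>
    <cve>CVE-2018-1258</cve>
    <cve>CVE-2015-0201</cve>
    <cve>CVE-2015-3192</cve>
    <cve>CVE-2015-5211</cve>
    <cve>CVE-2016-5007</cve>
    <cve>CVE-2018-1270</cve>
    <cve>CVE-2018-1271</cve>
    <cve>CVE-2018-1272</cve>
  </suppress>
  <suppress>
    <gav regex="true">^springframework:spring-core:.*$</gav>
    <cve>CVE-2018-1258</cve>
    <cve>CVE-2015-0201</cve>
    <cve>CVE-2015-3192</cve>
    <cve>CVE-2015-5211</cve>
    <cve>CVE-2016-5007</cve>
    <cve>CVE-2018-1270</cve>
    <cve>CVE-2018-1271</cve>
    <cve>CVE-2018-1272</cve>
  </suppress>
  <suppress>
    <gav regex="true">^springframework:spring-web:.*$</gav>
    <cve>CVE-2018-1258</cve>
    <cve>CVE-2015-0201</cve>
    <cve>CVE-2015-3192</cve>
    <cve>CVE-2015-5211</cve>
    <cve>CVE-2016-5007</cve>
    <cve>CVE-2018-1270</cve>
    <cve>CVE-2018-1271</cve>
    <cve>CVE-2018-1272</cve>
  </suppress>
  <suppress>
    <gav regex="true">^springframework:spring-webmvc:.*$</gav>
    <cve>CVE-2018-1258</cve>
    <cve>CVE-2015-0201</cve>
    <cve>CVE-2015-3192</cve>
    <cve>CVE-2015-5211</cve>
    <cve>CVE-2016-5007</cve>
    <cve>CVE-2018-1270</cve>
    <cve>CVE-2018-1271</cve>
    <cve>CVE-2018-1272</cve>
  </suppress>
  <suppress>
    <gav regex="true">^springframework:spring-expression:.*$</gav>
    <cve>CVE-2018-1258</cve>
    <cve>CVE-2015-0201</cve>
    <cve>CVE-2015-3192</cve>
    <cve>CVE-2015-5211</cve>
    <cve>CVE-2016-5007</cve>
    <cve>CVE-2018-1270</cve>
    <cve>CVE-2018-1271</cve>
    <cve>CVE-2018-1272</cve>
  </suppress>
  <suppress>
    <gav regex="true">^springframework:spring-tx:.*$</gav>
    <cve>CVE-2018-1258</cve>
    <cve>CVE-2015-0201</cve>
    <cve>CVE-2015-3192</cve>
    <cve>CVE-2015-5211</cve>
    <cve>CVE-2016-5007</cve>
    <cve>CVE-2018-1270</cve>
    <cve>CVE-2018-1271</cve>
    <cve>CVE-2018-1272</cve>
  </suppress>
  <suppress>
    <gav regex="true">^springframework:spring-context-support:.*$</gav>
    <cve>CVE-2018-1258</cve>
    <cve>CVE-2015-0201</cve>
    <cve>CVE-2015-3192</cve>
    <cve>CVE-2015-5211</cve>
    <cve>CVE-2016-5007</cve>
    <cve>CVE-2018-1270</cve>
    <cve>CVE-2018-1271</cve>
    <cve>CVE-2018-1272</cve>
  </suppress>
  <suppress>
    <gav regex="true">^springframework:spring-jdbc:.*$</gav>
    <cve>CVE-2018-1258</cve>
    <cve>CVE-2015-0201</cve>
    <cve>CVE-2015-3192</cve>
    <cve>CVE-2015-5211</cve>
    <cve>CVE-2016-5007</cve>
    <cve>CVE-2018-1270</cve>
    <cve>CVE-2018-1271</cve>
    <cve>CVE-2018-1272</cve>
  </suppress>
  <suppress>
    <gav regex="true">^org\.springframework:spring-orm:.*$</gav>
    <cve>CVE-2018-1258</cve>
    <cve>CVE-2015-0201</cve>
    <cve>CVE-2015-3192</cve>
    <cve>CVE-2015-5211</cve>
    <cve>CVE-2016-5007</cve>
    <cve>CVE-2018-1270</cve>
    <cve>CVE-2018-1271</cve>
    <cve>CVE-2018-1272</cve>
  </suppress>

  <!-- PostgreSQL JDBC -->
  <suppress>
    <gav regex="true">^org\.postgresql:postgresql:.*$</gav>
    <cve>CVE-2017-14798</cve> <!-- Clients can't use JDBC directly and execute their own SQL -->
    <cve>CVE-2018-1115</cve> <!-- We don't use any admin pack -->
    <cve>CVE-2016-7048</cve> <!-- Doesn't apply to the driver -->
  </suppress>

  <!-- Jython (the matched artifact is org.jruby.extras:jaffl).
       The three values are CVE identifiers, so they are listed in <cve>
       elements. They were previously wrapped in <cpe>, where they would be
       evaluated as a CPE pattern and could not match a CPE identifier.
       NOTE(review): no rationale is recorded for these CVEs; add one. -->
  <suppress>
    <gav regex="true">^org\.jruby\.extras:jaffl:.*$</gav>
    <cve>CVE-2010-1330</cve>
    <cve>CVE-2011-4838</cve>
    <cve>CVE-2012-5370</cve>
  </suppress>

</suppressions>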