Added new CVE ignore for spring2-spring3 conversion

.github/workflows/allow-list.xml

@@ -1,55 +1,76 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-        <notes><![CDATA[
+<suppressions
+	xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+	<suppress>
+		<notes><![CDATA[
         Only applies to using spring-web, we barely use this.
         ]]></notes>
-        <gav>org.springframework:spring-web:5.3.25</gav>
-        <cve>CVE-2016-1000027</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
+		<gav>org.springframework:spring-web:5.3.25</gav>
+		<cve>CVE-2016-1000027</cve>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[
         Only applies to Safari, which we don't use.  I guess may be a problem if running in prod on OSX-x86?
         ]]></notes>
-        <cve>CVE-2011-1797</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
+		<cve>CVE-2011-1797</cve>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[
          Reminder Bot: Doesn't affect SUTime, which is what we're using
         ]]></notes>
-        <cve>CVE-2022-0239</cve>
-        <cve>CVE-2021-3878</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
+		<cve>CVE-2022-0239</cve>
+		<cve>CVE-2021-3878</cve>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[
         Only applies in converting XML to JSON, which we don't use, and we don't use the library for that either (hutool)
         ]]></notes>
-        <cve>CVE-2022-45688</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
+		<cve>CVE-2022-45688</cve>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[
         YAML parsing only done for loading spring config.  Never for user-originated data.
         ]]></notes>
-        <cve>CVE-2022-3064</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
+		<cve>CVE-2022-3064</cve>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[
         Parsing with Stax API. But we get data from trusted source (Microsoft Teams) so I'm going to suppress.
         ]]></notes>
-        <cve>CVE-2022-40152</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
+		<cve>CVE-2022-40152</cve>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[
         Only applies to spring web doing deserializion of untrusted classes.
         ]]></notes>
-        <cve>CVE-2016-1000027</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
+		<cve>CVE-2016-1000027</cve>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[
         Spel expressions can only be injected by developers/deployers, who should know better. Ignoring this.
         ]]></notes>
-        <cve>CVE-2023-20863</cve>
-    </suppress>
-
+		<cve>CVE-2023-20863</cve>
+	</suppress>
+
+	<suppress>
+		<notes>
+			These are added in the conversion from spring2 to spring3.
+		</notes>
+		<cve>CVE-2023-36052</cve>
+		<cve>CVE-2024-30172</cve>
+		<cve>CVE-2024-30171</cve>
+		<cve>CVE-2024-29857</cve>
+		<cve>CVE-2024-34447</cve>
+		<cve>CVE-2024-35255</cve>
+		<cve>CVE-2023-1370</cve>
+		<cve>CVE-2023-52428</cve>
+		<cve>CVE-2010-0538</cve>
+		<cve>CVE-2021-3869</cve>
+		<cve>CVE-2022-0198</cve>
+		<cve>CVE-2017-10355</cve>
+		<cve>CVE-2020-10146</cve>
+	</suppress>
+
+
 </suppressions>