<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
False positive. The hazelcast:hazelcast component vulnerabilities are related to Hazelcast IMDG version and not the integration - hazelcast-gcp.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.hazelcast/hazelcast-gcp@.*$</packageUrl>
<cpe>cpe:/a:hazelcast:hazelcast</cpe>
</suppress>
<suppress>
<notes><![CDATA[
False positive. The hazelcast:hazelcast component vulnerabilities are related to Hazelcast IMDG version and not the integration - hazelcast-azure.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.hazelcast/hazelcast-azure@.*$</packageUrl>
<cpe>cpe:/a:hazelcast:hazelcast</cpe>
</suppress>
<suppress>
<notes><![CDATA[
False positive. The hazelcast:hazelcast component vulnerabilities are related to Hazelcast IMDG version and not the integration - hazelcast-wm.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.hazelcast/hazelcast-wm@.*$</packageUrl>
<cpe>cpe:/a:hazelcast:hazelcast</cpe>
</suppress>
<suppress>
<notes><![CDATA[
False positive. The Avatica version is not related to the Calcite version.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.calcite\.avatica/avatica\-core@.*$</packageUrl>
<cpe>cpe:/a:apache:calcite</cpe>
</suppress>
<suppress>
<notes><![CDATA[
False positive. The flaws are related to the Hazelcast version and not to jsurfer.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.hazelcast\.jsurfer/jsurfer\-.*$</packageUrl>
<cpe>cpe:/a:hazelcast:hazelcast</cpe>
</suppress>
<suppress>
<notes><![CDATA[
False positive. The flaws are related to the PostgreSQL version and not to debezium-connector-postgres.
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.debezium/debezium\-connector\-postgres@.*$</packageUrl>
<cpe>cpe:/a:postgresql:postgresql</cpe>
</suppress>
<suppress>
<notes><![CDATA[
False positive. The flaws are related to the Hadoop version and not to the shaded Guava.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-guava@.*$</packageUrl>
<cpe>cpe:/a:apache:hadoop</cpe>
</suppress>
<suppress>
<notes><![CDATA[
False positive. The flaws are related to the Hadoop version and not to the shaded protobuf.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-protobuf_3_7@.*$</packageUrl>
<cpe>cpe:/a:apache:hadoop</cpe>
</suppress>
<suppress>
<notes><![CDATA[
False positive. The flaws are related to the MySQL version and not to the MySQL Binary Log connector.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.github\.shyiko/mysql\-binlog\-connector\-java@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<suppress>
<notes><![CDATA[
False positive. The flaws are related to the MySQL version and not to the MySQL Binary Log connector.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.zendesk/mysql\-binlog\-connector\-java@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<suppress>
<notes><![CDATA[
False positive. The flaws are related to the MySQL version and not to the MySQL Debezium connector.
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.debezium/debezium\-connector\-mysql@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<suppress>
<notes><![CDATA[
False positive. The flaws are related to the WildFly and OpenSSL versions and not to the wildfly-openssl library.
OpenSSL is linked dynamically by wildfly-openssl.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly\.openssl/wildfly\-openssl.*@.*$</packageUrl>
<cpe>cpe:/a:openssl:openssl</cpe>
<cpe>cpe:/a:redhat:openssl</cpe>
<cpe>cpe:/a:redhat:wildfly</cpe>
<cpe>cpe:/a:wildfly:wildfly</cpe>
</suppress>
<suppress>
<notes><![CDATA[
The memory leak was already fixed in wildfly-openssl-1.0.11.Final.jar.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly\.openssl/wildfly\-openssl.*@1\.0\.12.*$</packageUrl>
<cve>CVE-2020-25644</cve>
</suppress>
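<suppress>
<!-- The justification in the note holds only for the 1.2.17.redhat build, so the package URL is
     pinned to it. With a bare "@.*$" these three CVEs would also be hidden for every other
     log4j version, and a future downgrade or re-resolution of the dependency would go unreported.
     Re-check this entry (and the note) whenever the log4j version changes. -->
<notes><![CDATA[
False positive - these log4j CVEs have the fixes present in the version 1.2.17.redhat-00008.
]]></notes>
<packageUrl regex="true">^pkg:maven/log4j/log4j@1\.2\.17\.redhat.*$</packageUrl>
<cve>CVE-2020-9488</cve>
<cve>CVE-2020-9493</cve>
<cve>CVE-2022-23307</cve>
</suppress>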
<suppress>
<notes><![CDATA[
False positive - google-http-client-gson-.*.jar incorrectly identified as gson.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.http\-client/google\-http\-client\-gson@.*$</packageUrl>
<cpe>cpe:/a:google:gson</cpe>
</suppress>
</suppressions>