chore: update suppressions for new false positives (#86)

openrewrite · Dec 8, 2022 · 9aae71b · 9aae71b
1 parent b2bce50
commit 9aae71b
Showing 1 changed file with 17 additions and 7 deletions.
diff --git a/suppressions.xml b/suppressions.xml
@@ -1,12 +1,22 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress until="2022-11-17Z">
+    <suppress until="2023-01-07Z">
         <notes><![CDATA[
-                file name: jackson-databind-2.13.4.jar
-                sev:HIGH
-                In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
-            ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\[email protected].*$</packageUrl>
-        <cve>CVE-2022-42003</cve>
+        file name: woodstox-core-6.3.1.jar
+        Severity: HIGH
+        False positive. We do not use woodstox and it will be updated with the next spring cloud
+        dependencies.
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.woodstox/woodstox\-core@.*$</packageUrl>
+        <vulnerabilityName>CVE-2022-40152</vulnerabilityName>
+    </suppress>
+    <suppress until="2023-01-07Z">
+        <notes><![CDATA[
+            file name: snakeyaml-1.33.jar
+            Severity: HIGH
+            False positive: We are not parsing untrusted user input. Not used in this repository.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
+        <cve>CVE-2022-1471</cve>
     </suppress>
 </suppressions>