From 9aae71b515417871cbd2ea1d5f62acf1ae2bb636 Mon Sep 17 00:00:00 2001
From: Nate Danner <nate@moderne.io>
Date: Thu, 8 Dec 2022 11:43:33 -0800
Subject: [PATCH] chore: update suppressions for new false positives (#86)

---
 suppressions.xml | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/suppressions.xml b/suppressions.xml
index 3222f4c..b2e7f34 100644
--- a/suppressions.xml
+++ b/suppressions.xml
@@ -1,12 +1,22 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress until="2022-11-17Z">
+    <suppress until="2023-01-07Z">
         <notes><![CDATA[
-                file name: jackson-databind-2.13.4.jar
-                sev:HIGH
-                In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
-            ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@2.13.4.*$</packageUrl>
-        <cve>CVE-2022-42003</cve>
+        file name: woodstox-core-6.3.1.jar
+        Severity: HIGH
+        False positive. We do not use woodstox and it will be updated with the next spring cloud
+        dependencies.
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.woodstox/woodstox\-core@.*$</packageUrl>
+        <vulnerabilityName>CVE-2022-40152</vulnerabilityName>
+    </suppress>
+    <suppress until="2023-01-07Z">
+        <notes><![CDATA[
+            file name: snakeyaml-1.33.jar
+            Severity: HIGH
+            False positive: We are not parsing untrusted user input. Not used in this repository.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
+        <cve>CVE-2022-1471</cve>
     </suppress>
 </suppressions>
\ No newline at end of file