Suppress CVEs

2022-11-02 14:33:46 +05:30 · 2022-11-02 14:33:46 +05:30 · ed55baa8fa
parent 8f60ad15b3
commit ed55baa8fa
1 changed files with 55 additions and 3 deletions
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@ -220,6 +220,15 @@
      <cve>CVE-2018-1320</cve>
      <cve>CVE-2019-0205</cve>
  </suppress>
+  <suppress>
+    <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage     -->
+    <notes><![CDATA[
+    file name: jettison-1.*.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.codehaus\.jettison/jettison@1.*$</packageUrl>
+    <cve>CVE-2022-40149</cve>
+    <cve>CVE-2022-40150</cve>
+  </suppress>
  <suppress>
    <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
    <notes><![CDATA[
@ -315,6 +324,13 @@
    <cve>CVE-2019-12399</cve>
    <cve>CVE-2018-17196</cve>
  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: kafka-clients-3.2.0.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka\-clients@.*$</packageUrl>
+    <cve>CVE-2022-34917</cve>
+  </suppress>
  <suppress>
    <!--
      ~ TODO: Fix when Apache Ranger is released with updated log4j
@ -429,8 +445,17 @@
     <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl>
     <cve>CVE-2018-14718</cve>
     <cve>CVE-2018-7489</cve>
+     <cve>CVE-2022-42003</cve>
+     <cve>CVE-2022-42004</cve>
+  </suppress>
+  <suppress>
+    <!-- aliyun-oss -->
+    <notes><![CDATA[
+    file name: ini4j-0.5.4.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.ini4j/ini4j@.*$</packageUrl>
+    <vulnerabilityName>CVE-2022-41404</vulnerabilityName>
  </suppress>
-
  <suppress>
    <!-- Transitive dependency from apache-ranger, latest ranger version 2.1.0 still uses solr 7.7.1-->
    <notes><![CDATA[
@ -633,8 +658,15 @@
   file name: avatica-server-1.17.0.jar
   ]]></notes>
    <cve>CVE-2022-36364</cve>
+    <cve>CVE-2022-39135</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: calcite-core-1.21.0.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.calcite/calcite\-core@.*$</packageUrl>
+    <cve>CVE-2020-13955</cve>
  </suppress>
-
  <suppress>
    <!-- False positive. 42.3.3 is not affected by the CVE. And we don't use Resultset.refreshRow method either  -->
    <notes><![CDATA[
@ -642,5 +674,25 @@
   ]]></notes>
    <cve>CVE-2022-31197</cve>
  </suppress>
-
+  <suppress>
+     <notes><![CDATA[
+     file name: d3-color:2.0.0
+     ]]></notes>
+     <packageUrl regex="true">^pkg:npm/d3\-color@.*$</packageUrl>
+     <vulnerabilityName>1084597</vulnerabilityName>
+   </suppress>
+   <suppress>
+     <notes><![CDATA[
+     file name: protobuf-java-3.11.0.jar
+     ]]></notes>
+     <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
+     <cve>CVE-2022-3171</cve>
+   </suppress>
+   <suppress>
+     <notes><![CDATA[
+     file name: protobuf-java-util-3.11.0.jar
+     ]]></notes>
+     <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java\-util@.*$</packageUrl>
+     <cve>CVE-2022-3171</cve>
+   </suppress>
 </suppressions>