2020-01-26 04:01:51 -05:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
<!--
|
|
|
|
Licensed to the Apache Software Foundation (ASF) under one or more
|
|
|
|
contributor license agreements. See the NOTICE file distributed with
|
|
|
|
this work for additional information regarding copyright ownership.
|
|
|
|
The ASF licenses this file to You under the Apache License, Version 2.0
|
|
|
|
(the "License"); you may not use this file except in compliance with
|
|
|
|
the License. You may obtain a copy of the License at
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
limitations under the License.
|
|
|
|
-->
|
|
|
|
|
|
|
|
<!-- See https://jeremylong.github.io/DependencyCheck/general/suppression.html for usage.
|
|
|
|
Simply view the HTML report generated in ./build/reports/dependency-check-report.html
|
|
|
|
and click the "suppress" button next to the CVE you wish to suppress to copy the xml fragment
|
|
|
|
-->
|
|
|
|
|
|
|
|
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
file name: simple-xml-safe-2.7.1.jar
|
|
|
|
We use a safe fork that fixes this
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/com\.carrotsearch\.thirdparty/simple\-xml\-safe@.*$</packageUrl>
|
|
|
|
<cve>CVE-2017-1000190</cve>
|
|
|
|
</suppress>
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
file name: netty-transport-native-epoll-4.1.29.Final.jar
|
|
|
|
We only use netty as a client towards Zookeeper
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>
|
|
|
|
<cpe>cpe:/a:netty:netty</cpe>
|
|
|
|
</suppress>
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
file name: dirgra-0.3.jar
|
|
|
|
We will sandbox JRuby
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
|
|
|
|
<cpe>cpe:/a:jruby:jruby</cpe>
|
|
|
|
</suppress>
|
2020-01-27 15:03:20 -05:00
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
file name: derby-10.9.1.0.jar
|
|
|
|
Only used in tests and dih-example
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.derby/derby@.*$</packageUrl>
|
|
|
|
<cpe>cpe:/a:apache:derby</cpe>
|
|
|
|
</suppress>
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
file name: derby-10.9.1.0.jar
|
|
|
|
Only used in tests and dih-example
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.derby/derby@.*$</packageUrl>
|
|
|
|
<vulnerabilityName>CVE-2015-1832</vulnerabilityName>
|
|
|
|
</suppress>
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
file name: derby-10.9.1.0.jar
|
|
|
|
Only used in tests and dih-example
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.derby/derby@.*$</packageUrl>
|
|
|
|
<vulnerabilityName>CVE-2018-1313</vulnerabilityName>
|
|
|
|
</suppress>
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
file name: carrot2-guava-18.0.jar
|
|
|
|
Only used with clustering engine, and the risk is DOS attack
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/org\.carrot2\.shaded/carrot2\-guava@.*$</packageUrl>
|
|
|
|
<cpe>cpe:/a:google:guava</cpe>
|
|
|
|
</suppress>
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
file name: carrot2-guava-18.0.jar (shaded: com.google.guava:guava:18.0)
|
|
|
|
Only used with clustering engine, and the risk is DOS attack
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
|
|
|
|
<cve>CVE-2018-10237</cve>
|
|
|
|
</suppress>
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
file name: org.restlet.ext.servlet-2.3.0.jar
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/org\.restlet\.jee/org\.restlet\.ext\.servlet@.*$</packageUrl>
|
|
|
|
<cpe>cpe:/a:restlet:restlet_framework</cpe>
|
|
|
|
</suppress>
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
file name: org.restlet.ext.servlet-2.3.0.jar
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/org\.restlet\.jee/org\.restlet\.ext\.servlet@.*$</packageUrl>
|
|
|
|
<cpe>cpe:/a:restlet:restlet</cpe>
|
|
|
|
</suppress>
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
file name: org.restlet-2.3.0.jar
|
|
|
|
We don't use class SimpleXMLProvider
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/org\.restlet\.jee/org\.restlet@.*$</packageUrl>
|
|
|
|
<cve>CVE-2017-14868</cve>
|
|
|
|
</suppress>
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
file name: org.restlet-2.3.0.jar
|
|
|
|
We don't use class XmlRepresentation
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:maven/org\.restlet\.jee/org\.restlet@.*$</packageUrl>
|
|
|
|
<cve>CVE-2017-14949</cve>
|
|
|
|
</suppress>
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
file name: solr-webapp-9.0.0-SNAPSHOT.war: jquery-2.1.3.min.js
|
|
|
|
This is already being fixed in SOLR-14209 so muting the warning
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
|
|
|
|
<cve>CVE-2015-9251</cve>
|
|
|
|
</suppress>
|
|
|
|
<suppress>
|
|
|
|
<notes><![CDATA[
|
|
|
|
file name: solr-webapp-9.0.0-SNAPSHOT.war: jquery-2.1.3.min.js
|
|
|
|
]]></notes>
|
|
|
|
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
|
|
|
|
<cve>CVE-2019-11358</cve>
|
|
|
|
</suppress>
|
2020-01-26 04:01:51 -05:00
|
|
|
</suppressions>
|