SOLR-11207: Mute warnings for owasp false positives

2025-02-08 11:05:29 +00:00 · 2020-01-27 21:03:20 +01:00 · 2020-01-27 21:03:20 +01:00 · 53f7b394e4
commit 53f7b394e4
parent ff635cf701
1 changed files with 85 additions and 0 deletions
--- a/gradle/validation/owasp-dependency-check/exclusions.xml
+++ b/gradle/validation/owasp-dependency-check/exclusions.xml
@ -46,4 +46,89 @@
    <packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
    <cpe>cpe:/a:jruby:jruby</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[
   file name: derby-10.9.1.0.jar
   Only used in tests and dih-example
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.derby/derby@.*$</packageUrl>
    <cpe>cpe:/a:apache:derby</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[
   file name: derby-10.9.1.0.jar
   Only used in tests and dih-example
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.derby/derby@.*$</packageUrl>
    <vulnerabilityName>CVE-2015-1832</vulnerabilityName>
  </suppress>
  <suppress>
    <notes><![CDATA[
   file name: derby-10.9.1.0.jar
   Only used in tests and dih-example
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.derby/derby@.*$</packageUrl>
    <vulnerabilityName>CVE-2018-1313</vulnerabilityName>
  </suppress>
  <suppress>
    <notes><![CDATA[
   file name: carrot2-guava-18.0.jar
   Only used with clustering engine, and the risk is DOS attack
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.carrot2\.shaded/carrot2\-guava@.*$</packageUrl>
    <cpe>cpe:/a:google:guava</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[
   file name: carrot2-guava-18.0.jar (shaded: com.google.guava:guava:18.0)
   Only used with clustering engine, and the risk is DOS attack
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
    <cve>CVE-2018-10237</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[
   file name: org.restlet.ext.servlet-2.3.0.jar
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.restlet\.jee/org\.restlet\.ext\.servlet@.*$</packageUrl>
    <cpe>cpe:/a:restlet:restlet_framework</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[
   file name: org.restlet.ext.servlet-2.3.0.jar
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.restlet\.jee/org\.restlet\.ext\.servlet@.*$</packageUrl>
    <cpe>cpe:/a:restlet:restlet</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[
   file name: org.restlet-2.3.0.jar
   We don't use class SimpleXMLProvider
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.restlet\.jee/org\.restlet@.*$</packageUrl>
    <cve>CVE-2017-14868</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[
   file name: org.restlet-2.3.0.jar
   We don't use class XmlRepresentation
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.restlet\.jee/org\.restlet@.*$</packageUrl>
    <cve>CVE-2017-14949</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[
   file name: solr-webapp-9.0.0-SNAPSHOT.war: jquery-2.1.3.min.js
   This is already being fixed in SOLR-14209 so muting the warning
   ]]></notes>
    <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
    <cve>CVE-2015-9251</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[
   file name: solr-webapp-9.0.0-SNAPSHOT.war: jquery-2.1.3.min.js
   ]]></notes>
    <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
    <cve>CVE-2019-11358</cve>
  </suppress>
 </suppressions>