SOLR-11207: Mute warnings for owasp false positives

2020-01-27 21:03:20 +01:00 · 2020-01-27 21:03:20 +01:00 · 53f7b394e4
parent ff635cf701
commit 53f7b394e4
1 changed files with 85 additions and 0 deletions
--- a/gradle/validation/owasp-dependency-check/exclusions.xml
+++ b/gradle/validation/owasp-dependency-check/exclusions.xml
@ -46,4 +46,89 @@
    <packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
    <cpe>cpe:/a:jruby:jruby</cpe>
  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: derby-10.9.1.0.jar
+   Only used in tests and dih-example
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.derby/derby@.*$</packageUrl>
+    <cpe>cpe:/a:apache:derby</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: derby-10.9.1.0.jar
+   Only used in tests and dih-example
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.derby/derby@.*$</packageUrl>
+    <vulnerabilityName>CVE-2015-1832</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: derby-10.9.1.0.jar
+   Only used in tests and dih-example
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.derby/derby@.*$</packageUrl>
+    <vulnerabilityName>CVE-2018-1313</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: carrot2-guava-18.0.jar
+   Only used with clustering engine, and the risk is DOS attack
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.carrot2\.shaded/carrot2\-guava@.*$</packageUrl>
+    <cpe>cpe:/a:google:guava</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: carrot2-guava-18.0.jar (shaded: com.google.guava:guava:18.0)
+   Only used with clustering engine, and the risk is DOS attack
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+    <cve>CVE-2018-10237</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: org.restlet.ext.servlet-2.3.0.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.restlet\.jee/org\.restlet\.ext\.servlet@.*$</packageUrl>
+    <cpe>cpe:/a:restlet:restlet_framework</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: org.restlet.ext.servlet-2.3.0.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.restlet\.jee/org\.restlet\.ext\.servlet@.*$</packageUrl>
+    <cpe>cpe:/a:restlet:restlet</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: org.restlet-2.3.0.jar
+   We don't use class SimpleXMLProvider
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.restlet\.jee/org\.restlet@.*$</packageUrl>
+    <cve>CVE-2017-14868</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: org.restlet-2.3.0.jar
+   We don't use class XmlRepresentation
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.restlet\.jee/org\.restlet@.*$</packageUrl>
+    <cve>CVE-2017-14949</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: solr-webapp-9.0.0-SNAPSHOT.war: jquery-2.1.3.min.js
+   This is already being fixed in SOLR-14209 so muting the warning
+   ]]></notes>
+    <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
+    <cve>CVE-2015-9251</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: solr-webapp-9.0.0-SNAPSHOT.war: jquery-2.1.3.min.js
+   ]]></notes>
+    <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
+    <cve>CVE-2019-11358</cve>
+  </suppress>
 </suppressions>