nifi/nifi-dependency-check-maven/suppressions.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements. See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License. You may obtain a copy of the License at
  http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes>NiFi packages contain other project names, which can cause incorrect identification</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
        <cpe regex="true">^cpe:.*$</cpe>
    </suppress>
    <suppress>
        <notes>CVE-2022-45868 requires running H2 from a command not applicable to project references</notes>
        <packageUrl regex="true">^pkg:maven/com\.h2database/h2@2.*$</packageUrl>
        <vulnerabilityName>CVE-2022-45868</vulnerabilityName>
    </suppress>
    <suppress>
        <notes>CVE-2016-1000027 does not apply to Spring Web 5.3.20 and later</notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
        <cve>CVE-2016-1000027</cve>
    </suppress>
    <suppress>
        <notes>CVE-2020-5408 does not apply to Spring Security Crypto 5.7.1 and later</notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
        <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
    </suppress>
    <suppress>
        <notes>Apache Hive vulnerabilities do not apply to Flume Hive Sink</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-hive\-sink@.*$</packageUrl>
        <cpe>cpe:/a:apache:hive</cpe>
    </suppress>
    <suppress>
        <notes>Apache Kafka vulnerabilities do not apply to Flume Kafka Sink</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-kafka\-sink@.*$</packageUrl>
        <cpe>cpe:/a:apache:kafka</cpe>
    </suppress>
    <suppress>
        <notes>Apache Kafka vulnerabilities do not apply to Flume Kafka Source</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sources/flume\-kafka\-source@.*$</packageUrl>
        <cpe>cpe:/a:apache:kafka</cpe>
    </suppress>
    <suppress>
        <notes>Apache Kafka vulnerabilities do not apply to Flume Shared Kafka</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-shared/flume\-shared\-kafka@.*$</packageUrl>
        <cpe>cpe:/a:apache:kafka</cpe>
    </suppress>
    <suppress>
        <notes>Apache HBase vulnerabilities do not apply to Flume HBase Sink</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-hbase\-sink@.*$</packageUrl>
        <cpe>cpe:/a:apache:hbase</cpe>
    </suppress>
    <suppress>
        <notes>Apache Solr vulnerabilities do not apply to Flume Solr Sink</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-morphline\-solr\-sink@.*$</packageUrl>
        <cpe>cpe:/a:apache:solr</cpe>
    </suppress>
    <suppress>
        <notes>CVE-2017-10355 does not apply to Xerces 2.12.2</notes>
        <packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
        <cve>CVE-2017-10355</cve>
    </suppress>
    <suppress>
        <notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite Druid</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$</packageUrl>
        <cve>CVE-2020-13955</cve>
    </suppress>
    <suppress>
        <notes>CVE-2018-8025 applies to HBase Server not HBase Client</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-client@.*$</packageUrl>
        <cve>CVE-2018-8025</cve>
    </suppress>
    <suppress>
        <notes>CVE-2019-0212 applies to HBase Server not HBase Client</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-client@.*$</packageUrl>
        <cve>CVE-2019-0212</cve>
    </suppress>
    <suppress>
        <notes>CVE-2007-6465 applies to Ganglia Server not Ganglia client libraries</notes>
        <packageUrl regex="true">^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$</packageUrl>
        <cve>CVE-2007-6465</cve>
    </suppress>
    <suppress>
        <notes>CVE-2021-43045 applies to the Apache Avro .NET SDK and not to the Java SDK</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.avro/avro@.*$</packageUrl>
        <cve>CVE-2021-43045</cve>
    </suppress>
    <suppress>
        <notes>CVE-2022-31159 applies to AWS S3 library not the SWF libraries</notes>
        <packageUrl regex="true">^pkg:maven/com\.amazonaws/aws\-java\-sdk\-swf\-libraries@.*$</packageUrl>
        <cve>CVE-2022-31159</cve>
    </suppress>
    <suppress>
        <notes>Elasticsearch Server vulnerabilities do not apply to Elasticsearch Plugin</notes>
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.plugin/.*?@7.*$</packageUrl>
        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
    </suppress>
    <suppress>
        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-core</notes>
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-core@7.*$</packageUrl>
        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
    </suppress>
    <suppress>
        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch</notes>
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@7.*$</packageUrl>
        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
    </suppress>
    <suppress>
        <notes>Elasticsearch Server CVE-2020-7009 does not apply to elasticsearch client libraries</notes>
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
        <cve>CVE-2020-7009</cve>
    </suppress>
    <suppress>
        <notes>Elasticsearch Server CVE-2020-7014 does not apply to elasticsearch client libraries</notes>
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
        <cve>CVE-2020-7014</cve>
    </suppress>
    <suppress>
        <notes>CVE-2021-22145 applies to Elasticsearch Server not client libraries</notes>
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@.*$</packageUrl>
        <vulnerabilityName>CVE-2021-22145</vulnerabilityName>
    </suppress>
    <suppress>
        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch libraries</notes>
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-.*?@7.*$</packageUrl>
        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
    </suppress>
    <suppress>
        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client</notes>
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$</packageUrl>
        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
    </suppress>
    <suppress>
        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client-sniffer</notes>
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client-sniffer@.*$</packageUrl>
        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
    </suppress>
    <suppress>
        <notes>CVE-2022-30187 applies to Azure Blob not the EventHubs Checkpoint Store Blob library</notes>
        <packageUrl regex="true">^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$</packageUrl>
        <cve>CVE-2022-30187</cve>
    </suppress>
    <suppress>
        <notes>CVE-2022-39135 applies to Apache Calcite core not the Calcite Druid library</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.calcite/calcite\-druid@.*$</packageUrl>
        <cve>CVE-2022-39135</cve>
    </suppress>
    <suppress>
        <notes>CVE-2018-1000873 applies to Jackson Java 8 Time modules not Jackson Annotations</notes>
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-annotations@.*$</packageUrl>
        <cve>CVE-2018-1000873</cve>
    </suppress>
    <suppress>
        <notes>CVE-2010-1151 applies to mod_auth_shadow in Apache HTTP Server not the FTP server library</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
        <cve>CVE-2010-1151</cve>
    </suppress>
    <suppress>
        <notes>CVE-2018-14335 applies to H2 running with a web server console enabled</notes>
        <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
        <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
    </suppress>
    <suppress>
        <notes>CVE-2023-25613 applies to an LDAP backend class for Apache Kerby not the Token Provider library</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.kerby/token\-provider@.*$</packageUrl>
        <cve>CVE-2023-25613</cve>
    </suppress>
    <suppress>
        <notes>The Jetty Apache JSP library is not subject to Apache Tomcat vulnerabilities</notes>
        <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
        <cpe>cpe:/a:apache:tomcat</cpe>
    </suppress>
    <suppress>
        <notes>Google BigQuery Storage is not the same as the gGRPC framework library</notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-bigquerystorage\-.*$</packageUrl>
        <cpe>cpe:/a:grpc:grpc</cpe>
    </suppress>
    <suppress>
        <notes>Google PubSubLite is not the same as the gRPC framework library</notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-pubsublite\-v1@.*$</packageUrl>
        <cpe>cpe:/a:grpc:grpc</cpe>
    </suppress>
    <suppress>
        <notes>CVE-2020-9040 applies to Couchbase Server not the client library</notes>
        <packageUrl regex="true">^pkg:maven/com\.couchbase\.client/core\-io@.*$</packageUrl>
        <vulnerabilityName>CVE-2020-9040</vulnerabilityName>
    </suppress>
    <suppress>
        <notes>CVE-2022-41881 applies to HA Proxy components in Netty which are not used in Couchbase or other components</notes>
        <packageUrl regex="true">^pkg:maven/io\.netty/.*$</packageUrl>
        <cve>CVE-2022-41881</cve>
    </suppress>
    <suppress>
        <notes>CVE-2021-34538 applies to Apache Hive server not the Storage API library</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.hive/hive\-storage\-api@.*$</packageUrl>
        <cve>CVE-2021-34538</cve>
    </suppress>
    <suppress>
        <notes>CVE-2018-8025 applies to HBase server not the shaded libraries</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.hbase\.thirdparty/hbase\-shaded\-.*$</packageUrl>
        <cve>CVE-2018-8025</cve>
    </suppress>
    <suppress>
        <notes>CVE-2018-8025 applies to HBase Server not HBase libraries</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-.*$</packageUrl>
        <cve>CVE-2018-8025</cve>
    </suppress>
    <suppress>
        <notes>CVE-2019-0212 applies to HBase Server not HBase libraries</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-.*$</packageUrl>
        <cve>CVE-2019-0212</cve>
    </suppress>
    <suppress>
        <notes>Hadoop vulnerabilities do not apply to HBase Hadoop2 compatibility library</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-hadoop2\-compat@.*$</packageUrl>
        <cpe>cpe:/a:apache:hadoop</cpe>
    </suppress>
    <suppress>
        <notes>CVE-2022-45688 applies to hutools-json not org.json</notes>
        <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
        <cve>CVE-2022-45688</cve>
    </suppress>
    <suppress>
        <notes>The Jackson maintainers dispute the applicability of CVE-2023-35116 based on cyclic nature of reported concern</notes>
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
        <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
    </suppress>
    <suppress>
        <notes>CVE-2023-25194 applies to Kafka Connect workers not client libraries</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
        <cve>CVE-2023-25194</cve>
    </suppress>
    <suppress>
        <notes>CVE-2022-34917 applies to Kafka brokers not client libraries</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
        <cve>CVE-2022-34917</cve>
    </suppress>
    <suppress>
        <notes>CVE-2023-25613 applies to the LDAP Identity Backend for Kerby Server which is not used in runtime NiFi configurations</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.kerby/kerb.*?@.*$</packageUrl>
        <cve>CVE-2023-25613</cve>
    </suppress>
    <suppress>
        <notes>CVE-2022-24823 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients</notes>
        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
        <cve>CVE-2022-24823</cve>
    </suppress>
    <suppress>
        <notes>CVE-2022-41915 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients</notes>
        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
        <cve>CVE-2022-41915</cve>
    </suppress>
</suppressions>