forked from hmcts/idam-web-public
dependency-check-suppressions.xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<!-- This affects Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and
possibly other Linux distributions, none of which overlap with our Prod environment. -->
<suppress>
<notes><![CDATA[
file name: tomcat-annotations-api-8.5.29.jar
]]></notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
<cve>CVE-2016-5425</cve>
</suppress>
<!-- This affects Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and
JBoss EWS 2, none of which overlap with our Prod environment. -->
<suppress>
<notes><![CDATA[
file name: tomcat-annotations-api-8.5.29.jar
]]></notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
<cve>CVE-2016-6325</cve>
</suppress>
<!-- This affects Debian and Ubuntu, neither of which overlaps with our Prod environment. -->
<suppress>
<notes><![CDATA[
file name: tomcat-annotations-api-8.5.29.jar
]]></notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
<cve>CVE-2017-6056</cve>
</suppress>
<!-- This CVE is about Drupal and has no clear link with Java. -->
<suppress>
<notes><![CDATA[
file name: mapstruct-1.1.0.Final.jar
]]></notes>
<gav regex="true">^org\.mapstruct:mapstruct:.*$</gav>
<cve>CVE-2013-4499</cve>
</suppress>
<!-- This CVE concerns JSTL used in conjunction with XML/XSLT tags; we do not use those tags.
Note that the catch-all gav regex below suppresses this CVE for every artifact, not only jstl-1.2.jar. -->
<suppress>
<notes><![CDATA[
file name: jstl-1.2.jar
]]></notes>
<gav regex="true">^.*$</gav>
<cve>CVE-2015-0254</cve>
</suppress>
<!-- This CVE is about Spring Security in combination with Spring Framework 5.0.5.RELEASE - we do not use
Spring 5 -->
<suppress>
<notes><![CDATA[
This suppresses false positives identified on Spring Security.
]]></notes>
<gav regex="true">^org\.springframework:spring-.*$</gav>
<cve>CVE-2018-1258</cve>
</suppress>
<!-- This CVE concerns Java serialization in Guava. -->
<suppress>
<notes><![CDATA[
This suppresses false positives identified on Guava
]]></notes>
<gav regex="true">^com\.google\.guava:guava:.*$</gav>
<cve>CVE-2018-10237</cve>
</suppress>
<!-- This CVE is about EventData in Slf4j -->
<suppress>
<notes><![CDATA[
This suppresses false positives identified on Slf4j
]]></notes>
<gav regex="true">^.*slf4j.*$</gav>
<cve>CVE-2018-8088</cve>
</suppress>
<!-- Ignored as we don't do XML parsing. -->
<suppress>
<notes><![CDATA[
file name: javax.json-api-1.1.x.jar
]]></notes>
<gav regex="true">^javax\.json:javax\.json-api:1\.1.*$</gav>
<cve>CVE-2018-1000840</cve>
</suppress>
<!-- Ignored. -->
<suppress>
<notes><![CDATA[
file name: pmd-java-5.6.1.jar
]]></notes>
<gav regex="true">^net\.sourceforge\.pmd:pmd-java:.*$</gav>
<cve>CVE-2019-7722</cve>
</suppress>
<!-- Ignored. -->
<suppress>
<notes><![CDATA[
file name: pmd-core-5.6.1.jar
]]></notes>
<gav regex="true">^net\.sourceforge\.pmd:pmd-core:.*$</gav>
<cve>CVE-2019-7722</cve>
</suppress>
<!-- Suppressed as an apparent false positive, per https://github.com/jeremylong/DependencyCheck/issues/1573 -->
<suppress>
<notes><![CDATA[Shadowed dependency from AppInsights]]></notes>
<gav regex="true">^io\.netty:netty-tcnative-boringssl-static:2\.0\.17\.Final$</gav>
<cve>CVE-2014-3488</cve>
<cve>CVE-2015-2156</cve>
</suppress>
<!-- https://github.com/jeremylong/DependencyCheck/issues/1573
false positive matching on the netty name; note that the catch-all gav regex below suppresses these CVEs for every artifact -->
<suppress>
<notes>suppress false positives matching just the netty name</notes>
<gav regex="true">^.*$</gav>
<cve>CVE-2014-3488</cve>
<cve>CVE-2016-4970</cve>
<cve>CVE-2015-2156</cve>
</suppress>
<!-- Ignored since we are not using Spring Framework 5.0.5 -->
<suppress>
<notes>suppress false positives - only relevant to spring.framework 5.0.5</notes>
<gav regex="true">^org\.springframework\.security:spring-security.*$</gav>
<cve>CVE-2018-1258</cve>
</suppress>
<!--
This vulnerability can only be exploited if the MySQL connector is on the application classpath,
hence not relevant to us.
-->
<suppress>
<notes>suppress false positives - only relevant if mysql connector is in the classpath</notes>
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind.*$</gav>
<cve>CVE-2019-12086</cve>
</suppress>
<!--
This vulnerability can only be exploited if ehcache is on the application classpath,
hence not relevant to us.
-->
<suppress>
<notes>only relevant if ehcache is used</notes>
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind.*$</gav>
<cve>CVE-2019-14379</cve>
</suppress>
<!--
This vulnerability can only be exploited if default typing is enabled on the ObjectMapper.
-->
<suppress>
<notes>only relevant if objectMapper.enableDefaultTyping</notes>
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind.*$</gav>
<cve>CVE-2019-14439</cve>
</suppress>
<suppress>
<notes>suppress false positives - only relevant to tomcat &lt;= 8.4</notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
<cve>CVE-2000-0672</cve>
<cve>CVE-2000-0760</cve>
<cve>CVE-2000-1210</cve>
<cve>CVE-2001-0590</cve>
<cve>CVE-2002-0493</cve>
<cve>CVE-2002-1148</cve>
<cve>CVE-2002-2006</cve>
<cve>CVE-2003-0042</cve>
<cve>CVE-2003-0043</cve>
<cve>CVE-2003-0044</cve>
<cve>CVE-2003-0045</cve>
<cve>CVE-2005-4838</cve>
<cve>CVE-2006-7196</cve>
<cve>CVE-2007-0450</cve>
<cve>CVE-2007-1358</cve>
<cve>CVE-2007-2449</cve>
<cve>CVE-2008-0128</cve>
<cve>CVE-2009-2696</cve>
<cve>CVE-2009-3548</cve>
<cve>CVE-2012-5568</cve>
<cve>CVE-2013-2185</cve>
<cve>CVE-2013-4286</cve>
<cve>CVE-2013-4322</cve>
<cve>CVE-2013-4444</cve>
<cve>CVE-2005-0808</cve>
<cve>CVE-2013-4590</cve>
<cve>CVE-2013-6357</cve>
<cve>CVE-2014-0075</cve>
<cve>CVE-2014-0096</cve>
<cve>CVE-2014-0099</cve>
<cve>CVE-2014-0119</cve>
<cve>CVE-2016-5388</cve>
</suppress>
<!--
This should not apply to the project as this package is only used in testing.
-->
<suppress>
<notes>
https://www.cvedetails.com/cve/CVE-2019-15052/
The HTTP client in the Build tool in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.
This should not apply to the project as this package is only used in testing.
</notes>
<gav regex="true">^info\.solidsoft\.gradle\.pitest:gradle-pitest-plugin:1\.3\.0$</gav>
<cve>CVE-2019-15052</cve>
<cve>CVE-2019-16370</cve>
</suppress>
<!--
This vulnerability can only be exploited if polymorphic typing is enabled on the default
object mapper, hence not relevant to us.
-->
<suppress>
<notes>suppress false positives - This vulnerability can only be exploited if polymorphic typing
is enabled on the default object mapper, hence not relevant to us.</notes>
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind.*$</gav>
<cve>CVE-2019-16335</cve>
<cve>CVE-2019-14540</cve>
<cve>CVE-2019-16942</cve>
<cve>CVE-2019-16943</cve>
<cve>CVE-2019-17267</cve>
<cve>CVE-2019-17531</cve>
</suppress>
<!--
Temporary suppression, ONLY UNTIL 2019-10-01: no non-vulnerable version of this package is available yet.
-->
<suppress>
<notes>
https://www.cvedetails.com/cve/CVE-2019-12384/
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
</notes>
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.9\.9.*$</gav>
<cve>CVE-2019-12384</cve>
<cve>CVE-2019-12814</cve>
<cve>CVE-2019-16942</cve>
<cve>CVE-2019-16943</cve>
</suppress>
<!--
This can only be exploited if file upload is used, hence not relevant to us.
-->
<suppress>
<notes>
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
</notes>
<gav regex="true">^org\.apache\.tomcat\.embed:tomcat-embed-.+:9\.0\.34.*$</gav>
<cve>CVE-2020-9484</cve>
</suppress>
<!--
These only apply if we were using WebSockets or HTTP/2 h2c.
-->
<suppress>
<notes>
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13934
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13935
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
</notes>
<gav regex="true">^org\.apache\.tomcat\.embed:tomcat-embed-.+:9\.0\.36.*$</gav>
<cve>CVE-2020-13934</cve>
<cve>CVE-2020-13935</cve>
</suppress>
</suppressions>