.dependency-check-suppressions.xml

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress>
      <notes><![CDATA[
      Ignore Openfire for the search jar, else dependency-check picks up every Openfire CVE since Openfire v1.7.2
        file name: search.jar: search-1.7.2.jar
   ]]>      </notes>
      <packageUrl regex="true">^pkg:maven/org\.igniterealtime\.openfire\.plugins/search@.*$</packageUrl>
      <cpe>cpe:/a:igniterealtime:openfire</cpe>
   </suppress>
   <suppress>
      <notes><![CDATA[
      Ignore Openfire for the search jar, else dependency-check picks up every Openfire CVE since Openfire v1.7.2
   file name: search.jar: search-1.7.2.jar
   ]]>      </notes>
      <packageUrl regex="true">^pkg:maven/org\.igniterealtime\.openfire\.plugins/search@.*$</packageUrl>
      <cpe>cpe:/a:ignite_realtime:openfire</cpe>
   </suppress>
   <suppress>
      <notes><![CDATA[
      Ignore tag_project:tag - it's an MP3 tagging tool, and nothing to do with Apache Taglibs.
   file name: taglibs-standard-impl-1.2.5.jar
   ]]>      </notes>
      <packageUrl regex="true">^pkg:maven/org\.apache\.taglibs/taglibs\-standard\-impl@.*$</packageUrl>
      <cpe>cpe:/a:tag_project:tag</cpe>
   </suppress>
    <suppress>
        <notes><![CDATA[
       Ignore an old CVE related to permissions when calling com.google.common.io.Files.createTempDir - we don't use this method
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
        <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
    </suppress>
    <suppress>
        <notes><![CDATA[
        Ignore a CVE related only to Jetty's CGI servlet, which isn't used in Openfire.
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-servlets@.*$</packageUrl>
        <vulnerabilityName>CVE-2023-36479</vulnerabilityName>
    </suppress>
    <suppress>
        <notes><![CDATA[
        Ignore a withdrawn CVE (see https://github.com/joker-xiaoyan/XXE-SAXReader/issues/1 and https://github.com/dom4j/dom4j/issues/171#issuecomment-1781547256)
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.dom4j/dom4j@.*$</packageUrl>
        <cve>CVE-2023-45960</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        Suppress eclipse:jetty issues for jetty-servlet-api@4.0.x since it's incorrectly pulling in all Jetty issues after Jetty v4, whereas jetty-servlet-api v4 is included in Jetty v10.
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-servlet\-api@4\.0\..*$</packageUrl>
        <cpe>cpe:/a:eclipse:jetty</cpe>
    </suppress>
    <suppress>
        <notes><![CDATA[
        Suppress jetty:jetty issues for jetty-servlet-api@4.0.x since it's incorrectly pulling in all Jetty issues after Jetty v4, whereas jetty-servlet-api v4 is included in Jetty v10.
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-servlet\-api@4\.0\..*$</packageUrl>
        <cpe>cpe:/a:jetty:jetty</cpe>
    </suppress>
    <suppress>
        <notes><![CDATA[
        Ignore CVE about Netty defaults for hostname validation, since Openfire implements its own configurable hostname validation.
   ]]></notes>
        <cve>CVE-2023-4586</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        Ignore a CVE regarding Tomcat clustering, which isn't used in Openfire.
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
        <cve>CVE-2022-29885</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        Rapid Reset was fixed in Jetty 10.0.18, which brings in this dependency.
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
        <cve>CVE-2023-44487</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        Openfire doesn't persist sessions via Tomcat FileStore (or anything else, beyond preferences)
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
        <cve>CVE-2022-23181</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        Openfire doesn't make use of the example webapp in Tomcat
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
        <cve>CVE-2022-34305</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        Openfire doesn't use the ROOT webapp. Additional testing on 2023-11-13 against 7a53b23e565cdf06a541af82560a6c49d6c9d2ae.
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
        <cve>CVE-2023-41080</cve>
    </suppress>
</suppressions>