Add suppressions for unintended CVEs

mullvad · Sep 24, 2024 · 34189cf · 34189cf
1 parent 7561229
commit 34189cf
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 1 deletion.
diff --git a/android/build.gradle.kts b/android/build.gradle.kts
@@ -109,7 +109,11 @@ allprojects {
 
     configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
         failBuildOnCVSS = 0F // All severity levels
-        suppressionFile = "${rootProject.projectDir}/config/dependency-check-suppression.xml"
+        suppressionFiles =
+            listOf(
+                "${rootProject.projectDir}/config/dependency-check-suppression.xml",
+                "${rootProject.projectDir}/config/dependency-check-suppression-agp-fixes.xml",
+            )
     }
 
     configure<com.ncorti.ktfmt.gradle.KtfmtExtension> {

diff --git a/android/config/dependency-check-suppression-agp-fixes.xml b/android/config/dependency-check-suppression-agp-fixes.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress until="2024-12-01Z">
+        <notes><![CDATA[
+        This and all other supressions in this file are for dependencies only used for tests.
+        These should be excluded by the plugin but this behaviour is broken.
+        Added here until we can fix the plugin behaviour.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.netty/.*@.*$</packageUrl>
+        <cve>CVE-2022-41881</cve>
+        <cve>CVE-2023-44487</cve>
+        <cve>CVE-2023-34462</cve>
+        <cve>CVE-2022-24823</cve>
+        <cve>CVE-2024-29025</cve>
+        <cve>CVE-2022-41915</cve>
+    </suppress>
+    <suppress until="2024-12-01Z">
+        <notes><![CDATA[
+        This and all other supressions in this file are for dependencies only used for tests.
+        These should be excluded by the plugin but this behaviour is broken.
+        Added here until we can fix the plugin behaviour.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/.*@.*$</packageUrl>
+        <cve>CVE-2024-7254</cve>
+        <cve>CVE-2022-3171</cve>
+        <cve>CVE-2022-3510</cve>
+        <cve>CVE-2021-22569</cve>
+    </suppress>
+    <suppress until="2024-12-01Z">
+        <notes><![CDATA[
+        This and all other supressions in this file are for dependencies only used for tests.
+        These should be excluded by the plugin but this behaviour is broken.
+        Added here until we can fix the plugin behaviour.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com.google.guava/guava@.*$</packageUrl>
+        <cve>CVE-2023-2976</cve>
+        <cve>CVE-2020-8908</cve>
+    </suppress>
+</suppressions>
+