suppressions.xml

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        files: spring-aop.jar, spring-beans.jar, spring-context.jar, spring-core.jar, spring-jcl.jar, spring-messaging.jar, spring-web.jar, spring-webflux.jar, spring-context-support.jar, spring-jdbc.jar, spring-webmvc.jar, spring-websocket.jar
        sev: CRITICAL
        CVE-2016-1000027
        False positive. Affects Spring 5.3.16 up to 6.0 exposed HTTP Invoker endpoints to untrusted clients.  We're not using HttpInvokerServiceExporter and do not have any exposed HTTP Invoker endpoints.
     ]]></notes>
        <gav regex="true">org\.springframework:spring.*</gav>
        <cve>CVE-2016-1000027</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: spring-security-crypto-5.7.1.jar
        sev: MEDIUM
        False positive. Affects Spring Security Crypto versions Prior to these 5.3.2, 5.2.4, 5.1.10, 5.0.16 and 4.2.16
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
        <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
    </suppress>
    <suppress>
        <notes><![CDATA[
   false positive -
   @see https://github.com/jeremylong/DependencyCheck/issues/4675
   file name: jakarta.servlet-api-4.0.4.jar
   ]]></notes>
        <cve>CVE-2022-31569</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
   file name: spring-data-mongodb-2.2.12.RELEASE.jar
   ]]>
            comming in via rewrite-spring.
            required to be able to migrate away from the vulnerable dependencies
        </notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework\.data/spring-data-mongodb@.*$</packageUrl>
        <cve>CVE-2022-22980</cve>
    </suppress>
    <suppress until="2024-11-25Z">
        <notes><![CDATA[
            file name: rewrite-testing-frameworks-2.20.0-SNAPSHOT.jar: wiremock-jre8-2.35.0.jar: swagger-ui-bundle.js
            false positive: js library that is shipped as part of this jar
        ]]></notes>
        <packageUrl regex="true">^pkg:javascript/DOMPurify@.*$</packageUrl>
        <vulnerabilityName>CVE-2024-45801</vulnerabilityName>
    </suppress>
</suppressions>