8000 Add suppression for non-Clojure lib CVE FPs by kelvinqian00 · Pull Request #100 · yetanalytics/xapipe · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Add suppression for non-Clojure lib CVE FPs #100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Jan 31, 2024
Merged

Add suppression for non-Clojure lib CVE FPs #100

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e7a0e77
Add suppression for non-Clojure lib CVE FPs
kelvinqian00 Jan 31, 2024
7630b03
Remove core.async suppression
kelvinqian00 Jan 31, 2024
e67f2ba
Remove priority-map suppressions
kelvinqian00 Jan 31, 2024
af14bf6
Remove apache-commons suppression
kelvinqian00 Jan 31, 2024
3fe1292
Remove java-json suppression
kelvinqian00 Jan 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 5 additions & 55 deletions .nvd/suppression.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,62 +1,12 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- This CVE is valid for Clojure before 1.8.0, but is a FP for other libs -->
<suppress>
<notes><![CDATA[
file name: core.async-1.5.648.jar
all packages except for org.clojure/clojure
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.clojure/core\.async@.*$</packageUrl>
<cpe>cpe:/a:async_project:async</cpe>
</suppress>
<!-- The next 2 are false positives on clj/cljs priority map -->
<suppress>
<notes><![CDATA[
file name: cljs-priority-map-1.2.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/tailrecursion/cljs\-priority\-map@.*$</packageUrl>
<cpe>cpe:/a:priority-software:priority</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: data.priority-map-1.1.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.clojure/data\.priority\-map@.*$</packageUrl>
<cpe>cpe:/a:priority-software:priority</cpe>
</suppress>
<!-- The following FP will be addressed in DependencyCheck v7.4.1 -->
<suppress base="true">
<notes><![CDATA[
FP per issue #5121 - fix for commons
]]></notes>
<packageUrl regex="true">^(?!pkg:maven/commons-net/commons-net).*$</packageUrl>
<cpe>cpe:/a:apache:commons_net</cpe>
</suppress>
<!-- The following are FPs since the CVE affects java-json which is not a dep -->
<suppress>
<notes><![CDATA[
file name: jackson-core-2.14.0-rc1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
<cve>CVE-2022-45688</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: jakarta.json-2.0.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish/jakarta\.json@.*$</packageUrl>
<cve>CVE-2022-45688</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: javax.json-1.0.4.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish/javax\.json@.*$</packageUrl>
<cve>CVE-2022-45688</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: jsonld-java-0.13.4.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.github\.jsonld\-java/jsonld\-java@.*$</packageUrl>
<cve>CVE-2022-45688</cve>
<packageUrl regex="true">^pkg:maven\/(?!org\.clojure\/clojure).*$</packageUrl>
<cpe>cpe:/a:clojure:clojure</cpe>
<cve>CVE-2017-20189</cve>
</suppress>
</suppressions>
0