-
Notifications
You must be signed in to change notification settings - Fork 93
/
dependencyCheckSuppressions.xml
119 lines (110 loc) · 4.65 KB
/
dependencyCheckSuppressions.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- You can add <suppress>...</suppress> entries in here. -->
<!-- Ignore CVE-2020-8908: Used by exoplayer, but vulnerable code (createTempDir)
is not used. -->
<suppress>
<notes><![CDATA[
file name: guava-27.1-android.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
<cve>CVE-2020-8908</cve>
</suppress>
<!-- Ignore CVE-2021-29425: Vulnerable code (FileNameUtils.normalize) not used. -->
<suppress>
<notes><![CDATA[
file name: commons-io-2.6.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl>
<cve>CVE-2021-29425</cve>
</suppress>
<!-- Ignore CVE-2018-20200: It requires hooking into the running application, CVE is disputed.
https://github.com/square/okhttp/issues/4967 -->
<suppress>
<notes><![CDATA[
file name: okhttp-3.12.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp3/okhttp@.*$</packageUrl>
<cve>CVE-2018-20200</cve>
</suppress>
<!-- Ignore CVEs against netty <4.1.44, even though at the time of this writing, only 4.1.72+
is being used. -->
<suppress>
<notes><![CDATA[
file name: core-0.0.8-alpha08.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.testing\.platform/core@.*$</packageUrl>
<cve>CVE-2019-20444</cve>
</suppress>
<!-- Ignore CVE-2023-2976 against guava. Seems to affect only Android ICS as well as
potentially developers' machines (which isn't really a realistic threat scenario here). -->
<suppress>
<notes><![CDATA[
file name: guava-31.1-jre.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
<cve>CVE-2023-2976</cve>
</suppress>
<!-- Ignore CVE-2023-32697. The issue here is that RCE is possible through an SQLite JDBC URL.
Since databases are hardcoded in the Android app, and JDBC URLs (or parts used in the URL)
are not user-supplied, this shouldn't affect us. -->
<suppress>
<notes><![CDATA[
file name: sqlite-jdbc-3.36.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.xerial/sqlite\-jdbc@.*$</packageUrl>
<cve>CVE-2023-32697</cve>
</suppress>
<!-- Ignore wrong matches. -->
<suppress>
<packageUrl regex="true">^pkg:maven/org\.saltyrtc/saltyrtc\-task\-webrtc@.*$</packageUrl>
<cpe>cpe:/a:webrtc_project:webrtc</cpe>
</suppress>
<suppress>
<packageUrl regex="true">^pkg:maven/org\.saltyrtc/saltyrtc\-task\-webrtc@.*$</packageUrl>
<cpe>cpe:/a:tasks:tasks</cpe>
</suppress>
<suppress>
<packageUrl regex="true">^pkg:maven/com\.huawei\.hmf/tasks@.*$</packageUrl>
<cpe>cpe:/a:tasks:tasks</cpe>
</suppress>
<suppress>
<packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib@.*$</packageUrl>
<cpe>cpe:/a:jetbrains:kotlin</cpe>
</suppress>
<suppress>
<packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib\-common@.*$</packageUrl>
<cpe>cpe:/a:jetbrains:kotlin</cpe>
</suppress>
<suppress>
<packageUrl regex="true">^pkg:maven/com\.google\.devtools\.ksp/symbol\-processing\-api@.*$</packageUrl>
<cpe>cpe:/a:processing:processing</cpe>
</suppress>
<suppress>
<packageUrl regex="true">^pkg:maven/androidx\.room/room\-compiler\-processing@.*$</packageUrl>
<cpe>cpe:/a:processing:processing</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: core-0.0.8-alpha08.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.testing\.platform/core@.*$</packageUrl>
<cpe>cpe:/a:netty:netty</cpe>
</suppress>
<!-- Ignore CVE-2014-9152. The cve relates to drupal which is irrelevant for an android app -->
<suppress>
<notes><![CDATA[
file name: storage-1.4.2.aar
]]></notes>
<packageUrl regex="true">^pkg:maven/androidx\.test\.services/storage@.*$</packageUrl>
<cpe>cpe:/a:services_project:services</cpe>
</suppress>
<!-- Ignore CVE-2015-3362. The cve relates to drupal which is irrelevant for an android app -->
<suppress>
<notes><![CDATA[
file name: camera-video-1.3.2.aar
]]></notes>
<packageUrl regex="true">^pkg:maven/androidx\.camera/camera\-video@.*$</packageUrl>
<cpe>cpe:/a:video_project:video</cpe>
</suppress>
</suppressions>