-
-
Notifications
You must be signed in to change notification settings - Fork 113
/
Copy path.nvd-suppressions.xml
57 lines (48 loc) · 1.97 KB
/
.nvd-suppressions.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
file name: jackson-databind-2.15.2.jar
This is only triggered if you feed jackson circular input. See
https://github.com/FasterXML/jackson-databind/issues/3972.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<cve>CVE-2023-35116</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: snakeyaml-1.33.jar
This only impacts deserialization, and we only serialize yaml. We would have
to upgrade to SnakeYAML 2.0 to address this, and we use SnakeYAML via
ring-middleware-format, which does not support v2.0.
See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in
for a discussion of the CVE.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
<cve>CVE-2022-1471</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE only impacts programs using Clojure < 1.9.0, and gets reported for any jar
that has a lower Clojure in its pom, even if the project being checked is using a
newer Clojure (as we are).
]]></notes>
<cve>CVE-2017-20189</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE only impacts usage of Jetty's HttpURI directly, and we don't use it. We can't
upgrade to get rid of this CVE as it requires upgrading to Jetty 12, which ring does not
yet support (we are are 11 currently).
]]></notes>
<cve>CVE-2024-6763</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE only impacts projects using http replication, which we don't do. We can't
upgrade to get rid of this CVE without rebuilding our indexing code, as it requires
upgrading to Lucene 9 (we are on 8 currently).
]]></notes>
<cve>CVE-2024-45772</cve>
</suppress>
</suppressions>