odlparent-dependency-check/owasp-suppressions.xml

   1 <?xml version="1.0" encoding="UTF-8"?>
   2 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
   3     <suppress>
   4         <!-- json isn’t affected by CVE-2008-0732 which is a SUSE-specific init script bug -->
   5         <notes><![CDATA[
   6    file name: json-20090211_1.jar
   7    ]]></notes>
   8         <gav regex="true">^org\.apache\.geronimo\.bundles:json:.*$</gav>
   9         <cve>CVE-2008-0732</cve>
  10     </suppress>
  11     <suppress>
  12         <!-- This isn’t git -->
  13         <gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
  14         <cpe>cpe:/a:git:git</cpe>
  15     </suppress>
  16     <suppress>
  17         <!-- We’ve fixed CVE-2015-1778 -->
  18         <gav regex="true">^org\.opendaylight\..*$</gav>
  19         <cve>CVE-2015-1778</cve>
  20     </suppress>
  21     <suppress>
  22         <!-- RC4... -->
  23         <notes><![CDATA[
  24    file name: jaxb-api-2.2.2.jar
  25    ]]></notes>
  26         <gav regex="true">^javax\.xml\.bind:jaxb-api:.*$</gav>
  27         <cpe>cpe:/a:oracle:glassfish</cpe>
  28     </suppress>
  29     <suppress>
  30         <!-- Fixed after Pax 20140703 -->
  31         <gav regex="true">^org\.ops4j\.pax\..*$</gav>
  32         <cve>CVE-2015-1193</cve>
  33     </suppress>
  34     <suppress>
  35         <!-- Fixed after Pax 20140703 -->
  36         <gav regex="true">^org\.ops4j\.pax\..*$</gav>
  37         <cve>CVE-2015-1194</cve>
  38     </suppress>
  39     <suppress>
  40         <!-- 9.2.22 fixes CVE-2017-9735 -->
  41         <gav regex="true">^org\.eclipse\.jetty:.*$</gav>
  42         <cve>CVE-2017-9735</cve>
  43     </suppress>
  44 </suppressions>