Feature: Update libs (#59)
* updating siv-mode and bouncycastle
* cleanup cve suppression list
infeo authored Apr 16, 2024
1 parent 9ae2f62 commit b538d03
Showing 2 changed files with 9 additions and 39 deletions.
6 changes: 3 additions & 3 deletions pom.xml
Expand Up @@ -20,8 +20,8 @@
<!-- dependencies -->
<gson.version>2.10.1</gson.version>
<guava.version>33.1.0-jre</guava.version>
<siv-mode.version>1.5.0</siv-mode.version>
<bouncycastle.version>1.70</bouncycastle.version>
<siv-mode.version>1.5.2</siv-mode.version>
<bouncycastle.version>1.78</bouncycastle.version>
<slf4j.version>2.0.12</slf4j.version>

<!-- test dependencies -->
Expand Down Expand Up @@ -63,7 +63,7 @@

<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
<artifactId>bcpkix-jdk18on</artifactId>
<version>${bouncycastle.version}</version>
<!-- see maven-shade-plugin; we don't want this as a transitive dependency in other projects -->
<optional>true</optional>
42 changes: 6 additions & 36 deletions suppression.xml
Expand Up @@ -3,51 +3,21 @@
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
Incorrectly matched CPE
]]></notes>
Incorrectly matched CPE
]]>
</notes>
<gav regex="true">org\.cryptomator:.*</gav>
<cpe>cpe:/a:cryptomator:cryptomator</cpe>
<cve>CVE-2022-25366</cve>
</suppress>

<suppress>
<notes><![CDATA[
Suppress false positive, because com.google.common.io.Files.getTempDir() is not used
]]></notes>
Suppress false positive, because com.google.common.io.Files.getTempDir() is not used
]]>
</notes>
<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
<vulnerabilityName>CVE-2020-8908</vulnerabilityName>
<cve>CVE-2020-8908</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: bcutil-jdk15on-1.70.jar
reason: vulnerable PEMParser not used.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcutil\-jdk15on@.*$</packageUrl>
<cve>CVE-2023-33202</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: bcpkix-jdk15on-1.70.jar
reason: vulnerable PEMParser not used.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcpkix\-jdk15on@.*$</packageUrl>
<cve>CVE-2023-33202</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: bcprov-jdk15on-1.70.jar
reason: vulnerable PEMParser not used.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcprov\-jdk15on@.*$</packageUrl>
<cve>CVE-2023-33202</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: bcprov-jdk15on-1.70.jar
reason: Library does not use LDAP CertStore from Bouncy Castle to validate X.509 certificates
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcprov\-jdk15on@.*$</packageUrl>
<vulnerabilityName>CVE-2023-33201</vulnerabilityName>
</suppress>
</suppressions>
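Review bot: The two suppressions that survive the cleanup (CVE-2022-25366 for the cryptomator CPE and CVE-2020-8908 for guava) are open-ended: neither carries an expiry, so the justification "Files.getTempDir() is not used" is never re-checked once written, and the guava rule matches every version via `@.*$`. The dependency-suppression 1.3 schema referenced on the root element supports an `until` date on `<suppress>`; I would write `<suppress until="2025-04-16">` on both so the scanner resurfaces the findings after a year and forces the reason to be re-validated against the code. It would also help to state in each note what would invalidate the suppression, e.g. `Re-check if any code path starts calling com.google.common.io.Files.createTempDir()/getTempDir()`. Removing the Bouncy Castle suppressions is consistent with the pom moving to 1.78 in this commit, but that reasoning lives only in the commit message; a one-line comment such as `<!-- BC CVE-2023-33201/33202 suppressions dropped: fixed by upgrading to bcpkix-jdk18on 1.78 -->` would keep the history in the file itself.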
