False positive for CVE-2024-35255 - fixed in the latest SDK version f…

…rom MS but still being flagged
finos · Jul 1, 2024 · 45ad02a · 45ad02a
1 parent f90eed2
commit 45ad02a
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/dev/compliance/owasp-false-positives.xml b/dev/compliance/owasp-false-positives.xml
@@ -280,4 +280,24 @@
         <vulnerabilityName>CVE-2024-23081</vulnerabilityName>
     </suppress>
 
+
+    <!-- This is an issue in the Azure cloud stack for auth / identity -->
+    <!-- It is fixed in the latest SDK version according to MS, but still being flagged -->
+    <!-- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255 -->
+
+    <suppress>
+        <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@.*$</packageUrl>
+        <cve>CVE-2024-35255</cve>
+    </suppress>
+
+    <suppress>
+        <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
+        <cve>CVE-2024-35255</cve>
+    </suppress>
+
+    <suppress>
+        <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j\-persistence\-extension@.*$</packageUrl>
+        <cve>CVE-2024-35255</cve>
+    </suppress>
+
 </suppressions>