-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathowasp-false-positive-warnings.xml
124 lines (122 loc) · 5.93 KB
/
owasp-false-positive-warnings.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
xsi:schemaLocation="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd
https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
file name: spring-security-crypto-5.8.*.jar
The data serialized by the application is trusted
NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
<vulnerabilityName>CVE-2020-5408</vulnerabilityName>
<cve>CVE-2018-1258</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-*-5.3.39.jar
CVE-2024-38820 - DataBinder is used to bind request parameters to JavaBean objects. The vulnerability is not exploitable by SMP usage of the library.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-.*?@.*$</packageUrl>
<cve>CVE-2024-38820</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-web-5.3.*.jar
CVE-2016-1000027 - The data serialized by the application are from authenticated users and trusted
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-(web|core)@.*$</packageUrl>
<cve>CVE-2016-1000027</cve>
<cve>CVE-2018-1258</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: smp.war: spring-core-5.3.31.jar
The data serialized by the application are from authenticated users and trusted
NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
- CVE-2024-38820: see below the spring-*-5.3.39.jar for the same issue explanation
]]></notes>
<cve>CVE-2016-1000027</cve>
<cve>CVE-2024-38820</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: smp.war: spring-security-*.jar
]]></notes>
<cve>CVE-2018-1258</cve>
</suppress>
<suppress>
<notes><![CDATA[
CVE-2020-8908 - we don't use com.google.common.io.Files.createTempDir()
CVE-2023-2976 - we don't use FileBackedOutputStream
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
<vulnerabilityName>CVE-2020-8908</vulnerabilityName>
<vulnerabilityName>CVE-2023-2976</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
file name: snakeyaml-1.30.jar
The vulnerability is not impacting smp.war,
because is part of spring boot - intended only for demo and testing. Also Yaml configuration is not exposed
to external users.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
<cve>CVE-2022-1471</cve>
<cve>CVE-2022-25857</cve>
<cve>CVE-2022-38749</cve>
<cve>CVE-2022-38751</cve>
<cve>CVE-2022-38752</cve>
<cve>CVE-2022-41854</cve>
<cve>CVE-2022-38750</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: jackson-databind-2.15.2.jar
The vulnerability is not exploitable by SMP usage of the library.
NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing
a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<cve>CVE-2023-35116</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: tomcat-embed-websocket-9.0.x.jar
The vulnerability is not impacting smp.war,
because is part of spring boot - intended only for demo and testing.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed\-websocket@.*$</packageUrl>
<cve>CVE-2023-41080</cve>
</suppress>
<suppress>
<notes><![CDATA[
File name: joda-time-2.x
This is transitive library of the 2WaySec, WSS4J 2.4.x: Check if this is needed when using WSS4J is upgrades
and is not directly used by the 2waySSL library.
NOTE: Currently the latest version 2.12.7 still report the same issue.
This is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability.
]]></notes>
<packageUrl regex="true">^pkg:maven/joda\-time/joda\-time@.*$</packageUrl>
<vulnerabilityName>CVE-2024-23080</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
file name: protobuf-java-3.25.1.jar
This is the transitive library of the mysql-connector-j:jar:8.4.0: Check if this is needed when using Mysql-connector-java is upgrades.
The is added only for the spring boot demo module which is used only for the Demo and testing. Final smp.war artefact does not include this library.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf-java@.*$</packageUrl>
<vulnerabilityName>CVE-2024-7254</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-webmvc-5.3.39.jar
The vulnerability is not exploitable by SMP usage of the library.
The application does not serve static resources through the functional web frameworks WebMvc.fn or WebFlux.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-webmvc@.*$</packageUrl>
<vulnerabilityName>CVE-2024-38816</vulnerabilityName>
</suppress>
</suppressions>