Add suppression for packaged mongo jar (not on classpath) (#651)

openrewrite · Dec 20, 2024 · 64af2b5 · 64af2b5
1 parent 9071a63
commit 64af2b5
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/suppressions.xml b/suppressions.xml
@@ -2,13 +2,21 @@
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <suppress>
         <notes><![CDATA[
-   file name: spring-data-mongodb-2.2.12.RELEASE.jar
-   ]]>
-        These are required to be able to migrate away from the vulnerable dependencies
+        file name: spring-data-mongodb-2.2.12.RELEASE.jar
+        reason: referenced only. Not on the runtime classpath.
+        ]]>
         </notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.data/spring-data-mongodb@.*$</packageUrl>
         <cve>CVE-2022-22980</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+        file name: mongo-java-driver-3.12.14.jar
+        reason: referenced only. Not on the runtime classpath.§
+        ]]></notes>
+        <sha1>850383a126cdc5b363fa9ffc780037f6ebeee704</sha1>
+        <cpe>cpe:/a:mongodb:mongodb</cpe>
+    </suppress>
     <suppress until="2024-11-25Z">
         <notes><![CDATA[
                 file name: rewrite-testing-frameworks-2.20.0-SNAPSHOT.jar: wiremock-jre8-2.35.0.jar: swagger-ui-bundle.js