<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-maven-config.xml (forked from codice/alliance) -->
<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
<suppress>
<notes><![CDATA[
CVE-2004-0009 is an issue with Apache not-yet-commons-ssl.
This jar has been stripped from the distribution; the suppression
is to prevent OWASP from complaining.
file name: apache-karaf-4.0.4.zip: org.apache.servicemix.bundles.not-yet-commons-ssl-0.3.11_1.jar]]>
</notes>
<cve>CVE-2004-0009</cve>
</suppress>
<suppress>
<notes><![CDATA[
CVE-2015-5344 is an issue with Camel versions before 2.16.1.
OWASP appears to have confused the internal proxy-camel-servlet
version with the overall Camel version, so marking as a false positive.
file name: proxy-camel-servlet-2.11.0-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2015-5344</cve>
</suppress>
<suppress>
<notes><![CDATA[
CVE-2014-1939 is an Android-specific issue and does not apply here.
file name: google-http-client-1.22.0.jar]]>
</notes>
<cve>CVE-2014-1939</cve>
</suppress>
<suppress>
<notes><![CDATA[
CVE-2008-0660 is a stack based buffer overflow vulnerability related to ActiveX and
several image uploaders. This is unrelated to presto-parser, so marking as a false
positive.]]>
</notes>
<cve>CVE-2008-0660</cve>
</suppress>
<suppress>
<notes><![CDATA[
CVE-2007-1085 is a cross-site scripting (XSS) vulnerability related to Google Desktop
which does not apply here.]]>
</notes>
<cve>CVE-2007-1085</cve>
</suppress>
<suppress>
<notes><![CDATA[
CVE-2007-3150 is a JavaScript injection vulnerability related to Google Desktop which
does not apply here.]]>
</notes>
<cve>CVE-2007-3150</cve>
</suppress>
<suppress>
<notes><![CDATA[
CVE-2010-1807 is related to a client side/browser vulnerability in WebKit. Marking the
vulnerability as a false positive since the vulnerable code is not currently used and
the code is executed server-side.]]>
</notes>
<cve>CVE-2010-1807</cve>
</suppress>
<suppress>
<notes><![CDATA[
CVE-2011-2730 is related to a vulnerability in the VMware SpringSource Spring
Framework, where OWASP flags jars that are unrelated or have no dependency on
Spring, so marking it as a false positive.]]>
</notes>
<cve>CVE-2011-2730</cve>
</suppress>
<suppress>
<notes><![CDATA[
CVE-2011-5034: Applies to
org.apache.servicemix.specs.activation-api-1.1-2.5.0.jar/META-INF/maven/org.apache.geronimo.specs/geronimo-activation_1.1_spec/pom.xml
ServiceMix embeds some Specs provided by Geronimo but does not use any of the affected libraries.]]>
</notes>
<cve>CVE-2011-5034</cve>
</suppress>
<suppress>
<notes><![CDATA[
Suppressing vulnerabilities CVE-2013-4271 and CVE-2013-4221 as the offending jar file (org.restlet-2.1.1.jar)
is being manually removed from the Solr WAR and replaced with the fixed version. These should be removed when
Solr is updated (DDF-1110). See pom file for details.
file name: solr-4.7.2.war: org.restlet-2.1.1.jar]]>
</notes>
<cve>CVE-2013-4221</cve>
</suppress>
<suppress>
<notes><![CDATA[
Suppressing vulnerabilities CVE-2013-4271 and CVE-2013-4221 as the offending jar file (org.restlet-2.1.1.jar)
is being manually removed from the Solr WAR and replaced with the fixed version. These should be removed when
Solr is updated (DDF-1110). See pom file for details.
file name: solr-4.7.2.war: org.restlet-2.1.1.jar]]>
</notes>
<cve>CVE-2013-4271</cve>
</suppress>
<suppress>
<notes><![CDATA[
OWASP is getting confused by our version number being on a jar with solr in the name; we are on
Solr 6.0+, which is not affected by this issue.
file name: solr-*.jar]]>
</notes>
<cve>CVE-2012-6612</cve>
</suppress>
<suppress>
<notes><![CDATA[
CVE-2014-0050: Applies to commons-fileupload-1.2.1, suppressing due to replacing jar
when packaging war]]>
</notes>
<cve>CVE-2014-0050</cve>
</suppress>
<suppress>
<notes><![CDATA[
CVE-2016-1000031: Applies to commons-fileupload-1.2.1, suppressing because the
vulnerable class DiskFileItem is not used in the project]]>
</notes>
<cve>CVE-2016-1000031</cve>
</suppress>
<suppress>
<notes><![CDATA[
False positive: the affected Camel version is 2.12; this uses a later version and does use the XSLT component.
file name: proxy-camel-servlet-2.9.0-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2014-0002</cve>
</suppress>
<suppress>
<notes><![CDATA[
False positive: the affected Camel version is 2.12; this uses a later version and does use the XSLT component.
file name: proxy-camel-servlet-2.9.0-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2014-0003</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE is generating a lot of false positives: it should only include the jackson-dataformat-xml jar,
but it is catching all Jackson dependencies. If we start depending on a vulnerable version
of jackson-dataformat-xml, this will still suppress it.]]>
</notes>
<cve>CVE-2016-3720</cve>
</suppress>
<suppress>
<notes><![CDATA[
Shiro-core has a dependency on this, but it doesn't expose commons-beanutils to user input, so it
wouldn't pose a risk like the Struts library that is called out in the CVE.
file name: commons-beanutils-1.8.3.jar]]>
</notes>
<cve>CVE-2014-0114</cve>
</suppress>
<suppress>
<notes><![CDATA[
Reported CVEs are vulnerabilities in earlier versions of FFmpeg.
file name: ffmpeg-3.1.1_1-bin.zip: ffmpeg.exe]]>
</notes>
<cpe>cpe:/a:ffmpeg:ffmpeg:-</cpe>
</suppress>
<suppress>
<notes><![CDATA[
False positive; the CVE is unrelated.
file name: platform-filter-delegate-*.jar]]>
</notes>
<cve>CVE-2005-0861</cve>
</suppress>
<suppress>
<notes><![CDATA[
False positive; the CVE is unrelated.
file name: nagasena-0000.0002.0049.0.jar]]>
</notes>
<cve>CVE-2014-9389</cve>
</suppress>
<suppress>
<notes><![CDATA[
False positive; the CVE is unrelated.
file name: org.apache.servicemix.bundles.not-yet-commons-ssl]]>
</notes>
<cve>CVE-2004-0009</cve>
</suppress>
<suppress>
<notes><![CDATA[
The package is not installed by default and is only experimental. These security issues
would need to be resolved before geowebcache can be installed in a secure production
environment. This has been added to documentation.
file name: gwc-web-1.5.0.war: com.noelios.restlet-1.0.8.jar]]>
</notes>
<cve>CVE-2013-4271</cve>
</suppress>
<suppress>
<notes><![CDATA[
The package is not installed by default and is only experimental. These security issues
would need to be resolved before geowebcache can be installed in a secure production
environment. This has been added to documentation.
file name: gwc-web-1.5.0.war: com.noelios.restlet-1.0.8.jar]]>
</notes>
<cve>CVE-2013-4221</cve>
</suppress>
<suppress>
<notes><![CDATA[
The package is not installed by default and is only experimental. These security issues
would need to be resolved before geowebcache can be installed in a secure production
environment. This has been added to documentation.
file name: gwc-web-1.5.0.war: commons-beanutils-1.7.0.jar]]>
</notes>
<cve>CVE-2014-0114</cve>
</suppress>
<suppress>
<notes><![CDATA[
The package is not installed by default and is only experimental. These security issues
would need to be resolved before geowebcache can be installed in a secure production
environment. This has been added to documentation.
file name: gwc-web-1.5.0.war: commons-collections-3.1.jar]]>
</notes>
<cve>CVE-2015-6420</cve>
</suppress>
<suppress>
<notes><![CDATA[
The package is not installed by default and is only experimental. These security issues
would need to be resolved before geowebcache can be installed in a secure production
environment. This has been added to documentation.
file name: gwc-web-1.5.0.war: org.restlet-1.0.8.jar]]>
</notes>
<cve>CVE-2013-4271</cve>
</suppress>
<suppress>
<notes><![CDATA[
The package is not installed by default and is only experimental. These security issues
would need to be resolved before geowebcache can be installed in a secure production
environment. This has been added to documentation.
file name: gwc-web-1.5.0.war: org.restlet-1.0.8.jar]]>
</notes>
<cve>CVE-2013-4221</cve>
</suppress>
<suppress>
<notes><![CDATA[
The package is not installed by default and is only experimental. These security issues
would need to be resolved before geowebcache can be installed in a secure production
environment. This has been added to documentation.
file name: gwc-web-1.5.0.war: postgresql-8.4-701.jdbc3.jar]]>
</notes>
<cve>CVE-2016-0766</cve>
</suppress>
<!-- end of geowebcache vulnerabilities -->
<suppress>
<notes><![CDATA[
This CVE references a problem on 64-bit Linux platforms when embedding
certain versions of google chrome or using certain versions of Google V8. Our codebase does
neither of these things. This is believed to be a false positive from OWASP.]]>
</notes>
<cve>CVE-2012-5120</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with performing write operations in certain
embedded versions of google chrome or using certain versions of Google V8. Our codebase
does neither of these things. This is believed to be a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2012-5128</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with buffer overflows in runtime.cc found in
certain versions of google chrome and certain versions of Google V8. Our codebase does
neither of these things. This is believed to be a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2013-6638</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with the DehoistArrayIndex function performing
out-of-bounds writes in hydrogen-dehoist.cc (aka hydrogen.cc) which is found in certain
versions of google chrome and certain versions of Google V8. Since we do not depend on
these packages, this is believed to be a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2013-6639</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with the DehoistArrayIndex function performing
out-of-bounds reads in hydrogen-dehoist.cc (aka hydrogen.cc) which is found in certain
versions of google chrome and certain versions of Google V8. Since we do not depend on
these packages, this is believed to be a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2013-6640</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with embedding certain versions of google
chrome or using certain versions of Google V8 which may allow attackers to "have impact
via unknown vectors." Our codebase does not embed either package so this is believed to be
a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2013-6668</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with embedding certain versions of google
chrome or using certain versions of Google V8 which may allow attackers to "have impact
via unknown vectors." Our codebase does not embed either package so this is believed to be
a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2015-2238</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with embedding certain versions of google
chrome or using certain versions of Google V8 which may allow attackers to "have impact
via unknown vectors." Our codebase does not embed either package so this is believed to be
a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2015-1346</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with the ReduceTransitionElementsKind function
in hydrogen-elimination.cc which is found in certain versions of google chrome and certain
versions of Google V8. Attackers can use this function to leverage "type confusion."
Since we do not depend on these packages, this is believed to be a false positive from
OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2015-1242</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with embedding certain versions of google
chrome or using certain versions of Google V8 which may allow attackers to "have impact
via unknown vectors." Our codebase does not embed either package so this is believed to be
a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2014-7967</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with embedding certain versions of google
chrome or using certain versions of Google V8 which may allow attackers to "have impact
via unknown vectors." Our codebase does not embed either package so this is believed to be
a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2014-3152</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with embedding certain versions of google
chrome or using certain versions of Google V8 which may allow attackers to "have impact
via unknown vectors." Our codebase does not embed either package so this is believed to be
a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2015-3333</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with embedding certain versions of google
chrome or using certain versions of Google V8 which may allow attackers to "have impact
via unknown vectors." Our codebase does not embed either package so this is believed to be
a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2015-3910</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with the Utf8DecoderBase::WriteUtf16Slow
function in the file unicode-decoder.cc. This file is found in certain versions of Google
V8 and used in Node.js. Using these files may allow attackers to use a crafted byte sequence
and "have impact via unknown vectors." Since we do not depend on these packages, this is
believed to be a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2015-5380</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with embedding certain versions of google
chrome or using certain versions of Google V8 which may allow attackers to "have impact
via unknown vectors." Our codebase does not embed either package so this is believed to be
a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2015-6580</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with embedding certain versions of google
chrome or using certain versions of Google V8 which may allow attackers to "have impact
via unknown vectors." Our codebase does not embed either package so this is believed to be
a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2015-7834</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with embedding certain versions of google
chrome or using certain versions of Google V8 which may allow attackers to "have impact
via unknown vectors." Our codebase does not embed either package so this is believed to be
a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2015-8478</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with heap-based buffer overflow in
src/jsregexp.cc which is found in certain versions of google chrome and certain versions of
Google V8. Since we do not depend on these packages, this is believed to be a false positive
from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2009-2555</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with embedding certain versions of google
chrome or using certain versions of Google V8 which may allow attackers to "have impact
via unknown vectors." Our codebase does not embed either package so this is believed to be
a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2014-1704</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with embedding certain versions of google
chrome or using certain versions of Google V8 which may allow attackers to "have impact
via unknown vectors." Our codebase does not embed either package so this is believed to be
a false positive from OWASP.
file name: catalog-nsili-source-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2015-8548</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with deserializing specifically crafted
serialized Java objects when using the Apache Commons Collections library. Although we use
this library, we currently do not allow deserialization of "arbitrary, user-supplied Java
serialized data" which this vulnerability depends on.
file name: video-security-0.2-SNAPSHOT.jar]]>
</notes>
<cve>CVE-2015-6420</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem with SQLLoginModule in Apache Geronimo which
allows attackers to bypass authentication via a login attempt with a username not contained
in the database. Since SQLLoginModule is not used by kernel, this is believed to be a false
positive.]]>
</notes>
<cve>CVE-2007-5797</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE references a problem in Apache Geronimo Application Server which
allows remote attackers to upload files to arbitrary directories via directory traversal
sequences. Since Apache Geronimo Application Server is not used by kernel, this is believed
to be a false positive.]]>
</notes>
<cve>CVE-2008-5518</cve>
</suppress>
</suppressions>
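Most entries above suppress by `<cve>` alone, which silences that CVE for every dependency in the build, and the notes themselves flag the consequences (the jackson-dataformat-xml entry admits it will hide a genuinely vulnerable future version; the Solr restlet entries ask to be removed once DDF-1110 lands). The following linter is an added example, not code from this project or from OWASP Dependency-Check: it parses a suppression file with the standard library only and reports entries with no scoping element (`<gav>`, `<filePath>`, `<sha1>` or `<packageUrl>`, which are the real scoping elements of the suppression schema), entries that repeat an earlier target with the same scope, and entries whose notes name a follow-up ticket. The embedded sample XML is constructed for the demonstration and is not the real file.

```python
"""Lint an OWASP Dependency-Check suppression file for risky suppressions.

Added example, not the project's own code. Checks three things a reviewer
wants to know about each <suppress> entry: is it scoped to an artifact, is
it a duplicate, and does it carry a follow-up ticket that should be tracked.
"""
import re
import sys
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression}"
# Elements that narrow a suppression to specific artifacts (schema elements).
SCOPE_TAGS = ("filePath", "sha1", "gav", "packageUrl")
# Tracking ids such as DDF-1110 mentioned in notes; CVE ids are excluded.
TICKET_RE = re.compile(r"\b(?!CVE-)[A-Z]{2,}-\d+\b")

# Constructed sample modelled on the suppression file's patterns (not the real file).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
    <suppress>
        <notes><![CDATA[Catches all jackson dependencies; should only cover jackson-dataformat-xml.]]></notes>
        <cve>CVE-2016-3720</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[Remove when Solr is updated (DDF-1110).
        file name: solr-4.7.2.war: org.restlet-2.1.1.jar]]></notes>
        <cve>CVE-2013-4221</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[Chrome/V8 issue, not embedded here.]]></notes>
        <cve>CVE-2015-8548</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[Chrome/V8 issue, not embedded here.]]></notes>
        <cve>CVE-2015-8548</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[Scoped to one artifact; this is the shape we want.]]></notes>
        <gav regex="true">^com\\.fasterxml\\.jackson\\.dataformat:jackson-dataformat-xml:.*$</gav>
        <cve>CVE-2016-3720</cve>
    </suppress>
</suppressions>
"""


def _scope(sup):
    """Return (tag, regex flag, value) for the first scoping element, or None."""
    for tag in SCOPE_TAGS:
        el = sup.find(NS + tag)
        if el is not None:
            return (tag, el.get("regex", "false"), (el.text or "").strip())
    return None


def lint(xml_text):
    """Return findings keyed by kind; each finding is (entry_no, target, detail)."""
    root = ET.fromstring(xml_text)
    findings = {"unscoped": [], "duplicate": [], "tracked": []}
    seen = Counter()
    for no, sup in enumerate(root.findall(NS + "suppress"), start=1):
        notes = " ".join((sup.findtext(NS + "notes") or "").split())
        # Both <cve> and <cpe> name what is being silenced; a <cpe> silences every CVE for that product.
        targets = [el.text.strip() for el in sup.findall(NS + "cve")]
        targets += [el.text.strip() for el in sup.findall(NS + "cpe")]
        scope = _scope(sup)
        for target in targets:
            key = (target, scope)
            seen[key] += 1
            if seen[key] > 1:
                findings["duplicate"].append((no, target, "same target and scope as an earlier entry"))
            if scope is None:
                findings["unscoped"].append(
                    (no, target, "applies to every dependency; add <gav>, <filePath>, <sha1> or <packageUrl>"))
        for ticket in TICKET_RE.findall(notes):
            findings["tracked"].append((no, ", ".join(targets), f"follow-up ticket {ticket} named in notes"))
    return findings


def report(findings):
    """Render findings as one line per item, grouped by kind."""
    lines = []
    for kind, items in findings.items():
        for no, target, detail in items:
            lines.append(f"{kind:9} entry {no:3} {target}: {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python lint_suppressions.py [dependency-check-maven-config.xml]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    print(report(lint(text)))
```

Run it against the real file by passing the path as the first argument; with no argument it lints the embedded sample and flags the four CVE-only entries, the repeated CVE-2015-8548 entry and the DDF-1110 ticket. The last sample entry shows the scoped form: the same CVE suppressed only for the `jackson-dataformat-xml` coordinates, so a later vulnerable version of any other Jackson artifact still surfaces in the report.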