<?xml version="1.0" encoding="UTF-8"?> <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> <!-- Wrong GAV detection --> <suppress> <notes><![CDATA[file name: scim-server-*.jar]]></notes> <gav regex="true">^org\.apache\.directory\.scim:.*$</gav> <cpe>cpe:/a:apache:apache_http_server</cpe> </suppress> <suppress> <notes><![CDATA[file name: scim-server-*.jar]]></notes> <gav regex="true">^org\.apache\.directory\.scim:.*$</gav> <cpe>cpe:/a:apache:http_server</cpe> </suppress> <suppress> <notes><![CDATA[ Weld contains META-INF/client/probe.js which includes old versions of bootstrap and JQuery Weld is only used in an example, and the JS client is not used file name: weld-probe-core-4.0.3.Final.jar: probe.js]]></notes> <packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl> <cve>CVE-2017-18214</cve> <cve>CVE-2022-24785</cve> <cve>CVE-2015-9251</cve> <cve>CVE-2016-10735</cve> <cve>CVE-2018-14040</cve> <cve>CVE-2018-14041</cve> <cve>CVE-2018-14042</cve> <cve>CVE-2019-11358</cve> <cve>CVE-2019-8331</cve> <cve>CVE-2020-11022</cve> <cve>CVE-2020-11023</cve> <vulnerabilityName>Regular Expression Denial of Service (ReDoS)</vulnerabilityName> <vulnerabilityName>reDOS - regular expression denial of service</vulnerabilityName> </suppress> <suppress> <notes><![CDATA[ False positive: wrong GAV fan_platform is a python project file name: junit-platform-engine-1.8.2.jar]]></notes> <cpe>cpe:/a:fan_platform_project:fan_platform</cpe> </suppress> <suppress> <notes><![CDATA[ file name: commons-codec-1.15.jar ]]></notes> <packageUrl regex="true">^pkg:maven/commons\-codec/commons\-codec@.*$</packageUrl> <cpe>cpe:/a:apache:commons_net</cpe> </suppress> <suppress> <notes><![CDATA[ file name: commons-logging-1.2.jar ]]></notes> <packageUrl regex="true">^pkg:maven/commons\-logging/commons\-logging@.*$</packageUrl> <cpe>cpe:/a:apache:commons_net</cpe> </suppress> <suppress> <notes><![CDATA[ file name: jcl-over-slf4j-1.7.36.jar ]]></notes> <packageUrl regex="true">^pkg:maven/org\.slf4j/jcl\-over\-slf4j@.*$</packageUrl> <cpe>cpe:/a:apache:commons_net</cpe> </suppress> <suppress> <notes><![CDATA[ file name: snakeyaml-1.33.jar Snakeyaml is a transitive dependency, the mitigation for this vuln is to use a different constructor. ]]></notes> <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl> <vulnerabilityName>CVE-2022-1471</vulnerabilityName> </suppress> </suppressions>