dependencyCheckSuppression.xml

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Prevent match against unrelated "rengine" at https://github.com/yogeshojha/rengine -->
    <suppress>
        <notes><![CDATA[
      file name: rengine-0.6-8.1.jar
      ]]></notes>
        <packageUrl regex="true">^pkg:maven/net\.rforge/rengine@.*$</packageUrl>
        <cve>CVE-2022-1813</cve>
        <cve>CVE-2021-39491</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
   file name: rserve-0.6-8.1.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/net\.rforge/rserve@.*$</packageUrl>
        <cve>CVE-2022-1813</cve>
        <cve>CVE-2021-39491</cve>
    </suppress>

    <!--
    GWT uses Protobuf internally but doesn't expose it, meaning the handful of CVEs in 2.5.0 are not a concern.
    https://github.com/gwtproject/gwt/issues/9778
    -->
    <suppress>
        <notes><![CDATA[
   file name: gwt-servlet-2.10.0.jar (shaded: com.google.protobuf:protobuf-java:2.5.0)
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
        <cpe>cpe:/a:google:protobuf-java</cpe>
        <vulnerabilityName>CVE-2022-3509</vulnerabilityName>
        <vulnerabilityName>CVE-2021-22569</vulnerabilityName>
    </suppress>

    <suppress>
        <notes><![CDATA[
   file name: gwt-servlet-jakarta-2.11.0.jar (shaded: com.google.protobuf:protobuf-java:2.5.0)
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
        <cpe>cpe:/a:google:protobuf-java</cpe>
        <vulnerabilityName>CVE-2024-7254</vulnerabilityName>
    </suppress>

    <!-- Tangled CVEs. See https://github.com/jeremylong/DependencyCheck/issues/4614 and https://github.com/OSSIndex/vulns/issues/316 -->
    <suppress>
        <notes><![CDATA[
   file name: xercesImpl-2.12.2.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
        <vulnerabilityName>CVE-2017-10355</vulnerabilityName>
    </suppress>

    <!--
    For our purposes, Random is good enough, and not worth publishing our own version of the artifact that uses
    SecureRandom. https://github.com/penggle/kaptcha/issues/3
    -->
    <suppress>
        <notes><![CDATA[
   file name: kaptcha-2.3.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.code\.kaptcha/kaptcha@.*$</packageUrl>
        <cve>CVE-2018-18531</cve>
    </suppress>

    <!-- False positive - we're not bundling Struts as part of Mule -->
    <suppress>
        <notes><![CDATA[
   file name: mule-module-builders-1.4.4e.jar (shaded: org.mule.modules:mule-module-ognl:1.4.4)
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.mule\.modules/mule\-module\-ognl@.*$</packageUrl>
        <cve>CVE-2016-3093</cve>
    </suppress>

    <!-- False positive - we're not bundling Windows PGP -->
    <suppress>
        <notes><![CDATA[
   file name: mule-module-builders-1.4.4e.jar (shaded: org.mule.modules:mule-module-pgp:1.4.4)
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.mule\.modules/mule\-module\-pgp@.*$</packageUrl>
        <cve>CVE-2001-0265</cve>
    </suppress>

    <!-- No WebSockets for Mule, so no risk -->
    <suppress>
        <notes><![CDATA[
   file name: mule-module-builders-1.4.4e.jar (shaded: org.mule.modules:mule-module-wssecurity:1.4.4)
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.mule\.modules/mule\-module\-wssecurity@.*$</packageUrl>
        <cve>CVE-2021-4236</cve>
    </suppress>

    <!-- No FTP for Mule, so no risk -->
    <suppress>
        <notes><![CDATA[
   file name: mule-module-builders-1.4.4e.jar (shaded: org.mule.transports:mule-transport-ftp:1.4.4)
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.mule\.transports/mule\-transport\-ftp@.*$</packageUrl>
        <cve>CVE-2023-22551</cve>
    </suppress>

    <!-- False positive - different XFire, and we're certainly not opening UDP port 25777 -->
    <suppress>
        <notes><![CDATA[
   file name: mule-module-builders-1.4.4e.jar (shaded: org.mule.transports:mule-transport-xfire:1.4.4)
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.mule\.transports/mule\-transport\-xfire@.*$</packageUrl>
        <cve>CVE-2006-5391</cve>
    </suppress>

    <!--
    This is a dependency of Java-FPDF, used by the WNPRC billing module for PDF generation, which hasn't been updated
    to reference the now-renamed Commons Imaging library instead of the old Sanselan incubator. The CVE is related
    to file parsing, not generation so we're not vulnerable
    -->
    <suppress>
        <notes><![CDATA[
   file name: sanselan-0.97-incubator.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.sanselan/sanselan@.*$</packageUrl>
        <vulnerabilityName>CVE-2018-17201</vulnerabilityName>
    </suppress>

    <suppress>
        <notes><![CDATA[
   file name: jackson-databind-2.15.2.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
        <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
    </suppress>

    <!--
    GraalJS shaded and re-versioned icu4j without changing the file name, leading to many old CVEs getting tagged.
    This should be fixed soon, but suppress all CVEs for now. https://github.com/oracle/graal/issues/8204
    -->
    <suppress>
        <notes><![CDATA[
   file name: icu4j-23.1.2.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.graalvm\.shadowed/icu4j@.*$</packageUrl>
        <cpe>cpe:/a:icu-project:international_components_for_unicode</cpe>
        <cpe>cpe:/a:unicode:international_components_for_unicode</cpe>
        <cpe>cpe:/a:unicode:unicode</cpe>
    </suppress>

    <!--
    The Tomcat jaspic-api and jsp-api jars are false positives, for some reason matching against Tomcat 3.0. See
    https://github.com/jeremylong/DependencyCheck/issues/5659, which has been raised, but no response.
    -->
    <suppress>
        <notes><![CDATA[
   file name: tomcat-jaspic-api-10.1.18.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat\-jaspic\-api@.*$</packageUrl>
        <cpe>cpe:/a:apache:tomcat</cpe>
    </suppress>

    <suppress>
        <notes><![CDATA[
   file name: tomcat-jsp-api-10.1.18.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat\-jsp\-api@.*$</packageUrl>
        <cpe>cpe:/a:apache:tomcat</cpe>
    </suppress>

    <!--
    suppress CVE-2024-23080 after jodaTime upgrade to 2.12.7, as still detected as 2.12.5
    -->
    <suppress>
        <notes><![CDATA[
   file name: joda-time-2.12.7.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/joda\-time/joda\-time@.*$</packageUrl>
        <vulnerabilityName>CVE-2024-23080</vulnerabilityName>
    </suppress>

    <!--
    suppress CVE-2024-23080 after jodaTime upgrade to 2.12.7, as still detected as 2.12.5
    -->
    <suppress>
        <notes><![CDATA[
   file name: joda-time-2.12.7.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/joda\-time/joda\-time@.*$</packageUrl>
        <vulnerabilityName>CVE-2024-23080</vulnerabilityName>
    </suppress>

    <!--
    suppress CVE-2024-22949 for jfreechart, may become moot after subsequent upgrades
    -->
    <suppress>
        <notes><![CDATA[
   file name: jfreechart-1.0.19.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
        <vulnerabilityName>CVE-2024-22949</vulnerabilityName>
    </suppress>

    <!--
    suppress CVE-2023-52070 for jfreechart, may become moot after subsequent upgrades
    -->
    <suppress>
        <notes><![CDATA[
   file name: jfreechart-1.0.19.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
        <vulnerabilityName>CVE-2023-52070</vulnerabilityName>
    </suppress>

    <!--
    suppress CVE-2024-23076 for jfreechart, may become moot after subsequent upgrades
    -->
    <suppress>
        <notes><![CDATA[
   file name: jfreechart-1.0.19.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
        <vulnerabilityName>CVE-2024-23076</vulnerabilityName>
    </suppress>

    <!--
    suppress CVEs bzip2-0.9.1.jar which enters through DiscvrLabKeyModules/SequenceAnalysis and is matching CVEs from the bzip2 command-line utility
    -->
    <suppress>
        <notes><![CDATA[
   file name: bzip2-0.9.1.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.itadaki/bzip2@.*$</packageUrl>
        <cve>CVE-2019-12900</cve>
        <cve>CVE-2011-4089</cve>
        <cve>CVE-2010-0405</cve>
        <cve>CVE-2005-1260</cve>
    </suppress>

    <!--
    suppress CVE-2024-45772 for lucene 9.10, fixed in develop with bump to 9.12
    -->
    <suppress>
        <notes><![CDATA[
   file name: lucene-analysis-common-9.10.0.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.lucene/lucene-analysis-common@.*$</packageUrl>
        <cve>CVE-2024-45772</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[
   file name: lucene-backward-codecs-9.10.0.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.lucene/lucene-backward-codecs@.*$</packageUrl>
        <cve>CVE-2024-45772</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[
   file name: lucene-core-9.10.0.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.lucene/lucene-core@.*$</packageUrl>
        <cve>CVE-2024-45772</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[
   file name: lucene-queries-9.10.0.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.lucene/lucene-queries@.*$</packageUrl>
        <cve>CVE-2024-45772</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[
   file name: lucene-queryparser-9.10.0.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.lucene/lucene-queryparser@.*$</packageUrl>
        <cve>CVE-2024-45772</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[
   file name: lucene-sandbox-9.10.0.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.lucene/lucene-sandbox@.*$</packageUrl>
        <cve>CVE-2024-45772</cve>
    </suppress>
    <!-- end of lucene suppressions -->

    <!--
    suppress glassfish false positives, being corrected in:
    https://github.com/jeremylong/DependencyCheck/issues/7015
    https://github.com/jeremylong/DependencyCheck/pull/7016
    https://github.com/jeremylong/DependencyCheck/pull/7024
    -->
    <suppress>
        <notes><![CDATA[
   file name: jaxb-core-4.0.3.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/jaxb-core@.*$</packageUrl>
        <cve>CVE-2024-9329</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[
   file name: jaxb-core-4.0.5.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/jaxb-core@.*$</packageUrl>
        <cve>CVE-2024-9329</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[
   file name: jaxb-core-4.0.5.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/jaxb-core@.*$</packageUrl>
        <cve>CVE-2024-9329</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[
   file name: jaxb-runtime-4.0.3.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/jaxb-runtime@.*$</packageUrl>
        <cve>CVE-2024-9329</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[
   file name: jaxb-runtime-4.0.5.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/jaxb-runtime@.*$</packageUrl>
        <cve>CVE-2024-9329</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[
   file name: osgi-resource-locator-1.0.3.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.glassfish\.hk2/osgi-resource-locator@.*$</packageUrl>
        <cve>CVE-2024-9329</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[
   file name: txw2-4.0.3.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/txw2@.*$</packageUrl>
        <cve>CVE-2024-9329</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[
   file name: txw2-4.0.5.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/txw2@.*$</packageUrl>
        <cve>CVE-2024-9329</cve>
    </suppress>
    <!-- end of glassfish false positive suppressions -->

</suppressions>