Update dependency check supressions (#4931)

helidon-io · Sep 22, 2022 · 6d569f4 · 6d569f4
1 parent c7bed04
commit 6d569f4
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/etc/dependency-check-suppression.xml b/etc/dependency-check-suppression.xml
@@ -316,5 +316,26 @@
    <cve>CVE-2022-37422</cve>
 </suppress>
 
+<!-- False Positive. This CVE is fixed in snakeyaml-1.32 which we use, but CVE has not been updated.
+     See https://github.com/jeremylong/DependencyCheck/issues/4839
+-->
+<suppress>
+   <notes><![CDATA[
+   file name: snakeyaml-1.32.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
+   <vulnerabilityName>CVE-2022-38752</vulnerabilityName>
+</suppress>
+
+<!-- False Positive. This CVE is against graphql-java, not the microprofile-graphql-api
+-->
+<suppress>
+   <notes><![CDATA[
+   file name: microprofile-graphql-api-2.0.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.graphql/microprofile\-graphql\-api@.*$</packageUrl>
+   <cve>CVE-2022-37734</cve>
+</suppress>
+
 
 </suppressions>
diff --git a/pom.xml b/pom.xml
@@ -116,7 +116,7 @@
         <version.plugin.source>3.0.1</version.plugin.source>
         <version.plugin.spotbugs>4.4.2.2</version.plugin.spotbugs>
         <version.plugin.findsecbugs>1.11.0</version.plugin.findsecbugs>
-        <version.plugin.dependency-check>7.1.1</version.plugin.dependency-check>
+        <version.plugin.dependency-check>7.2.1</version.plugin.dependency-check>
         <version.plugin.surefire>3.0.0-M5</version.plugin.surefire>
         <version.plugin.toolchains>1.1</version.plugin.toolchains>
         <version.plugin.version-plugin>2.3</version.plugin.version-plugin>