From a906d589c8d28b55514337d8078f2bbe6a4e8fb0 Mon Sep 17 00:00:00 2001
From: Nate Danner <nate.danner@gmail.com>
Date: Mon, 17 Oct 2022 09:08:31 -0700
Subject: [PATCH] chore: suppress jackson-databind (#6)

---
 build.gradle.kts |  1 +
 suppressions.xml | 12 ++++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 suppressions.xml

diff --git a/build.gradle.kts b/build.gradle.kts
index 7d6e9f6..c5d6855 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -47,6 +47,7 @@ configure<nebula.plugin.release.git.base.ReleasePluginExtension> {
 
 dependencyCheck {
     analyzers.assemblyEnabled = false
+    suppressionFile = "suppressions.xml"
     failBuildOnCVSS = 9.0F
 }
 
diff --git a/suppressions.xml b/suppressions.xml
new file mode 100644
index 0000000..d3f9ef2
--- /dev/null
+++ b/suppressions.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress until="2022-11-17Z">
+        <notes><![CDATA[
+                file name: jackson-databind-2.13.4.jar
+                sev:HIGH
+                In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
+            ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@2.13.*$</packageUrl>
+        <cve>CVE-2022-42003</cve>
+    </suppress>
+</suppressions>
\ No newline at end of file