owasp-dependency-suppression.xml

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
   <notes><![CDATA[
   file name: xz-1.8.jar (vulnerable script xzgrep is not used nor included by Nuxeo)
   ]]></notes>
   <gav regex="true">^org\.tukaani:xz:.*$</gav>
   <cve>CVE-2015-4035</cve>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: geronimo-transaction-2.2.1.jar
   (CVE-2008-0732: vulnerable Geronimo SUSE init script is not used nor included by Nuxeo)
   (CVE-2011-5034: vulnerable code not in geronimo-transaction)
   ]]></notes>
   <gav regex="true">^org\.apache\.geronimo\.components:geronimo-transaction:.*$</gav>
   <cve>CVE-2008-0732</cve>
   <cve>CVE-2011-5034</cve>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: xbean-naming-3.18.jar (vulnerable Geronimo SUSE init script is not used nor included by Nuxeo)
   ]]></notes>
   <gav regex="true">^org\.apache\.xbean:xbean-naming:.*$</gav>
   <cve>CVE-2008-0732</cve>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: vaadin-sass-compiler-0.9.12-NX01.jar (vulnerability is in vaadin itself, not sass-compiler)
   ]]></notes>
   <gav regex="true">^com\.vaadin:vaadin-sass-compiler:.*$</gav>
   <cve>CVE-2011-0509</cve>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: annotations-12.0.jar (vulnerability is not in annotations)
   ]]></notes>
   <gav regex="true">^com\.intellij:annotations:.*$</gav>
   <cve>CVE-2017-8316</cve>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: scala-library-2.12.3.jar (vulnerable compilation daemon is not used nor included by Nuxeo)
   ]]></notes>
   <gav regex="true">^org\.scala-lang:scala-library:.*$</gav>
   <cve>CVE-2017-15288</cve>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: scala-reflect-2.12.3.jar (vulnerable compilation daemon is not used nor included by Nuxeo)
   ]]></notes>
   <gav regex="true">^org\.scala-lang:scala-reflect:.*$</gav>
   <cve>CVE-2017-15288</cve>
</suppress>
<suppress>
   <notes><![CDATA[
   Jetty is only used in tests
   ]]></notes>
   <cve>CVE-2017-7656</cve>
   <cve>CVE-2017-7657</cve>
   <cve>CVE-2017-7658</cve>
   <cve>CVE-2017-9735</cve>
</suppress>
<suppress>
   <notes><![CDATA[
   Spurious match of old Tomcat CVEs.
   ]]></notes>
   <cve>CVE-2000-0672</cve>
   <cve>CVE-2000-0760</cve>
   <cve>CVE-2000-1210</cve>
   <cve>CVE-2001-0590</cve>
   <cve>CVE-2002-0493</cve>
   <cve>CVE-2002-1148</cve>
   <cve>CVE-2002-1394</cve>
   <cve>CVE-2002-2006</cve>
   <cve>CVE-2002-2272</cve>
   <cve>CVE-2003-0042</cve>
   <cve>CVE-2003-0043</cve>
   <cve>CVE-2003-0044</cve>
   <cve>CVE-2003-0045</cve>
   <cve>CVE-2003-0866</cve>
   <cve>CVE-2005-0808</cve>
   <cve>CVE-2005-4838</cve>
   <cve>CVE-2006-7196</cve>
   <cve>CVE-2007-0450</cve>
   <cve>CVE-2007-1355</cve>
   <cve>CVE-2007-1358</cve>
   <cve>CVE-2007-2449</cve>
   <cve>CVE-2007-2450</cve>
   <cve>CVE-2007-3382</cve>
   <cve>CVE-2007-3383</cve>
   <cve>CVE-2007-3385</cve>
   <cve>CVE-2007-3386</cve>
   <cve>CVE-2007-5333</cve>
   <cve>CVE-2007-5342</cve>
   <cve>CVE-2007-5461</cve>
   <cve>CVE-2007-6286</cve>
   <cve>CVE-2008-0128</cve>
   <cve>CVE-2008-1232</cve>
   <cve>CVE-2008-1947</cve>
   <cve>CVE-2008-2370</cve>
   <cve>CVE-2008-2938</cve>
   <cve>CVE-2008-5515</cve>
   <cve>CVE-2008-5519</cve>
   <cve>CVE-2009-0033</cve>
   <cve>CVE-2009-0580</cve>
   <cve>CVE-2009-0781</cve>
   <cve>CVE-2009-0783</cve>
   <cve>CVE-2009-2693</cve>
   <cve>CVE-2009-2696</cve>
   <cve>CVE-2009-2901</cve>
   <cve>CVE-2009-2902</cve>
   <cve>CVE-2009-3548</cve>
   <cve>CVE-2010-1157</cve>
   <cve>CVE-2010-2227</cve>
   <cve>CVE-2010-3718</cve>
   <cve>CVE-2010-4312</cve>
   <cve>CVE-2011-0013</cve>
   <cve>CVE-2011-0534</cve>
   <cve>CVE-2011-1184</cve>
   <cve>CVE-2011-2204</cve>
   <cve>CVE-2011-2526</cve>
   <cve>CVE-2011-3190</cve>
   <cve>CVE-2011-4858</cve>
   <cve>CVE-2011-5062</cve>
   <cve>CVE-2011-5063</cve>
   <cve>CVE-2011-5064</cve>
   <cve>CVE-2012-0022</cve>
   <cve>CVE-2012-2733</cve>
   <cve>CVE-2012-3544</cve>
   <cve>CVE-2012-3546</cve>
   <cve>CVE-2012-4431</cve>
   <cve>CVE-2012-4534</cve>
   <cve>CVE-2012-5568</cve>
   <cve>CVE-2012-5885</cve>
   <cve>CVE-2012-5886</cve>
   <cve>CVE-2012-5887</cve>
   <cve>CVE-2013-2185</cve>
   <cve>CVE-2013-4286</cve>
   <cve>CVE-2013-4322</cve>
   <cve>CVE-2013-4444</cve>
   <cve>CVE-2013-4590</cve>
   <cve>CVE-2013-6357</cve>
   <cve>CVE-2014-0075</cve>
   <cve>CVE-2014-0096</cve>
   <cve>CVE-2014-0099</cve>
   <cve>CVE-2014-0119</cve>
   <cve>CVE-2014-0227</cve>
   <cve>CVE-2014-0230</cve>
   <cve>CVE-2014-7810</cve>
   <cve>CVE-2015-5174</cve>
   <cve>CVE-2015-5345</cve>
   <cve>CVE-2016-0706</cve>
   <cve>CVE-2016-0714</cve>
   <cve>CVE-2016-0762</cve>
   <cve>CVE-2016-1240</cve>
   <cve>CVE-2016-5018</cve>
   <cve>CVE-2016-5388</cve>
   <cve>CVE-2016-5425</cve>
   <cve>CVE-2016-6325</cve>
   <cve>CVE-2016-6794</cve>
   <cve>CVE-2016-6796</cve>
   <cve>CVE-2016-6797</cve>
   <cve>CVE-2016-6816</cve>
   <cve>CVE-2016-8735</cve>
   <cve>CVE-2016-9774</cve>
   <cve>CVE-2016-9775</cve>
   <cve>CVE-2017-5647</cve>
   <cve>CVE-2017-6056</cve>
</suppress>
<suppress>
   <notes><![CDATA[
   Elasticsearch Alerting and Monitoring is not used nor included by Nuxeo
   ]]></notes>
   <cve>CVE-2018-3831</cve>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: slf4j-api-1.7.25.jar (vulnerable slf4j-ext is not included in Nuxeo)
   ]]></notes>
   <gav regex="true">^org\.slf4j:slf4j-api:.*$</gav>
   <cve>CVE-2018-8088</cve>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: avro-1.8.2.jar (shaded: com.google.guava:guava:11.0.2)
   Shaded Guava in AVRO does not included the vulnerable AtomicDoubleArray class
   ]]></notes>
   <gav regex="true">^com\.google\.guava:guava:11.0.2$</gav>
   <cve>CVE-2018-10237</cve>
</suppress>

<suppress>
   <notes><![CDATA[
   file name: postgresql-42.2.5.jar (PostgreSQL not included in Nuxeo)
   ]]></notes>
   <gav regex="true">^org\.postgresql:postgresql:.*$</gav>
   <cpe>cpe:/a:postgresql:postgresql</cpe>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: mysql-connector-java-5.1.47.jar (MySQL not included in Nuxeo)
   ]]></notes>
   <gav regex="true">^mysql:mysql-connector-java:.*$</gav>
   <cpe>cpe:/a:mysql:mysql</cpe>
   <cpe>cpe:/a:oracle:mysql</cpe>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: mssql-jdbc-7.0.0.jre8.jar (SQL Server not included in Nuxeo)
   ]]></notes>
   <gav regex="true">^com\.microsoft\.sqlserver:mssql-jdbc:.*$</gav>
   <cpe>cpe:/a:microsoft:sql_server</cpe>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: quartz-mongodb-2.1.0-NX1.jar (MongoDB not included in Nuxeo)
   ]]></notes>
   <gav regex="true">^com\.novemberain:quartz-mongodb:.*$</gav>
   <cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>

<suppress>
   <notes><![CDATA[
   file name: affinity-3.1.9.jar (wrong identification, net.openhft:affinity != thread_project:thread)
   ]]></notes>
   <gav regex="true">^net\.openhft:affinity:.*$</gav>
   <cpe>cpe:/a:thread_project:thread</cpe>
</suppress>

<suppress>
   <notes><![CDATA[
   file name: ognl-2.7.2.jar (only used in tests; OGNL not used)
   ]]></notes>
   <gav regex="true">^ognl:ognl:.*$</gav>
   <cpe>cpe:/a:ognl_project:ognl</cpe>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: jsoup-1.4.1.jar (only used in tests)
   ]]></notes>
   <gav regex="true">^org\.jsoup:jsoup:.*$</gav>
   <cpe>cpe:/a:jsoup:jsoup</cpe>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: gatling-app-2.3.1.jar (only used in tests)
   ]]></notes>
   <gav regex="true">^io\.gatling:gatling-app:.*$</gav>
   <cpe>cpe:/a:app_project:app</cpe>
</suppress>
</suppressions>