owasp-suppressions.xml

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes>
            apache:http_server is not used.
        </notes>
        <cpe>cpe:/a:apache:http_server</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        FP per #3889
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative\-classes@.*$</packageUrl>
        <cpe>cpe:/a:netty:netty</cpe>
    </suppress>

    <!-- CVE with outdated Netty versions imported from HerdDB. They are not packaged-->
    <suppress>
        <notes><![CDATA[
   file name: herddb-net-0.24.0.jar
   ]]></notes>
        <sha1>353d53df73cc1d885ca0bfdf6cc59c0942a5310c</sha1>
        <cve>CVE-2014-3488</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
   file name: herddb-net-0.24.0.jar
   ]]></notes>
        <sha1>353d53df73cc1d885ca0bfdf6cc59c0942a5310c</sha1>
        <cve>CVE-2015-2156</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
   file name: herddb-net-0.24.0.jar
   ]]></notes>
        <sha1>353d53df73cc1d885ca0bfdf6cc59c0942a5310c</sha1>
        <cve>CVE-2019-16869</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
   file name: herddb-net-0.24.0.jar
   ]]></notes>
        <sha1>353d53df73cc1d885ca0bfdf6cc59c0942a5310c</sha1>
        <cve>CVE-2019-20444</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
   file name: herddb-net-0.24.0.jar
   ]]></notes>
        <sha1>353d53df73cc1d885ca0bfdf6cc59c0942a5310c</sha1>
        <cve>CVE-2019-20445</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
   file name: herddb-net-0.24.0.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.herddb/herddb\-net@.*$</packageUrl>
        <cve>CVE-2021-21290</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
   file name: herddb-net-0.24.0.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.herddb/herddb\-net@.*$</packageUrl>
        <cve>CVE-2021-21295</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
   file name: herddb-net-0.24.0.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.herddb/herddb\-net@.*$</packageUrl>
        <cve>CVE-2021-21409</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
   file name: herddb-net-0.24.0.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.herddb/herddb\-net@.*$</packageUrl>
        <cve>CVE-2021-37136</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
   file name: herddb-net-0.24.0.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.herddb/herddb\-net@.*$</packageUrl>
        <cve>CVE-2021-37137</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
   file name: herddb-net-0.24.0.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.herddb/herddb\-net@.*$</packageUrl>
        <cve>CVE-2021-43797</cve>
    </suppress>

    <!-- owasp thinks 1.0.2 is after 1.0.2.3 -->
    <suppress>
        <notes><![CDATA[
   file name: bc-fips-1.0.2.3.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.bouncycastle/bc\-fips@.*$</packageUrl>
        <cve>CVE-2020-26939</cve>
    </suppress>

    <!-- avatica get confused with calcite-->
    <suppress>
        <notes><![CDATA[
   file name: avatica-core-1.19.0.jar
   ]]></notes>
        <sha1>2f9d48f95b4c6a9895c2eb8cb7533b3da78b3723</sha1>
        <cve>CVE-2020-13955</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
   file name: avatica-metrics-1.19.0.jar
   ]]></notes>
        <sha1>27bb4c226ed533a763bbf1c012b2f6dbea360f5a</sha1>
        <cve>CVE-2020-13955</cve>
    </suppress>
</suppressions>