update dependency-check suppressions
authorUdo Schnurpfeil <lofwyr@apache.org>
Sun, 23 Sep 2018 16:50:43 +0000 (18:50 +0200)
committerUdo Schnurpfeil <lofwyr@apache.org>
Sun, 23 Sep 2018 16:50:43 +0000 (18:50 +0200)
other/checkstyle-rules/src/main/resources/tobago/dependency-check-suppression-for-tobago-2.x.xml [moved from other/checkstyle-rules/src/main/resources/tobago/dependency-check-suppression-for-tobago-2.0.xml with 61% similarity]
other/checkstyle-rules/src/main/resources/tobago/dependency-check-suppression-for-tobago-3.x.xml [new file with mode: 0644]
other/checkstyle-rules/src/main/resources/tobago/dependency-check-suppression.xml

     <gav regex="true">^org\.apache\.myfaces\.tobago:.*:.*$</gav>
     <cve>CVE-2011-4343</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[ subject of CVE is a feature not used by Tobago, also log4j its only used in examples ]]></notes>
+    <gav regex="true">^org\.zenframework\.z8\.dependencies\.commons:log4j-1\.2\.17:.*$</gav>
+    <cve>CVE-2017-5645</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[ seems not to be relevant for Tobago, because it's only used to build themes ]]></notes>
+    <gav regex="true">^org\.codehaus\.plexus:plexus-archiver:.*$</gav>
+    <cve>CVE-2018-1002207</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[ file name: geronimo-validation_1.1_spec-1.0.jar ]]></notes>
+    <gav regex="true">^org\.apache\.geronimo\.specs:geronimo-validation_1\.1_spec:.*$</gav>
+    <cve>CVE-2013-4499</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[ addressbook demo ]]></notes>
+    <gav regex="true">^org\.apache\.derby:derby:.*$</gav>
+    <cve>CVE-2018-1313</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[ file name: batik-xml-1.9.jar batik-i18n-1.9.ja ]]></notes>
+    <gav regex="true">^org\.apache\.xmlgraphics:batik-.*:.*$</gav>
+    <cve>CVE-2018-8013</cve>
+  </suppress>
 </suppressions>
diff --git a/other/checkstyle-rules/src/main/resources/tobago/dependency-check-suppression-for-tobago-3.x.xml b/other/checkstyle-rules/src/main/resources/tobago/dependency-check-suppression-for-tobago-3.x.xml
new file mode 100644 (file)
index 0000000..1af901d
--- /dev/null
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd"
+              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:schemaLocation="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+  <suppress>
+    <notes><![CDATA[ file name: xbean-asm6-shaded-4.5.jar ]]></notes>
+    <gav regex="true">^org\.apache\.xbean:xbean-asm6-shaded:.*$</gav>
+    <cpe>cpe:/a:apache:geronimo</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[ file name: xbean-asm5-shaded-4.1.jar ]]></notes>
+    <gav regex="true">^org\.apache\.xbean:xbean-asm5-shaded:.*$</gav>
+    <cpe>cpe:/a:apache:geronimo</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[ file name: xbean-finder-shaded-4.1.jar ]]></notes>
+    <gav regex="true">^org\.apache\.xbean:xbean-finder-shaded:.*$</gav>
+    <cpe>cpe:/a:apache:geronimo</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[ file name: xbean-finder-shaded-4.5.jar ]]></notes>
+    <gav regex="true">^org\.apache\.xbean:xbean-finder-shaded:.*$</gav>
+    <cpe>cpe:/a:finder_project:finder</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[ file name: geronimo-el_2.2_spec-1.0.4.jar ]]></notes>
+    <gav regex="true">^org\.apache\.geronimo\.specs:geronimo-el_2\.2_spec:.*$</gav>
+    <cpe>cpe:/a:apache:geronimo</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[ file name: geronimo-servlet_3.0_spec-1.0.jar ]]></notes>
+    <gav regex="true">^org\.apache\.geronimo\.specs:geronimo-servlet_3\.0_spec:.*$</gav>
+    <cpe>cpe:/a:apache:geronimo</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[ file name: geronimo-validation_1.1_spec-1.0.jar ]]></notes>
+    <gav regex="true">^org\.apache\.geronimo\.specs:geronimo-validation_1\.1_spec:.*$</gav>
+    <cve>CVE-2013-4499</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[ addressbook demo ]]></notes>
+    <gav regex="true">^org\.apache\.derby:derby:.*$</gav>
+    <cve>CVE-2018-1313</cve>
+  </suppress>
+</suppressions>
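Review bot: Every new `<suppress>` in this file records only the matched jar name (`file name: xbean-asm6-shaded-4.5.jar`, and so on) and none states why the match is a false positive or why the finding does not apply, so a later reader re-running dependency-check cannot tell whether CVE-2013-4499 and CVE-2018-1313 were actually assessed or just clicked away. For the two `<cve>` entries I would record the reason and bound the suppression in time so it is revisited, e.g. `<suppress until="2019-09-23">` with `<notes><![CDATA[ CVE-2018-1313: derby is only used by the addressbook demo and is not shipped with Tobago; re-check on the next derby upgrade ]]></notes>` (the `until` attribute is, as far as I recall, part of the 1.1 suppression schema this file declares). The two `xbean-finder-shaded` entries match the same GAV and could be one `<suppress>` with both `<cpe>` children, which makes the "this jar is misidentified" intent clearer and keeps the file shorter.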
index b0b8d45..a51a31f 100644 (file)
@@ -32,4 +32,9 @@
     <gav regex="true">^org\.apache\.geronimo\.specs:geronimo-servlet_3\.0_spec:.*$</gav>
     <cpe>cpe:/a:apache:geronimo</cpe>
   </suppress>
+  <suppress>
+    <notes><![CDATA[ file name: geronimo-validation_1.1_spec-1.0.jar ]]></notes>
+    <gav regex="true">^org\.apache\.geronimo\.specs:geronimo-validation_1\.1_spec:.*$</gav>
+    <cve>CVE-2013-4499</cve>
+  </suppress>
 </suppressions>
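Review bot: The added entry suppresses CVE-2013-4499 for every version of `geronimo-validation_1.1_spec`, but its note only repeats the jar name, so it does not say whether the jar was matched to the wrong product or whether the product match is right and only this CVE is inapplicable. That distinction decides the form: if the CPE match itself is wrong, a `<cpe>` suppression like the neighbouring `geronimo-servlet_3.0_spec` entry would also stop the next CVE against that product from resurfacing, whereas if only this CVE is inapplicable the `<cve>` form is correct but the reason belongs in the note. I would at least replace the note with the rationale, e.g. `<notes><![CDATA[ CVE-2013-4499 does not apply to geronimo-validation_1.1_spec because <reason>; reviewed 2018-09 ]]></notes>`. The identical entry is also added to the 2.x and 3.x files in this commit; if those are layered on top of this shared file the copies are redundant and will drift.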