-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathowasp-suppressions.xml
43 lines (43 loc) · 2 KB
/
owasp-suppressions.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
Any hypertrace dep
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.hypertrace\..*@.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
<cpe>cpe:/a:utils_project:utils</cpe>
<cpe>cpe:/a:processing:processing</cpe>
</suppress>
<suppress until="2023-12-31Z">
<notes><![CDATA[
This vulnerability is disputed, with the argument that SSL configuration is the responsibility of the client rather
than the transport. The change in default is under consideration for the next major Netty release, revisit then.
Regardless, our client (which is what brings in this dependency) enables the concerned feature, hostname verification
Ref:
https://github.com/grpc/grpc-java/issues/10033
https://github.com/netty/netty/issues/8537#issuecomment-1527896917
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty.*@.*$</packageUrl>
<vulnerabilityName>CVE-2023-4586</vulnerabilityName>
</suppress>
<suppress until="2023-12-31Z">
<notes><![CDATA[
This CVE is declared fixed from 9.4.52, but the vuln db is not reflecting that. Suppress that specific version until
db is updated.
Ref:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\[email protected]\..*$</packageUrl>
<vulnerabilityName>CVE-2023-36479</vulnerabilityName>
</suppress>
<suppress until="2023-12-31Z">
<notes><![CDATA[
This CVE (rapid RST) is already mitigated as our servers aren't directly exposed, but it's also
addressed in 1.59.1, which the CVE doesn't reflect (not all grpc impls versions are exactly aligned).
Ref: https://github.com/grpc/grpc-java/pull/10675
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*@.*$</packageUrl>
<cve>CVE-2023-44487</cve>
</suppress>
</suppressions>