dependencyCheckSuppression.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
OWASP Dependency-Check suppression rules for this build.

How each <suppress> entry is matched:
  * <notes> only records the jar (and the shaded artifact, where there is one)
    that the finding was reported against; it is documentation, not a match
    criterion.
  * <packageUrl regex="true"> scopes the rule to one Maven coordinate. Every
    pattern in this file ends in "@.*$", so a rule keeps applying after the
    artifact is upgraded; re-check the rationale on each version bump.
  * <cve> and <vulnerabilityName> narrow the rule to the listed findings.
  * <cpe> with no <cve> or <vulnerabilityName> suppresses every finding
    attributed to that CPE for the matched artifact, which is the broadest
    form and needs the strongest justification.

NOTE(review): suppression schema 1.3 accepts an until="YYYY-MM-DD" attribute
on <suppress>, after which the rule stops applying. The entries below that
describe themselves as temporary would benefit from one so they resurface
instead of persisting silently.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- Prevent match against unrelated "rengine" at https://github.com/yogeshojha/rengine -->
<suppress>
<notes><![CDATA[
file name: rengine-0.6-8.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.rforge/rengine@.*$</packageUrl>
<cve>CVE-2022-1813</cve>
<cve>CVE-2021-39491</cve>
</suppress>
<!-- Same two CVEs for the rserve jar from the same net.rforge group; presumably the same mismatch as above, confirm. -->
<suppress>
<notes><![CDATA[
file name: rserve-0.6-8.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.rforge/rserve@.*$</packageUrl>
<cve>CVE-2022-1813</cve>
<cve>CVE-2021-39491</cve>
</suppress>
<!--
GWT uses Protobuf internally but doesn't expose it, meaning the handful of CVEs in 2.5.0 are not a concern.
https://github.com/gwtproject/gwt/issues/9778
-->
<!--
NOTE(review): the two rules below match on packageUrl and cpe only, so between
them they suppress three protobuf-java findings wherever that artifact turns
up, not just inside the two GWT jars named in the notes. Confirm no other
module pulls in protobuf-java before relying on the GWT rationale.
These two rules also list CVE ids in <vulnerabilityName> where the rest of the
file uses <cve>; both forms work, but one form throughout is easier to audit.
-->
<suppress>
<notes><![CDATA[
file name: gwt-servlet-2.11.0.jar (shaded: com.google.protobuf:protobuf-java:2.5.0)
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
<cpe>cpe:/a:google:protobuf-java</cpe>
<vulnerabilityName>CVE-2022-3509</vulnerabilityName>
<vulnerabilityName>CVE-2021-22569</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
file name: gwt-servlet-jakarta-2.11.0.jar (shaded: com.google.protobuf:protobuf-java:2.5.0)
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
<cpe>cpe:/a:google:protobuf-java</cpe>
<vulnerabilityName>CVE-2024-7254</vulnerabilityName>
</suppress>
<!-- Tangled CVEs. See https://github.com/jeremylong/DependencyCheck/issues/4614 and https://github.com/OSSIndex/vulns/issues/316 -->
<suppress>
<notes><![CDATA[
file name: xercesImpl-2.12.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
<vulnerabilityName>CVE-2017-10355</vulnerabilityName>
</suppress>
<!--
For our purposes, Random is good enough, and not worth publishing our own version of the artifact that uses
SecureRandom. https://github.com/penggle/kaptcha/issues/3
-->
<!-- Risk acceptance rather than a false positive: the finding about the non-secure RNG is real but judged acceptable for this use. -->
<suppress>
<notes><![CDATA[
file name: kaptcha-2.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.code\.kaptcha/kaptcha@.*$</packageUrl>
<cve>CVE-2018-18531</cve>
</suppress>
<!--
The five rules below each cover one module shaded into mule-module-builders-1.4.4e.jar and
each lists a single CVE, so new findings against these modules still surface.
-->
<!-- False positive - we're not bundling Struts as part of Mule -->
<suppress>
<notes><![CDATA[
file name: mule-module-builders-1.4.4e.jar (shaded: org.mule.modules:mule-module-ognl:1.4.4)
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mule\.modules/mule\-module\-ognl@.*$</packageUrl>
<cve>CVE-2016-3093</cve>
</suppress>
<!-- False positive - we're not bundling Windows PGP -->
<suppress>
<notes><![CDATA[
file name: mule-module-builders-1.4.4e.jar (shaded: org.mule.modules:mule-module-pgp:1.4.4)
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mule\.modules/mule\-module\-pgp@.*$</packageUrl>
<cve>CVE-2001-0265</cve>
</suppress>
<!-- No WebSockets for Mule, so no risk -->
<suppress>
<notes><![CDATA[
file name: mule-module-builders-1.4.4e.jar (shaded: org.mule.modules:mule-module-wssecurity:1.4.4)
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mule\.modules/mule\-module\-wssecurity@.*$</packageUrl>
<cve>CVE-2021-4236</cve>
</suppress>
<!-- No FTP for Mule, so no risk -->
<suppress>
<notes><![CDATA[
file name: mule-module-builders-1.4.4e.jar (shaded: org.mule.transports:mule-transport-ftp:1.4.4)
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mule\.transports/mule\-transport\-ftp@.*$</packageUrl>
<cve>CVE-2023-22551</cve>
</suppress>
<!-- False positive - different XFire, and we're certainly not opening UDP port 25777 -->
<suppress>
<notes><![CDATA[
file name: mule-module-builders-1.4.4e.jar (shaded: org.mule.transports:mule-transport-xfire:1.4.4)
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mule\.transports/mule\-transport\-xfire@.*$</packageUrl>
<cve>CVE-2006-5391</cve>
</suppress>
<!--
This is a dependency of Java-FPDF, used by the WNPRC billing module for PDF generation, which hasn't been updated
to reference the now-renamed Commons Imaging library instead of the old Sanselan incubator. The CVE is related
to file parsing, not generation so we're not vulnerable
-->
<!-- NOTE(review): this rationale holds only while sanselan is never handed externally supplied image data; re-check if the billing module starts reading images. -->
<suppress>
<notes><![CDATA[
file name: sanselan-0.97-incubator.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.sanselan/sanselan@.*$</packageUrl>
<vulnerabilityName>CVE-2018-17201</vulnerabilityName>
</suppress>
<!--
GraalJS shaded and re-versioned icu4j without changing the file name, leading to many old CVEs getting tagged.
This should be fixed soon, but suppress all CVEs for now. https://github.com/oracle/graal/issues/8204
-->
<!--
NOTE(review): CPE-only rule with no <cve> list, so every current and future
finding attributed to these three CPEs is hidden for the shaded icu4j. The
comment above calls this temporary; an until= date tied to the linked issue
would make sure it is revisited rather than left open-ended.
-->
<suppress>
<notes><![CDATA[
file name: icu4j-23.1.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm\.shadowed/icu4j@.*$</packageUrl>
<cpe>cpe:/a:icu-project:international_components_for_unicode</cpe>
<cpe>cpe:/a:unicode:international_components_for_unicode</cpe>
<cpe>cpe:/a:unicode:unicode</cpe>
</suppress>
<!--
The Tomcat jaspic-api and jsp-api jars are false positives, for some reason matching against Tomcat 3.0. See
https://github.com/jeremylong/DependencyCheck/issues/5659, which has been raised, but no response.
-->
<!-- NOTE(review): the two rules below are also CPE-only, so any Tomcat finding attributed to these API jars is hidden, not only the Tomcat 3.0 mismatch; the packageUrl keeps each rule limited to its single API artifact. -->
<suppress>
<notes><![CDATA[
file name: tomcat-jaspic-api-10.1.34.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat\-jaspic\-api@.*$</packageUrl>
<cpe>cpe:/a:apache:tomcat</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: tomcat-jsp-api-10.1.34.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat\-jsp\-api@.*$</packageUrl>
<cpe>cpe:/a:apache:tomcat</cpe>
</suppress>
<!--
suppress CVE-2023-52070 for jfreechart, may become moot after subsequent upgrades
-->
<!-- TODO(review): the rule below does not say why CVE-2023-52070 does not apply here; record the reason (unused code path, inputs never attacker-controlled, or accepted risk) so it can be re-evaluated after the mentioned upgrade. -->
<suppress>
<notes><![CDATA[
file name: jfreechart-1.0.19.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
<vulnerabilityName>CVE-2023-52070</vulnerabilityName>
</suppress>
<!-- We don't use the sun.io.useCanonCaches setting referenced by this CVE. -->
<!--
NOTE(review): this rationale rests on the runtime JVM and container
configuration rather than on the jar itself; confirm it still holds whenever
the Java baseline or the Tomcat configuration changes. The unescaped hyphen in
the pattern below is a literal outside a character class, so it matches as
intended even though the other patterns in this file write "\-".
-->
<suppress>
<notes><![CDATA[
file name: tomcat-catalina-10.1.34.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat-catalina@.*$</packageUrl>
<vulnerabilityName>CVE-2024-56337</vulnerabilityName>
</suppress>
</suppressions>