Suppress spurious/not applicable jfreechart CVEs

Unidata · Jun 27, 2024 · 34a549b · 34a549b
1 parent 3a8008e
commit 34a549b
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/project-files/owasp-dependency-check/dependency-check-suppression.xml b/project-files/owasp-dependency-check/dependency-check-suppression.xml
@@ -146,4 +146,24 @@
     <packageUrl regex="true">^pkg:maven/org\.quartz\-scheduler/quartz@.*$</packageUrl>
     <cve>CVE-2023-39017</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: thredds-5.5-SNAPSHOT.war: jfreechart-1.0.19.jar
+   reason: Disputed CVEs and we do not use the vulnerable components (BubbleXYItemLabelGenerator.java, /chart/annotations/CategoryLineAnnotation, setSeriesNeedle)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
+    <vulnerabilityName>CVE-2024-23076</vulnerabilityName>
+    <vulnerabilityName>CVE-2024-22949</vulnerabilityName>
+    <vulnerabilityName>CVE-2023-52070</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: file name: tds-ui-5.5-SNAPSHOT.tar: jfreechart-1.0.19.jar
+   reason: Disputed CVEs and we do not use the vulnerable components (BubbleXYItemLabelGenerator.java, /chart/annotations/CategoryLineAnnotation, setSeriesNeedle)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
+    <vulnerabilityName>CVE-2024-23076</vulnerabilityName>
+    <vulnerabilityName>CVE-2024-22949</vulnerabilityName>
+    <vulnerabilityName>CVE-2023-52070</vulnerabilityName>
+  </suppress>
 </suppressions>