suppression.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- This file lists false positives found by org.owasp:dependency-check-maven build plugin -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
	<suppress>
		<notes><![CDATA[
		Suppress all for this javax.servlet api package:
		There are lots of false positives, simply because its version number is way beyond the remaining
		org.eclipse.jetty jar files. Note, that our actual Jetty version is different.

		As long as we don't suppress anything in org.eclipse.jetty:jetty-server or :jetty-servlet,
		vulnerabilities will still trigger if we actually use an outdated Jetty version.
		]]></notes>
		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
		<cpe regex="true">.*</cpe>
	</suppress>
	<suppress>
		<notes><![CDATA[
			Incorrectly matched CPE, see https://github.com/jeremylong/DependencyCheck/issues/4177git
		]]></notes>
		<gav regex="true">org\.cryptomator:.*</gav>
		<cpe>cpe:/a:cryptomator:cryptomator</cpe>
		<cve>CVE-2022-25366</cve>
	</suppress>
	<suppress>
		<notes><![CDATA[
  		Suppress false positive, because com.google.common.io.Files.getTempDir() is not used
   ]]></notes>
		<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
		<vulnerabilityName>CVE-2020-8908</vulnerabilityName>
		<cve>CVE-2020-8908</cve>
	</suppress>
	<suppress>
   		<notes><![CDATA[
			The project does not use the HttpURI class at all, so no decoded user data is passed to it.
			See also https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh.
		]]></notes>
   		<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty-http@.*$</packageUrl>
   		<vulnerabilityName>CVE-2024-6763</vulnerabilityName>
</suppress>

</suppressions>