<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
              xsi:schemaLocation="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd
              https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <!-- Review note: the rationale below is a deserialization argument ("the data serialized by the
             application is trusted"), and the "NOTE: the vendor's position" sentence is the same text this
             file attaches to CVE-2016-1000027 in a later entry. Neither CVE-2020-5408 nor CVE-2018-1258 is
             generally described as a deserialization issue, so confirm the justification actually applies
             to these two ids and record the artifact-specific reason. Using <vulnerabilityName> for one CVE
             id and <cve> for the other is accepted by the schema, but <cve> is the more specific selector. -->
        <notes><![CDATA[
   file name: spring-security-crypto-5.8.*.jar
   The data serialized by the application is trusted
   NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
        <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
        <cve>CVE-2018-1258</cve>
    </suppress>
    <suppress>
        <!-- Review note: the notes justify only CVE-2016-1000027; CVE-2018-1258 is suppressed here as well with
             no stated reason. The packageUrl also matches spring-core, while the notes name only the spring-web
             jar. Add the reason for accepting CVE-2018-1258 (or move it to an entry scoped to the artifact it
             concerns) and keep the file name in the notes in sync with the selector. -->
        <notes><![CDATA[
   file name: spring-web-5.3.*.jar
   CVE-2016-1000027 - The data serialized by the application are from authenticated users and trusted
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-(web|core)@.*$</packageUrl>
        <cve>CVE-2016-1000027</cve>
        <cve>CVE-2018-1258</cve>
    </suppress>
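    <suppress>
        <!-- Review note: this entry carried no packageUrl/filePath/sha1 selector. A <cve> suppression without a
             selector applies to every dependency in the scan, not only to the spring-core jar named in the notes.
             It is scoped to spring-core here, which matches the spring-(web|core) entry in this file that already
             suppresses the same id for the same reason. If the jar nested in smp.war is still reported after
             scoping, add a filePath selector for it rather than dropping the packageUrl. -->
        <notes><![CDATA[
   file name: smp.war: spring-core-5.3.31.jar
   The data serialized by the application are from authenticated users and trusted
   NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
        <cve>CVE-2016-1000027</cve>
    </suppress>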
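    <suppress>
        <!-- Review note: this entry carried no packageUrl/filePath/sha1 selector, so CVE-2018-1258 was suppressed
             for every dependency in the scan. It is scoped here to the spring-security artifacts the notes name
             (smp.war: spring-security-*.jar). The notes still give no rationale for accepting CVE-2018-1258;
             record why it does not apply to this application before relying on this entry. -->
        <notes><![CDATA[
   file name: smp.war: spring-security-*.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-.*@.*$</packageUrl>
        <cve>CVE-2018-1258</cve>
    </suppress>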

    <suppress>
        <!-- Review note: the rationale is API-usage based (createTempDir and FileBackedOutputStream are not called),
             which is the right kind of argument, but it ages silently: re-check it whenever guava usage changes.
             The selector matches every guava version (@.*), so the suppression outlives an upgrade to a fixed
             release; harmless, but a version-bounded pattern would make the entry expire on its own. -->
        <notes><![CDATA[
        CVE-2020-8908 -  we don't use com.google.common.io.Files.createTempDir()
        CVE-2023-2976 - we don't use FileBackedOutputStream
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
        <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
        <vulnerabilityName>CVE-2023-2976</vulnerabilityName>
    </suppress>
    <suppress>
        <!-- Review note: the rationale holds only while no externally supplied YAML reaches the parser; re-confirm
             it whenever a new YAML-consuming path is added. One sentence covers seven ids, and CVE-2022-1471 is a
             different class of issue from the remaining ids (presumably the resource-exhaustion ones), so it
             deserves its own line in the notes. The notes name snakeyaml-1.30.jar but the selector matches every
             version (@.*); a version-bounded pattern would retire this entry on upgrade. -->
        <notes><![CDATA[
   file name: snakeyaml-1.30.jar
   The vulnerability is not impacting smp.war,
   because is part of spring boot - intended only for demo and testing. Also Yaml configuration is not exposed
   to external users.
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
        <cve>CVE-2022-1471</cve>
        <cve>CVE-2022-25857</cve>
        <cve>CVE-2022-38749</cve>
        <cve>CVE-2022-38751</cve>
        <cve>CVE-2022-38752</cve>
        <cve>CVE-2022-41854</cve>
        <cve>CVE-2022-38750</cve>
    </suppress>
    <suppress>
        <!-- Review note: the rationale rests on the precondition (an externally constructed cyclic structure) being
             unreachable in SMP, which is a sound, usage-specific argument. The notes name jackson-databind-2.15.2.jar
             while the selector matches every version (@.*); consider bounding it so the entry is revisited on
             upgrade. -->
        <notes><![CDATA[
   file name: jackson-databind-2.15.2.jar
   The vulnerability is not exploitable by SMP usage of the library.
   NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing
   a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
        <cve>CVE-2023-35116</cve>
    </suppress>
    <suppress>
        <!-- Review note: the rationale is about deployment context (the embedded container is used only for demo and
             testing), not about how the library is used; it stops holding the moment smp.war is run on the embedded
             container outside that context. State that assumption in the notes and re-check it on each release. -->
        <notes><![CDATA[
   file name: tomcat-embed-websocket-9.0.x.jar
   The vulnerability is not impacting smp.war,
   because is part of spring boot - intended only for demo and testing.
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed\-websocket@.*$</packageUrl>
        <cve>CVE-2023-41080</cve>
    </suppress>
    <suppress>
        <!-- Review note: accepted on the basis that the id is disputed upstream and the library is only a transitive
             dependency of WSS4J. The notes already ask for a re-check when WSS4J is upgraded; track that as a task
             rather than leaving it in the suppression text, since the selector matches every joda-time version
             (@.*) and will keep suppressing after the upgrade. -->
        <notes><![CDATA[
            File name: joda-time-2.x
            This is transitive library of the 2WaySec, WSS4J 2.4.x: Check if this is needed when using WSS4J is upgrades
            and is not directly used by the 2waySSL library.
            NOTE: Currently the latest version 2.12.7 still report the same issue.
            This is disputed by multiple third parties who believe  there was not reasonable evidence to determine the existence of a vulnerability.
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/joda\-time/joda\-time@.*$</packageUrl>
        <vulnerabilityName>CVE-2024-23080</vulnerabilityName>
    </suppress>
</suppressions>