Upgrade libraries and plugins

026fd8ca · Joze RIHTARSIC · 3d6e79ad · 026fd8ca
Commit 026fd8ca authored 1 year ago by Joze RIHTARSIC
--- a/owasp-false-positive-warnings.xml
+++ b/owasp-false-positive-warnings.xml
@@ -3,9 +3,11 @@
              xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
              xsi:schemaLocation="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd
              https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
+    <!--suppress>
        <notes><![CDATA[
   file name: spring-security-crypto-5.8.*.jar
+   The data serialized by the application is trusted
+   NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
        <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
@@ -14,6 +16,7 @@
    <suppress>
        <notes><![CDATA[
   file name: spring-web-5.3.*.jar
+   CVE-2016-1000027 - The data serialized by the application are from authenticated users and trusted
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-(web|core)@.*$</packageUrl>
        <cve>CVE-2016-1000027</cve>
@@ -22,6 +25,8 @@
    <suppress>
        <notes><![CDATA[
   file name: smp.war: spring-core-5.3.31.jar
+   The data serialized by the application are from authenticated users and trusted
+   NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
   ]]></notes>
        <sha1>368e76f732a3c331b970f69cafec1525d27b34d3</sha1>
        <cve>CVE-2016-1000027</cve>
@@ -35,6 +40,17 @@
    <suppress>
        <notes><![CDATA[
   file name: guava-30.1-jre.jar
+   CVE-2020-8908 -  we don't use com.google.common.io.Files.createTempDir()
+   CVE-2023-2976 - we don't use FileBackedOutputStream
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+        <cve>CVE-2020-8908</cve>
+        <cve>CVE-2023-2976</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        CVE-2020-8908 -  we don't use com.google.common.io.Files.createTempDir()
+        CVE-2023-2976 - we don't use FileBackedOutputStream
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
        <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
@@ -42,7 +58,10 @@
    </suppress>
    <suppress>
        <notes><![CDATA[
-   file name: snakeyaml-1.30.jar part of spring boot - just for demo and testing
+   file name: snakeyaml-1.30.jar
+   The vulnerability is not impacting smp.war,
+   because is part of spring boot - intended only for demo and testing. Also Yaml configuration is not exposed
+   to external users.
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
        <cve>CVE-2022-1471</cve>
@@ -56,13 +75,18 @@
    <suppress>
        <notes><![CDATA[
   file name: jackson-databind-2.15.2.jar
+   The vulnerability is not exploitable by SMP usage of the library.
+   NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing
+   a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
        <cve>CVE-2023-35116</cve>
    </suppress>
    <suppress>
-        <notes><![CDATA[Only for demo and testing
+        <notes><![CDATA[
   file name: tomcat-embed-websocket-9.0.x.jar
+   The vulnerability is not impacting smp.war,
+   because is part of spring boot - intended only for demo and testing.
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed\-websocket@.*$</packageUrl>
        <cve>CVE-2023-41080</cve>
@@ -70,7 +94,7 @@
    <suppress>
        <notes><![CDATA[
   file name: dom4j-2.1.3/4.jar
-    Used internally by hibernate-envers
+    Used internally by hibernate-envers not exposed to external users/attackers
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.dom4j/dom4j@.*$</packageUrl>
        <cve>CVE-2023-45960</cve>
@@ -78,9 +102,9 @@
    <suppress>
        <notes><![CDATA[
   file name: bdmsl-webapp.war: dom4j-2.1.3.jar
-      Used internally by hibernate-envers
+      Used internally by hibernate-envers not exposed to external users/attackers
   ]]></notes>
        <sha1>a75914155a9f5808963170ec20653668a2ffd2fd</sha1>
        <cve>CVE-2023-45960</cve>
-    </suppress>
+    </suppress -->
 </suppressions>