From 026fd8ca5a131a0e470f47ded11f3b3ec2f62142 Mon Sep 17 00:00:00 2001
From: RIHTARSIC Joze <joze.rihtarsic@ext.ec.europa.eu>
Date: Fri, 8 Dec 2023 10:53:51 +0100
Subject: [PATCH] Upgrade libraries and plugins

---
 owasp-false-positive-warnings.xml | 36 +++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)

diff --git a/owasp-false-positive-warnings.xml b/owasp-false-positive-warnings.xml
index 86117b97b..e3801b29e 100644
--- a/owasp-false-positive-warnings.xml
+++ b/owasp-false-positive-warnings.xml
@@ -3,9 +3,11 @@
 xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
 xsi:schemaLocation="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
- <suppress>
+ <!--suppress>
 <notes><![CDATA[
 file name: spring-security-crypto-5.8.*.jar
+ The data serialized by the application is trusted
+ NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
 <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
@@ -14,6 +16,7 @@
 <suppress>
 <notes><![CDATA[
 file name: spring-web-5.3.*.jar
+ CVE-2016-1000027 - The data serialized by the application are from authenticated users and trusted
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-(web|core)@.*$</packageUrl>
 <cve>CVE-2016-1000027</cve>
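Review bot: The changed line turns `<suppress>` into `<!--suppress>`, opening an XML comment that is only closed by `</suppress -->` in the last hunk (`@@ -78,9 +102,9 @@`), so every suppression in the file, including the justification notes added by the hunks in between, is commented out and dependency-check loads an empty suppression list. The commit message ("Upgrade libraries and plugins") does not say this is intended; if the findings are meant to resurface for re-evaluation after the upgrade, the message should say so, otherwise the two markers should be `<suppress>` and `</suppress>` again. An XML comment also must not contain `--`, so if any note between the two markers holds a double hyphen (the lines between the hunks are not visible here), the file is no longer well-formed and the scan fails to parse it rather than quietly suppressing nothing.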
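Review bot: The note added here justifies a suppression whose `packageUrl` regex (`^pkg:maven/org\.springframework/spring\-(web|core)@.*$`) matches every version of spring-web and spring-core, so the "authenticated users and trusted" argument for CVE-2016-1000027 is never re-examined, not even across the library upgrade this commit performs. The suppression schema's expiry attribute, `<suppress until="YYYY-MM-DD">` (date is a placeholder), or a version-anchored regex would bring the entry back for review at a known point. The same unbounded pattern covers the guava, snakeyaml, jackson-databind, tomcat-embed-websocket and dom4j entries in `@@ -35,6 +40,17 @@`, `@@ -42,7 +58,10 @@`, `@@ -56,13 +75,18 @@` and `@@ -70,7 +94,7 @@`; the `<sha1>`-keyed entries are already pinned to one artefact. The note itself would be stronger if it said which serialized input exists and why it cannot be attacker-controlled, since being authenticated alone does not establish that.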
@@ -22,6 +25,8 @@
 <suppress>
 <notes><![CDATA[
 file name: smp.war: spring-core-5.3.31.jar
+ The data serialized by the application are from authenticated users and trusted
+ NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
 ]]></notes>
 <sha1>368e76f732a3c331b970f69cafec1525d27b34d3</sha1>
 <cve>CVE-2016-1000027</cve>
@@ -35,6 +40,17 @@
 <suppress>
 <notes><![CDATA[
 file name: guava-30.1-jre.jar
+ CVE-2020-8908 - we don't use com.google.common.io.Files.createTempDir()
+ CVE-2023-2976 - we don't use FileBackedOutputStream
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+ <cve>CVE-2020-8908</cve>
+ <cve>CVE-2023-2976</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ CVE-2020-8908 - we don't use com.google.common.io.Files.createTempDir()
+ CVE-2023-2976 - we don't use FileBackedOutputStream
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
 <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
@@ -42,7 +58,10 @@
 </suppress>
 <suppress>
 <notes><![CDATA[
- file name: snakeyaml-1.30.jar part of spring boot - just for demo and testing
+ file name: snakeyaml-1.30.jar
+ The vulnerability is not impacting smp.war,
+ because is part of spring boot - intended only for demo and testing. Also Yaml configuration is not exposed
+ to external users.
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
 <cve>CVE-2022-1471</cve>
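Review bot: The new guava `<suppress>` block added in this hunk duplicates the one directly above it: both carry the same `packageUrl` regex and the same two note lines, one matching by `<cve>` and the other by `<vulnerabilityName>`, and the second has dropped the `file name:` line every other entry starts with. As far as I know the suppression schema lets one `<suppress>` hold both `<cve>` and `<vulnerabilityName>` children, so a single block with `<cve>CVE-2020-8908</cve>`, `<cve>CVE-2023-2976</cve>` and the `<vulnerabilityName>` entries keeps the intent with half the text to maintain. If the split is deliberate (for example one block per analyzer that reports the finding), a one-line comment saying so would stop the next reader from merging them.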
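Review bot: The rewritten note argues CVE-2022-1471 is "not impacting smp.war" because the jar only arrives with the Spring Boot demo/test packaging, but the suppression is keyed on `^pkg:maven/org\.yaml/snakeyaml@.*$`, which also silences the finding if snakeyaml ever does end up inside smp.war; if the artefact really is demo-only, a `<filePath regex="true">` scoped to that bundle (or the `until` expiry) would make the rule match the argument. CVE-2022-1471 concerns loading untrusted YAML through SnakeYAML's Constructor, so "Yaml configuration is not exposed to external users" is the load-bearing claim and the note should say what was checked: which YAML inputs exist and who can write them. Minor wording: `because it is part of Spring Boot - intended only for demo and testing. The YAML configuration is also not exposed to external users.`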
@@ -56,13 +75,18 @@
 <suppress>
 <notes><![CDATA[
 file name: jackson-databind-2.15.2.jar
+ The vulnerability is not exploitable by SMP usage of the library.
+ NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing
+ a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
 <cve>CVE-2023-35116</cve>
 </suppress>
 <suppress>
- <notes><![CDATA[Only for demo and testing
+ <notes><![CDATA[
 file name: tomcat-embed-websocket-9.0.x.jar
+ The vulnerability is not impacting smp.war,
+ because is part of spring boot - intended only for demo and testing.
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed\-websocket@.*$</packageUrl>
 <cve>CVE-2023-41080</cve>
@@ -70,7 +94,7 @@
 <suppress>
 <notes><![CDATA[
 file name: dom4j-2.1.3/4.jar
- Used internally by hibernate-envers
+ Used internally by hibernate-envers not exposed to external users/attackers
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/org\.dom4j/dom4j@.*$</packageUrl>
 <cve>CVE-2023-45960</cve>
@@ -78,9 +102,9 @@
 <suppress>
 <notes><![CDATA[
 file name: bdmsl-webapp.war: dom4j-2.1.3.jar
- Used internally by hibernate-envers
+ Used internally by hibernate-envers not exposed to external users/attackers
 ]]></notes>
 <sha1>a75914155a9f5808963170ec20653668a2ffd2fd</sha1>
 <cve>CVE-2023-45960</cve>
- </suppress>
+ </suppress -->
 </suppressions>
-- GitLab
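Review bot: The reworded dom4j note in `@@ -70,7 +94,7 @@` (and the identical line in `@@ -78,9 +102,9 @@`) asserts the library is "not exposed to external users/attackers" without saying what establishes that; CVE-2023-45960 is an XML-parsing (XXE-class) issue, so the fact that carries the suppression is which XML dom4j parses in this deployment and whether any of it can originate outside the application. Suggest naming the input so the next reviewer can verify rather than re-derive it, e.g. `Used internally by hibernate-envers; it only parses <which XML - fill in>, and no user-supplied XML reaches dom4j`, with the placeholder replaced by whoever checked it. A comma after `hibernate-envers` would also keep the current line readable.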