<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
              xsi:schemaLocation="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <suppress>
    <notes><![CDATA[
      file name: spring-security-crypto-5.8.*.jar
      The data serialized by the application is trusted.
      NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior
      will not be changed because some users rely on deserialization of trusted data.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
    <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
    <cve>CVE-2018-1258</cve>
  </suppress>

  <suppress>
    <notes><![CDATA[
      file name: spring-web-5.3.*.jar
      CVE-2016-1000027 - The data serialized by the application come from authenticated users and are trusted.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-(web|core)@.*$</packageUrl>
    <cve>CVE-2016-1000027</cve>
    <cve>CVE-2018-1258</cve>
  </suppress>

  <suppress>
    <notes><![CDATA[
      file name: smp.war: spring-core-5.3.31.jar
      The data serialized by the application come from authenticated users and are trusted.
      NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior
      will not be changed because some users rely on deserialization of trusted data.
    ]]></notes>
    <cve>CVE-2016-1000027</cve>
  </suppress>

  <suppress>
    <notes><![CDATA[
      file name: smp.war: spring-security-*.jar
    ]]></notes>
    <cve>CVE-2018-1258</cve>
  </suppress>

  <suppress>
    <notes><![CDATA[
      CVE-2020-8908 - we don't use com.google.common.io.Files.createTempDir()
      CVE-2023-2976 - we don't use FileBackedOutputStream
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
    <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
    <vulnerabilityName>CVE-2023-2976</vulnerabilityName>
  </suppress>

  <suppress>
    <notes><![CDATA[
      file name: snakeyaml-1.30.jar
      The vulnerability does not impact smp.war, because the library is part of Spring Boot and is intended
      only for demo and testing. Also, YAML configuration is not exposed to external users.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
    <cve>CVE-2022-1471</cve>
    <cve>CVE-2022-25857</cve>
    <cve>CVE-2022-38749</cve>
    <cve>CVE-2022-38751</cve>
    <cve>CVE-2022-38752</cve>
    <cve>CVE-2022-41854</cve>
    <cve>CVE-2022-38750</cve>
  </suppress>

  <suppress>
    <notes><![CDATA[
      file name: jackson-databind-2.15.2.jar
      The vulnerability is not exploitable through SMP's usage of the library.
      NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of
      constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
    <cve>CVE-2023-35116</cve>
  </suppress>

  <suppress>
    <notes><![CDATA[
      file name: tomcat-embed-websocket-9.0.x.jar
      The vulnerability does not impact smp.war, because the library is part of Spring Boot and is intended
      only for demo and testing.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed\-websocket@.*$</packageUrl>
    <cve>CVE-2023-41080</cve>
  </suppress>

  <suppress>
    <notes><![CDATA[
      file name: joda-time-2.x
      This is a transitive dependency of 2WaySec (WSS4J 2.4.x): check whether it is still needed when WSS4J
      is upgraded; it is not used directly by the 2waySSL library.
      NOTE: currently the latest version, 2.12.7, still reports the same issue. The CVE is disputed by multiple
      third parties who believe there was not reasonable evidence to determine the existence of a vulnerability.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/joda\-time/joda\-time@.*$</packageUrl>
    <vulnerabilityName>CVE-2024-23080</vulnerabilityName>
  </suppress>

</suppressions>
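Two of the entries above (CVE-2016-1000027 for `smp.war: spring-core-5.3.31.jar` and CVE-2018-1258 for `smp.war: spring-security-*.jar`) carry only a `notes` element and no `packageUrl`, `filePath`, `sha1` or `gav`, so Dependency-Check will suppress those CVEs for every dependency in the scan, not just the one named in the note; none of the entries sets the schema's `until` attribute, so they never come up for re-review. The following script is an added example, not part of this suppression file or of Dependency-Check itself, that parses a suppression file and flags unscoped entries, entries with no justification and entries with no expiry. The embedded XML is constructed to mirror the structure of the file above; the `until` date and the third entry are assumptions for illustration.

```python
"""Audit an OWASP Dependency-Check suppression file for over-broad entries.

Added example; not part of the suppression file or of Dependency-Check.
The sample XML below is constructed to mirror the file's structure.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

NS = {"dc": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}
# Elements that bind a <suppress> to a specific dependency.
SCOPE_TAGS = ("filePath", "sha1", "gav", "packageUrl")
# Elements that name what is being suppressed.
MATCH_TAGS = ("cve", "cpe", "vulnerabilityName", "cvssBelow")


@dataclass
class Suppression:
    notes: str
    scope: List[Tuple[str, str]]    # e.g. ("packageUrl", "^pkg:maven/...$")
    matches: List[Tuple[str, str]]  # e.g. ("cve", "CVE-2018-1258")
    until: Optional[str]            # value of the until="YYYY-MM-DD" attribute, if any


def parse_suppressions(xml_text: str) -> List[Suppression]:
    """Parse every <suppress> element of a schema-1.3 suppression document."""
    root = ET.fromstring(xml_text)
    entries = []
    for s in root.findall("dc:suppress", NS):
        notes_el = s.find("dc:notes", NS)
        notes = (notes_el.text or "").strip() if notes_el is not None else ""
        scope = [(t, el.text.strip()) for t in SCOPE_TAGS for el in s.findall(f"dc:{t}", NS)]
        matches = [(t, el.text.strip()) for t in MATCH_TAGS for el in s.findall(f"dc:{t}", NS)]
        entries.append(Suppression(notes, scope, matches, s.get("until")))
    return entries


def audit(entries: List[Suppression]) -> List[Tuple[int, str, str]]:
    """Return (entry index, finding code, suppressed ids) triples.

    UNSCOPED  - no filePath/sha1/gav/packageUrl: the id is hidden for every dependency
    NO_NOTES  - no written justification for a later reviewer
    NO_EXPIRY - no until="..." date, so the suppression is never revisited
    """
    findings = []
    for i, e in enumerate(entries):
        ids = ", ".join(v for _, v in e.matches) or "(no id)"
        if not e.scope:
            findings.append((i, "UNSCOPED", ids))
        if not e.notes:
            findings.append((i, "NO_NOTES", ids))
        if e.until is None:
            findings.append((i, "NO_EXPIRY", ids))
    return findings


def suppressed_ids(entries: List[Suppression]) -> Counter:
    """Count how many entries suppress each CVE / vulnerability name (duplicates are worth a look)."""
    return Counter(v for e in entries for _, v in e.matches)


# Constructed sample: a scoped entry, an unscoped entry, and an expiring entry without notes.
SAMPLE = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[ spring-security-crypto: the data serialized by the application is trusted ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
    <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
    <cve>CVE-2018-1258</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ smp.war: spring-security-*.jar ]]></notes>
    <cve>CVE-2018-1258</cve>
  </suppress>
  <suppress until="2025-06-30Z">
    <packageUrl regex="true">^pkg:maven/joda\-time/joda\-time@.*$</packageUrl>
    <vulnerabilityName>CVE-2024-23080</vulnerabilityName>
  </suppress>
</suppressions>
"""


if __name__ == "__main__":
    parsed = parse_suppressions(SAMPLE)
    for idx, code, ids in audit(parsed):
        print(f"suppress[{idx}] {code}: {ids}")
    for vuln_id, n in suppressed_ids(parsed).items():
        if n > 1:
            print(f"{vuln_id} is suppressed by {n} entries")
```

Run it against the real file with `parse_suppressions(open("suppressions.xml").read())`; an `UNSCOPED` finding on a CVE such as CVE-2018-1258 means the entry should gain a `packageUrl` (or `filePath`/`sha1`/`gav`) so that a future dependency affected by the same CVE is not silently hidden.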