.nvd-suppressions.xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
    file name: jackson-databind-2.15.2.jar
    This is only triggered if you feed jackson circular input. See
    https://github.com/FasterXML/jackson-databind/issues/3972.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
    <cve>CVE-2023-35116</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[
    file name: snakeyaml-1.33.jar
    This only impacts deserialization, and we only serialize yaml. We would have
    to upgrade to SnakeYAML 2.0 to address this, and we use SnakeYAML via
    ring-middleware-format, which does not support v2.0.
    See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in
    for a discussion of the CVE.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
    <cve>CVE-2022-1471</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[
    This CVE only impacts programs using Clojure < 1.9.0, and gets reported for any jar
    that has a lower Clojure in its pom, even if the project being checked is using a
    newer Clojure (as we are).
    ]]></notes>
    <cve>CVE-2017-20189</cve>
  </suppress>
</suppressions>
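To see what a file like this actually hides, the following added example (not code from this project or from OWASP Dependency-Check) parses a constructed copy of the file and evaluates findings against it: a regex `packageUrl` only suppresses the named artifact, while the third `<suppress>`, which has no `packageUrl`, hides CVE-2017-20189 for every dependency in the scan. The matching semantics (full regex match, exact CVE, unscoped rules applying globally) are my reading of the 1.3 schema, not verified tool behaviour.

```python
"""Which Dependency-Check findings would this .nvd-suppressions.xml hide? Added example,
not the project's or Dependency-Check's code; matching rules are my reading of the schema."""
import re
import xml.etree.ElementTree as ET

NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}
# Constructed copy of the suppression file above, with the notes shortened.
SUPPRESSIONS_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[jackson: only reachable with circular input]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
    <cve>CVE-2023-35116</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[snakeyaml: deserialization only, we only serialize]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
    <cve>CVE-2022-1471</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[clojure: only affects Clojure < 1.9.0]]></notes>
    <cve>CVE-2017-20189</cve>
  </suppress>
</suppressions>
"""

def load_rules(xml_text):
    """Parse each <suppress> into notes, packageUrl (None if absent), regex flag and CVE list."""
    rules = []
    for sup in ET.fromstring(xml_text.encode("utf-8")).findall("s:suppress", NS):
        purl = sup.find("s:packageUrl", NS)
        rules.append({"notes": sup.findtext("s:notes", default="", namespaces=NS).strip(),
                      "purl": None if purl is None else purl.text.strip(),
                      "regex": purl is not None and purl.get("regex") == "true",
                      "cves": [c.text.strip() for c in sup.findall("s:cve", NS)]})
    return rules

def suppression_for(rules, purl, cve):
    """Notes of the first rule hiding (purl, cve), or None if the finding stays visible."""
    for r in rules:
        if cve not in r["cves"]:
            continue
        if r["purl"] is None or (re.fullmatch(r["purl"], purl) if r["regex"] else r["purl"] == purl):
            return r["notes"]  # a rule with no packageUrl hides this CVE for every dependency
    return None

def unscoped_rules(rules):
    """Rules with no packageUrl; worth a review, since each hides a CVE for every dependency."""
    return [r for r in rules if r["purl"] is None]
```

Running `unscoped_rules` as part of a suppression-file review surfaces the global rules, which are the ones that keep hiding a CVE after the dependency they were written for is gone.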