+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-
- <!--
- This file lists the false-positives (the vulnerabilities that can not be exploited)
- -->
-
- <suppress>
- <!--
- Elasticsearch API key service is not enabled.
- See https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908
- Fixed in Elasticsearch 6.8.4
- -->
- <cve>CVE-2019-7619</cve>
- <cve>CVE-2020-7009</cve>
- <cve>CVE-2020-7014</cve>
-
- <!--
- Elasticsearch field level security feature is not used.
- See https://www.elastic.co/guide/en/elasticsearch/reference/current/field-level-security.html
- and https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456
- Fixed in Elasticsearch 6.8.12
- -->
- <cve>CVE-2020-7019</cve>
-
- <!--
- The vulnerability is about multiple users submitting requests to Elasticsearch. It's not
- a false-positive because requests are sent anonymously. Authentication is disabled.
- Fixed in Elasticsearch 6.8.2
- -->
- <cve>CVE-2019-7614</cve>
-
- <!--
- Jenkins plugin - fixed in v2.8.1
- See https://www.jenkins.io/security/advisory/2018-09-25/#SECURITY-1163CVE-2018-20200 and
- https://jira.sonarsource.com/browse/SONARJNKNS-301
- -->
- <cve>CVE-2018-1000425</cve>
-
- <!--
- Irrelevant exploit in OkHttp. It requires to control the server and to allow sniffing network traffic!
- Obfuscating the code makes the documentation of the CVE impossible to apply.
- See https://github.com/square/okhttp/issues/4967 and https://github.com/boclips/videos/commit/9f6c5ba96063f14fb6033f4f6efa6caf3c2701bd
- -->
- <cve>CVE-2018-20200</cve>
-
- <!--
- Vulnerability in the Spring version embedded into sonar-security-java-frontend-plugin. Fixed in 8.4.
- See https://jira.sonarsource.com/browse/SONARSEC-1189 and https://nvd.nist.gov/vuln/detail/CVE-2020-5398
- -->
- <cve>CVE-2020-5398</cve>
-
- <!--
- Log4J SMTP Appender is not enabled, so the vulnerability is not exploitable.
- See https://nvd.nist.gov/vuln/detail/CVE-2020-9488
- -->
- <cve>CVE-2020-9488</cve>
-
- <!--
- SnakeYML vulnerability if the Elasticsearch YML configuration files have too many recursive aliases.
- Fixed in SnakeYML 1.26.
- Not exploitable because the file elasticsearch/config/*.yml are not supposed to be edited outside the build.
- https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion
- https://en.wikipedia.org/wiki/Billion_laughs_attack
- -->
- <cve>CVE-2017-18640</cve>
-
- <!--
- These 2 CVEs were opened in 2007, without any resolution. It's apparently about OpenID which
- is not safe by design.
- Anyway OpenID is not used. Microsoft authentication relies on OpenID Connect and OAuth 2.0.
- See MSAL https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-adal-msal-java
- -->
- <cve>CVE-2007-1651</cve>
- <cve>CVE-2007-1652</cve>
-
- <!--
- This is a Suse packaging issue, not a Tomcat one
- See https://nvd.nist.gov/vuln/detail/CVE-2020-8022 and https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1@%3Cusers.tomcat.apache.org%3E
- -->
- <cve>CVE-2020-8022</cve>
-
- <!--
- Fixed in SQ 7.8. See https://jira.sonarsource.com/browse/SSF-74
- -->
- <cve>CVE-2019-17579</cve>
-
- <!--
- Fixed in SQ 7.4. See https://jira.sonarsource.com/browse/SONAR-11305
- -->
- <cve>CVE-2018-19413</cve>
- </suppress>
-
- <suppress>
- <!--
- false-positive - the OWASP tool considers SQ as being
- gitlab 8.0, which comes with many vulnerabilities!
- -->
- <filePath regex="true">.*build\.gradle</filePath>
- <cpe>cpe:/a:gitlab:gitlab</cpe>
- </suppress>
-
- <suppress>
- <!--
- false-positive - the OWASP tool considers sonar-auth-gitlab@8.0-SNAPSHOT as being
- gitlab 8.0, which comes with many vulnerabilities!
- -->
- <filePath regex="true">.*sonar-auth-gitlab-8.*\.jar.*</filePath>
- <cpe>cpe:/a:gitlab:gitlab:8</cpe>
- </suppress>
-
-
- <suppress>
- <!--
- The commons-compress 1.8 bundled with CSS analyzer is not used. Its vulnerabilities
- can't be exploited.
- Noise will be killed in https://github.com/SonarSource/sonar-css/issues/260
- -->
- <filePath regex="true">.*sonar-css-plugin-1\.2.*\.jar.*</filePath>
- <cve>CVE-2019-12402</cve>
- </suppress>
-
- <suppress>
- <!--
- false-positive - the OWASP tool considers sonar-ruby-plugin 1.7 as being
- ruby 1.7, which comes with many vulnerabilities!
- -->
- <packageUrl regex="true">pkg:maven/org\.sonarsource\.slang/sonar-ruby-plugin@1\..*</packageUrl>
- <cpe>cpe:/a:ruby-lang:ruby:1</cpe>
- </suppress>
-
- <suppress>
- <!--
- false-positive - the OWASP tool considers sonar-scala-plugin 1.x as being
- scala 1.x, which come with many vulnerabilities
- -->
- <packageUrl regex="true">pkg:maven/org\.sonarsource\.slang/sonar-scala-plugin@1\..*</packageUrl>
- <cpe>cpe:/a:scala-lang:scala:1</cpe>
- </suppress>
-
- <suppress>
- <!-- JRuby dirgra 0.3 is unexpectedly considered as JRuby 0.3 -->
- <packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
- <cpe>cpe:/a:jruby:jruby</cpe>
- </suppress>
-
- <suppress>
- <!-- The sonar-scm-git-plugin 1.12 is unexpectedly considered as git 1.12 -->
- <packageUrl>pkg:maven/org.sonarsource.scm.git/sonar-scm-git-plugin@1.12.0.2034</packageUrl>
- <cpe>cpe:/a:git-scm:git</cpe>
- </suppress>
-
- <suppress>
- <!--
- The Java JSON libraries are unexpectedly considered as JS libraries suffering from
- the json node module vulnerabilities.
- -->
- <packageUrl regex="true">^pkg:maven/.*$</packageUrl>
- <cpe>cpe:/a:json_project:json</cpe>
- </suppress>
-
- <suppress>
- <!--
- This Guava vulnerability is not exploitable in the ABAP analyzer.
- However it's planned to kill the noise:
- https://jira.sonarsource.com/browse/SONARABAP-421
- -->
- <filePath regex="true">.*com\.sonarsource\.abap/sonar-abap-plugin.*</filePath>
- <cve>CVE-2018-10237</cve>
- </suppress>
-
- <suppress>
- <!--
- This Guava vulnerability is not exploitable in the PLSQL analyzer.
- However it's planned to kill the noise:
- https://jira.sonarsource.com/browse/SONARPLSQL-738
- -->
- <filePath regex="true">.*com\.sonarsource\.plsql/sonar-plsql-plugin/3\.4.*</filePath>
- <cve>CVE-2018-10237</cve>
- </suppress>
-
- <suppress>
- <!--
- False-positive - the subproject agentproxy
- is considered as being the JCraft project.
- -->
- <packageUrl regex="true">pkg:maven/com\.jcraft/jsch\.agentproxy\..*@0.0.7</packageUrl>
- <cve>CVE-2016-5725</cve>
- </suppress>
-
- <suppress>
- <notes>
- <![CDATA[
- file name: alm-gallery-client-1.0.2.jar will be matched to a wrong cpe string
- ]]>
- </notes>
- <packageUrl regex="true">^pkg:maven/com\.sonarsource\.vsts/alm\-gallery\-client@.*$</packageUrl>
- <cpe>cpe:/a:gallery:gallery</cpe>
- </suppress>
-
- <!-- False Positive: Version of kotlin lib is not vulnerable to this CVE -->
- <suppress>
- <notes><![CDATA[
- file name: kotlin-stdlib-common-1.4.10.jar
- ]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib(\-common)?@1.4.10$</packageUrl>
- <cve>CVE-2020-15824</cve>
- </suppress>
-
- <!-- False Positive: The CVE is for hazelcast:1.8.0 not hazelcast-client-protocol -->
- <suppress>
- <notes><![CDATA[
- file name: hazelcast-3.12.9.jar (shaded: com.hazelcast:hazelcast-client-protocol:1.8.0)
- ]]></notes>
- <packageUrl regex="true">^pkg:maven/com\.hazelcast/hazelcast\-client\-protocol@.*$</packageUrl>
- <cve>CVE-2016-10750</cve>
- </suppress>
-</suppressions>
projects / sonarqube.git / commitdiff