From 53de04965d795e18c1192a0032f4c0376af49917 Mon Sep 17 00:00:00 2001
From: Malena Ebert <malena.ebert@sonarsource.com>
Date: Mon, 2 Nov 2020 10:53:22 +0100
Subject: [PATCH] Move OWASP suppression files to private folder

---
 build.gradle              |   2 +-
 owasp-suppressions.xml    | 218 --------------------------------------
 owasp-vulnerabilities.xml |  35 ------
 3 files changed, 1 insertion(+), 254 deletions(-)
 delete mode 100644 owasp-suppressions.xml
 delete mode 100644 owasp-vulnerabilities.xml

diff --git a/build.gradle b/build.gradle
index 1d06b6f6490..850f58793ff 100644
--- a/build.gradle
+++ b/build.gradle
@@ -55,7 +55,7 @@ dependencyCheck {
   format = 'ALL'
   junitFailOnCVSS = 0
   failBuildOnCVSS = 0
-  suppressionFiles = ["${project.rootDir}/owasp-suppressions.xml", "${project.rootDir}/owasp-vulnerabilities.xml"]
+  suppressionFiles = ["${project.rootDir}/private/owasp/suppressions.xml", "${project.rootDir}/private/owasp/vulnerabilities.xml"]
   skipProjects = project.subprojects
       .findAll {it.name.contains('testing') ||
           it.name.startsWith('it-') ||
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
deleted file mode 100644
index f2ee8bf0694..00000000000
--- a/owasp-suppressions.xml
+++ /dev/null
@@ -1,218 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-
-  <!--
-  This file lists the false-positives (the vulnerabilities that can not be exploited)
-  -->
-
-  <suppress>
-    <!--
-      Elasticsearch API key service is not enabled.
-      See https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908
-      Fixed in Elasticsearch 6.8.4
-    -->
-    <cve>CVE-2019-7619</cve>
-    <cve>CVE-2020-7009</cve>
-    <cve>CVE-2020-7014</cve>
-
-    <!--
-      Elasticsearch field level security feature is not used.
-      See https://www.elastic.co/guide/en/elasticsearch/reference/current/field-level-security.html
-      and https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456
-      Fixed in Elasticsearch 6.8.12
-    -->
-    <cve>CVE-2020-7019</cve>
-
-    <!--
-      The vulnerability is about multiple users submitting requests to Elasticsearch. It's not
-      a false-positive because requests are sent anonymously. Authentication is disabled.
-      Fixed in Elasticsearch 6.8.2
-    -->
-    <cve>CVE-2019-7614</cve>
-
-    <!--
-    Jenkins plugin - fixed in v2.8.1
-    See https://www.jenkins.io/security/advisory/2018-09-25/#SECURITY-1163CVE-2018-20200 and
-    https://jira.sonarsource.com/browse/SONARJNKNS-301
-     -->
-    <cve>CVE-2018-1000425</cve>
-
-    <!--
-    Irrelevant exploit in OkHttp. It requires to control the server and to allow sniffing network traffic!
-    Obfuscating the code makes the documentation of the CVE impossible to apply.
-    See https://github.com/square/okhttp/issues/4967 and https://github.com/boclips/videos/commit/9f6c5ba96063f14fb6033f4f6efa6caf3c2701bd
-    -->
-    <cve>CVE-2018-20200</cve>
-
-    <!--
-    Vulnerability in the Spring version embedded into sonar-security-java-frontend-plugin. Fixed in 8.4.
-    See https://jira.sonarsource.com/browse/SONARSEC-1189 and https://nvd.nist.gov/vuln/detail/CVE-2020-5398
-    -->
-    <cve>CVE-2020-5398</cve>
-
-    <!--
-    Log4J SMTP Appender is not enabled, so the vulnerability is not exploitable.
-    See https://nvd.nist.gov/vuln/detail/CVE-2020-9488
-    -->
-    <cve>CVE-2020-9488</cve>
-
-    <!--
-    SnakeYML vulnerability if the Elasticsearch YML configuration files have too many recursive aliases.
-    Fixed in SnakeYML 1.26.
-    Not exploitable because the file elasticsearch/config/*.yml are not supposed to be edited outside the build.
-    https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion
-    https://en.wikipedia.org/wiki/Billion_laughs_attack
-    -->
-    <cve>CVE-2017-18640</cve>
-
-    <!--
-    These 2 CVEs were opened in 2007, without any resolution. It's apparently about OpenID which
-    is not safe by design.
-    Anyway OpenID is not used. Microsoft authentication relies on OpenID Connect and OAuth 2.0.
-    See MSAL https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-adal-msal-java
-    -->
-    <cve>CVE-2007-1651</cve>
-    <cve>CVE-2007-1652</cve>
-
-    <!--
-    This is a Suse packaging issue, not a Tomcat one
-    See https://nvd.nist.gov/vuln/detail/CVE-2020-8022 and https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1@%3Cusers.tomcat.apache.org%3E
-    -->
-    <cve>CVE-2020-8022</cve>
-
-    <!--
-    Fixed in SQ 7.8. See https://jira.sonarsource.com/browse/SSF-74
-    -->
-    <cve>CVE-2019-17579</cve>
-
-    <!--
-    Fixed in SQ 7.4. See https://jira.sonarsource.com/browse/SONAR-11305
-    -->
-    <cve>CVE-2018-19413</cve>
-  </suppress>
-
-  <suppress>
-    <!--
-    false-positive - the OWASP tool considers SQ as being
-    gitlab 8.0, which comes with many vulnerabilities!
-    -->
-    <filePath regex="true">.*build\.gradle</filePath>
-    <cpe>cpe:/a:gitlab:gitlab</cpe>
-  </suppress>
-
-  <suppress>
-    <!--
-    false-positive - the OWASP tool considers sonar-auth-gitlab@8.0-SNAPSHOT as being
-    gitlab 8.0, which comes with many vulnerabilities!
-    -->
-    <filePath regex="true">.*sonar-auth-gitlab-8.*\.jar.*</filePath>
-    <cpe>cpe:/a:gitlab:gitlab:8</cpe>
-  </suppress>
-
-
-  <suppress>
-    <!--
-    The commons-compress 1.8 bundled with CSS analyzer is not used. Its vulnerabilities
-    can't be exploited.
-    Noise will be killed in https://github.com/SonarSource/sonar-css/issues/260
-    -->
-    <filePath regex="true">.*sonar-css-plugin-1\.2.*\.jar.*</filePath>
-    <cve>CVE-2019-12402</cve>
-  </suppress>
-
-  <suppress>
-    <!--
-    false-positive - the OWASP tool considers sonar-ruby-plugin 1.7 as being
-    ruby 1.7, which comes with many vulnerabilities!
-    -->
-    <packageUrl regex="true">pkg:maven/org\.sonarsource\.slang/sonar-ruby-plugin@1\..*</packageUrl>
-    <cpe>cpe:/a:ruby-lang:ruby:1</cpe>
-  </suppress>
-
-  <suppress>
-    <!--
-    false-positive - the OWASP tool considers sonar-scala-plugin 1.x as being
-    scala 1.x, which come with many vulnerabilities
-    -->
-    <packageUrl regex="true">pkg:maven/org\.sonarsource\.slang/sonar-scala-plugin@1\..*</packageUrl>
-    <cpe>cpe:/a:scala-lang:scala:1</cpe>
-  </suppress>
-
-  <suppress>
-    <!-- JRuby dirgra 0.3 is unexpectedly considered as JRuby 0.3 -->
-    <packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
-    <cpe>cpe:/a:jruby:jruby</cpe>
-  </suppress>
-
-  <suppress>
-    <!-- The sonar-scm-git-plugin 1.12 is unexpectedly considered as git 1.12 -->
-    <packageUrl>pkg:maven/org.sonarsource.scm.git/sonar-scm-git-plugin@1.12.0.2034</packageUrl>
-    <cpe>cpe:/a:git-scm:git</cpe>
-  </suppress>
-
-  <suppress>
-    <!--
-    The Java JSON libraries are unexpectedly considered as JS libraries suffering from
-    the json node module vulnerabilities.
-    -->
-    <packageUrl regex="true">^pkg:maven/.*$</packageUrl>
-    <cpe>cpe:/a:json_project:json</cpe>
-  </suppress>
-
-  <suppress>
-    <!--
-    This Guava vulnerability is not exploitable in the ABAP analyzer.
-    However it's planned to kill the noise:
-    https://jira.sonarsource.com/browse/SONARABAP-421
-    -->
-    <filePath regex="true">.*com\.sonarsource\.abap/sonar-abap-plugin.*</filePath>
-    <cve>CVE-2018-10237</cve>
-  </suppress>
-
-  <suppress>
-    <!--
-    This Guava vulnerability is not exploitable in the PLSQL analyzer.
-    However it's planned to kill the noise:
-    https://jira.sonarsource.com/browse/SONARPLSQL-738
-    -->
-    <filePath regex="true">.*com\.sonarsource\.plsql/sonar-plsql-plugin/3\.4.*</filePath>
-    <cve>CVE-2018-10237</cve>
-  </suppress>
-
-  <suppress>
-    <!--
-    False-positive - the subproject agentproxy
-    is considered as being the JCraft project.
-    -->
-    <packageUrl regex="true">pkg:maven/com\.jcraft/jsch\.agentproxy\..*@0.0.7</packageUrl>
-    <cve>CVE-2016-5725</cve>
-  </suppress>
-
-  <suppress>
-    <notes>
-      <![CDATA[
-        file name: alm-gallery-client-1.0.2.jar will be matched to a wrong cpe string
-      ]]>
-    </notes>
-    <packageUrl regex="true">^pkg:maven/com\.sonarsource\.vsts/alm\-gallery\-client@.*$</packageUrl>
-    <cpe>cpe:/a:gallery:gallery</cpe>
-  </suppress>
-  
-  <!-- False Positive: Version of kotlin lib is not vulnerable to this CVE -->
-  <suppress>
-   <notes><![CDATA[
-   file name: kotlin-stdlib-common-1.4.10.jar
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib(\-common)?@1.4.10$</packageUrl>
-   <cve>CVE-2020-15824</cve>
-  </suppress>
-  
-  <!-- False Positive: The CVE is for hazelcast:1.8.0 not hazelcast-client-protocol -->
-  <suppress>
-   <notes><![CDATA[
-   file name: hazelcast-3.12.9.jar (shaded: com.hazelcast:hazelcast-client-protocol:1.8.0)
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/com\.hazelcast/hazelcast\-client\-protocol@.*$</packageUrl>
-   <cve>CVE-2016-10750</cve>
-  </suppress>
-</suppressions>
diff --git a/owasp-vulnerabilities.xml b/owasp-vulnerabilities.xml
deleted file mode 100644
index 1ca6b4655e5..00000000000
--- a/owasp-vulnerabilities.xml
+++ /dev/null
@@ -1,35 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-
-  <suppress>
-    <!--
-    Vulnerabilities in the SWIFT analyzer.
-    See https://jira.sonarsource.com/browse/SONARSWIFT-451
-    -->
-    <filePath regex="true">.*sonar-swift-plugin-4\.2.*\.jar.*</filePath>
-    <vulnerabilityName>Remote code execution</vulnerabilityName>
-    <cve>CVE-2015-6420</cve>
-    <cve>CVE-2017-15708</cve>
-  </suppress>
-
-  <suppress>
-    <!--
-    The version of Netty packaged with Elasticsearch 6.8.x suffers from a few vulnerabilities.
-    The latter are considered as low risk by the Elastic team. Upgrading Netty in Elasticsearch 6.8.x
-    is not planned. See https://github.com/elastic/elasticsearch/issues/49396
-    -->
-    <packageUrl regex="true">^pkg:maven/io\.netty/netty-.*@4\.1\.32.*$</packageUrl>
-    <cve>CVE-2019-16869</cve>
-    <cve>CVE-2019-20444</cve>
-    <cve>CVE-2019-20445</cve>
-    <cve>CVE-2020-11612</cve>
-  </suppress>
-
-  <suppress>
-    <!--
-    AssertJ should not be bundled with the Kotlin analyzer. Should be fixed in 1.6.
-    -->
-    <filePath regex="true">.*sonar-kotlin-plugin-1\.5.*\.jar.*</filePath>
-    <vulnerabilityName>CWE-476: NULL Pointer Dereference</vulnerabilityName>
-  </suppress>
-</suppressions>
-- 
2.39.5