From 808660633bc8bc170e201d8526b0719c2fd8c1a6 Mon Sep 17 00:00:00 2001
From: Malena Ebert <malena.ebert@sonarsource.com>
Date: Fri, 2 Oct 2020 16:31:29 +0200
Subject: [PATCH] Suppress false positive vulnerabilites

---
 owasp-suppressions.xml | 55 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
index f4e3114039a..fedf329fe11 100644
--- a/owasp-suppressions.xml
+++ b/owasp-suppressions.xml
@@ -187,4 +187,59 @@
     <packageUrl regex="true">pkg:maven/com\.jcraft/jsch\.agentproxy\..*@0.0.7</packageUrl>
     <cve>CVE-2016-5725</cve>
   </suppress>
+
+  <suppress>
+    <notes>
+      <![CDATA[
+        file name: alm-gallery-client-1.0.2.jar will be matched to a wrong cpe string
+      ]]>
+    </notes>
+    <packageUrl regex="true">^pkg:maven/com\.sonarsource\.vsts/alm\-gallery\-client@.*$</packageUrl>
+    <cpe>cpe:/a:gallery:gallery</cpe>
+  </suppress>
+  
+  <!-- False Positive: Version of kotlin lib is not vulnerable to this CVE -->
+  <suppress>
+   <notes><![CDATA[
+   file name: kotlin-stdlib-common-1.4.10.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib(\-common)?@1.4.10$</packageUrl>
+   <cve>CVE-2020-15824</cve>
+  </suppress>
+  
+  <!-- False Positive: The CVE is for hazelcast:1.8.0 not hazelcast-client-protocol -->
+  <suppress>
+   <notes><![CDATA[
+   file name: hazelcast-3.12.9.jar (shaded: com.hazelcast:hazelcast-client-protocol:1.8.0)
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/com\.hazelcast/hazelcast\-client\-protocol@.*$</packageUrl>
+   <cve>CVE-2016-10750</cve>
+  </suppress>
+
+  <suppress>
+   <notes><![CDATA[
+   file name: d3-zoom:1.7.3
+   ]]></notes>
+   <packageUrl regex="true">^pkg:npm/d3\-zoom@.*$</packageUrl>
+   <cpe>cpe:/a:zoom:zoom</cpe>
+  </suppress>
+
+  <suppress>
+   <notes><![CDATA[
+   file name: dompurify:1.0.11
+   ]]></notes>
+   <packageUrl regex="true">^pkg:npm/dompurify@.*$</packageUrl>
+   <cve>CVE-2019-16728</cve>
+   <vulnerabilityName>CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</vulnerabilityName>
+  </suppress>
+
+  <suppress>
+   <notes><![CDATA[
+   file name: lodash:4.17.11
+   ]]></notes>
+   <packageUrl regex="true">^pkg:npm/lodash@.*$</packageUrl>
+   <cve>CVE-2019-10744</cve>
+   <cve>CVE-2020-8203</cve>
+   <vulnerabilityName>CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</vulnerabilityName>
+  </suppress>
 </suppressions>
-- 
2.39.5