|
|
@@ -0,0 +1,190 @@ |
|
|
|
<?xml version="1.0" encoding="UTF-8"?> |
|
|
|
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> |
|
|
|
|
|
|
|
<!-- |
|
|
|
This file lists the false-positives (the vulnerabilities that can not be exploited) |
|
|
|
--> |
|
|
|
|
|
|
|
<suppress> |
|
|
|
<!-- |
|
|
|
Elasticsearch API key service is not enabled. |
|
|
|
See https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908 |
|
|
|
Fixed in Elasticsearch 6.8.4 |
|
|
|
--> |
|
|
|
<cve>CVE-2019-7619</cve> |
|
|
|
<cve>CVE-2020-7009</cve> |
|
|
|
<cve>CVE-2020-7014</cve> |
|
|
|
|
|
|
|
<!-- |
|
|
|
Elasticsearch field level security feature is not used. |
|
|
|
See https://www.elastic.co/guide/en/elasticsearch/reference/current/field-level-security.html |
|
|
|
and https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456 |
|
|
|
Fixed in Elasticsearch 6.8.12 |
|
|
|
--> |
|
|
|
<cve>CVE-2020-7019</cve> |
|
|
|
|
|
|
|
<!-- |
|
|
|
The vulnerability is about multiple users submitting requests to Elasticsearch. It's not |
|
|
|
a false-positive because requests are sent anonymously. Authentication is disabled. |
|
|
|
Fixed in Elasticsearch 6.8.2 |
|
|
|
--> |
|
|
|
<cve>CVE-2019-7614</cve> |
|
|
|
|
|
|
|
<!-- |
|
|
|
Jenkins plugin - fixed in v2.8.1 |
|
|
|
See https://www.jenkins.io/security/advisory/2018-09-25/#SECURITY-1163CVE-2018-20200 and |
|
|
|
https://jira.sonarsource.com/browse/SONARJNKNS-301 |
|
|
|
--> |
|
|
|
<cve>CVE-2018-1000425</cve> |
|
|
|
|
|
|
|
<!-- |
|
|
|
Irrelevant exploit in OkHttp. It requires to control the server and to allow sniffing network traffic! |
|
|
|
Obfuscating the code makes the documentation of the CVE impossible to apply. |
|
|
|
See https://github.com/square/okhttp/issues/4967 and https://github.com/boclips/videos/commit/9f6c5ba96063f14fb6033f4f6efa6caf3c2701bd |
|
|
|
--> |
|
|
|
<cve>CVE-2018-20200</cve> |
|
|
|
|
|
|
|
<!-- |
|
|
|
Vulnerability in the Spring version embedded into sonar-security-java-frontend-plugin. Fixed in 8.4. |
|
|
|
See https://jira.sonarsource.com/browse/SONARSEC-1189 and https://nvd.nist.gov/vuln/detail/CVE-2020-5398 |
|
|
|
--> |
|
|
|
<cve>CVE-2020-5398</cve> |
|
|
|
|
|
|
|
<!-- |
|
|
|
Log4J SMTP Appender is not enabled, so the vulnerability is not exploitable. |
|
|
|
See https://nvd.nist.gov/vuln/detail/CVE-2020-9488 |
|
|
|
--> |
|
|
|
<cve>CVE-2020-9488</cve> |
|
|
|
|
|
|
|
<!-- |
|
|
|
SnakeYML vulnerability if the Elasticsearch YML configuration files have too many recursive aliases. |
|
|
|
Fixed in SnakeYML 1.26. |
|
|
|
Not exploitable because the file elasticsearch/config/*.yml are not supposed to be edited outside the build. |
|
|
|
https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion |
|
|
|
https://en.wikipedia.org/wiki/Billion_laughs_attack |
|
|
|
--> |
|
|
|
<cve>CVE-2017-18640</cve> |
|
|
|
|
|
|
|
<!-- |
|
|
|
These 2 CVEs were opened in 2007, without any resolution. It's apparently about OpenID which |
|
|
|
is not safe by design. |
|
|
|
Anyway OpenID is not used. Microsoft authentication relies on OpenID Connect and OAuth 2.0. |
|
|
|
See MSAL https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-adal-msal-java |
|
|
|
--> |
|
|
|
<cve>CVE-2007-1651</cve> |
|
|
|
<cve>CVE-2007-1652</cve> |
|
|
|
|
|
|
|
<!-- |
|
|
|
This is a Suse packaging issue, not a Tomcat one |
|
|
|
See https://nvd.nist.gov/vuln/detail/CVE-2020-8022 and https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1@%3Cusers.tomcat.apache.org%3E |
|
|
|
--> |
|
|
|
<cve>CVE-2020-8022</cve> |
|
|
|
|
|
|
|
<!-- |
|
|
|
Fixed in SQ 7.8. See https://jira.sonarsource.com/browse/SSF-74 |
|
|
|
--> |
|
|
|
<cve>CVE-2019-17579</cve> |
|
|
|
|
|
|
|
<!-- |
|
|
|
Fixed in SQ 7.4. See https://jira.sonarsource.com/browse/SONAR-11305 |
|
|
|
--> |
|
|
|
<cve>CVE-2018-19413</cve> |
|
|
|
</suppress> |
|
|
|
|
|
|
|
<suppress> |
|
|
|
<!-- |
|
|
|
false-positive - the OWASP tool considers SQ as being |
|
|
|
gitlab 8.0, which comes with many vulnerabilities! |
|
|
|
--> |
|
|
|
<filePath regex="true">.*build\.gradle</filePath> |
|
|
|
<cpe>cpe:/a:gitlab:gitlab</cpe> |
|
|
|
</suppress> |
|
|
|
|
|
|
|
<suppress> |
|
|
|
<!-- |
|
|
|
false-positive - the OWASP tool considers sonar-auth-gitlab@8.0-SNAPSHOT as being |
|
|
|
gitlab 8.0, which comes with many vulnerabilities! |
|
|
|
--> |
|
|
|
<filePath regex="true">.*sonar-auth-gitlab-8.*\.jar.*</filePath> |
|
|
|
<cpe>cpe:/a:gitlab:gitlab:8</cpe> |
|
|
|
</suppress> |
|
|
|
|
|
|
|
|
|
|
|
<suppress> |
|
|
|
<!-- |
|
|
|
The commons-compress 1.8 bundled with CSS analyzer is not used. Its vulnerabilities |
|
|
|
can't be exploited. |
|
|
|
Noise will be killed in https://github.com/SonarSource/sonar-css/issues/260 |
|
|
|
--> |
|
|
|
<filePath regex="true">.*sonar-css-plugin-1\.2.*\.jar.*</filePath> |
|
|
|
<cve>CVE-2019-12402</cve> |
|
|
|
</suppress> |
|
|
|
|
|
|
|
<suppress> |
|
|
|
<!-- |
|
|
|
false-positive - the OWASP tool considers sonar-ruby-plugin 1.7 as being |
|
|
|
ruby 1.7, which comes with many vulnerabilities! |
|
|
|
--> |
|
|
|
<packageUrl regex="true">pkg:maven/org\.sonarsource\.slang/sonar-ruby-plugin@1\..*</packageUrl> |
|
|
|
<cpe>cpe:/a:ruby-lang:ruby:1</cpe> |
|
|
|
</suppress> |
|
|
|
|
|
|
|
<suppress> |
|
|
|
<!-- |
|
|
|
false-positive - the OWASP tool considers sonar-scala-plugin 1.x as being |
|
|
|
scala 1.x, which come with many vulnerabilities |
|
|
|
--> |
|
|
|
<packageUrl regex="true">pkg:maven/org\.sonarsource\.slang/sonar-scala-plugin@1\..*</packageUrl> |
|
|
|
<cpe>cpe:/a:scala-lang:scala:1</cpe> |
|
|
|
</suppress> |
|
|
|
|
|
|
|
<suppress> |
|
|
|
<!-- JRuby dirgra 0.3 is unexpectedly considered as JRuby 0.3 --> |
|
|
|
<packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl> |
|
|
|
<cpe>cpe:/a:jruby:jruby</cpe> |
|
|
|
</suppress> |
|
|
|
|
|
|
|
<suppress> |
|
|
|
<!-- The sonar-scm-git-plugin 1.12 is unexpectedly considered as git 1.12 --> |
|
|
|
<packageUrl>pkg:maven/org.sonarsource.scm.git/sonar-scm-git-plugin@1.12.0.2034</packageUrl> |
|
|
|
<cpe>cpe:/a:git-scm:git</cpe> |
|
|
|
</suppress> |
|
|
|
|
|
|
|
<suppress> |
|
|
|
<!-- |
|
|
|
The Java JSON libraries are unexpectedly considered as JS libraries suffering from |
|
|
|
the json node module vulnerabilities. |
|
|
|
--> |
|
|
|
<packageUrl regex="true">^pkg:maven/.*$</packageUrl> |
|
|
|
<cpe>cpe:/a:json_project:json</cpe> |
|
|
|
</suppress> |
|
|
|
|
|
|
|
<suppress> |
|
|
|
<!-- |
|
|
|
This Guava vulnerability is not exploitable in the ABAP analyzer. |
|
|
|
However it's planned to kill the noise: |
|
|
|
https://jira.sonarsource.com/browse/SONARABAP-421 |
|
|
|
--> |
|
|
|
<filePath regex="true">.*com\.sonarsource\.abap/sonar-abap-plugin.*</filePath> |
|
|
|
<cve>CVE-2018-10237</cve> |
|
|
|
</suppress> |
|
|
|
|
|
|
|
<suppress> |
|
|
|
<!-- |
|
|
|
This Guava vulnerability is not exploitable in the PLSQL analyzer. |
|
|
|
However it's planned to kill the noise: |
|
|
|
https://jira.sonarsource.com/browse/SONARPLSQL-738 |
|
|
|
--> |
|
|
|
<filePath regex="true">.*com\.sonarsource\.plsql/sonar-plsql-plugin/3\.4.*</filePath> |
|
|
|
<cve>CVE-2018-10237</cve> |
|
|
|
</suppress> |
|
|
|
|
|
|
|
<suppress> |
|
|
|
<!-- |
|
|
|
False-positive - the subproject agentproxy |
|
|
|
is considered as being the JCraft project. |
|
|
|
--> |
|
|
|
<packageUrl regex="true">pkg:maven/com\.jcraft/jsch\.agentproxy\..*@0.0.7</packageUrl> |
|
|
|
<cve>CVE-2016-5725</cve> |
|
|
|
</suppress> |
|
|
|
</suppressions> |