mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
30140 Commits
59 Branches
Tree: c5566b7b0e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c5566b7b0e'
${ noResults }
sonarqube/owasp-suppressions.xml

owasp-suppressions.xml 7.6KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218 
  1. <?xml version="1.0" encoding="UTF-8"?>

  2. <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  3. 

  4.   <!--

  5.   This file lists the false-positives (the vulnerabilities that can not be exploited)

  6.   -->

  7. 

  8.   <suppress>

  9.     <!--

  10.       Elasticsearch API key service is not enabled.

  11.       See https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908

  12.       Fixed in Elasticsearch 6.8.4

  13.     -->

  14.     <cve>CVE-2019-7619</cve>

  15.     <cve>CVE-2020-7009</cve>

  16.     <cve>CVE-2020-7014</cve>

  17. 

  18.     <!--

  19.       Elasticsearch field level security feature is not used.

  20.       See https://www.elastic.co/guide/en/elasticsearch/reference/current/field-level-security.html

  21.       and https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456

  22.       Fixed in Elasticsearch 6.8.12

  23.     -->

  24.     <cve>CVE-2020-7019</cve>

  25. 

  26.     <!--

  27.       The vulnerability is about multiple users submitting requests to Elasticsearch. It's not

  28.       a false-positive because requests are sent anonymously. Authentication is disabled.

  29.       Fixed in Elasticsearch 6.8.2

  30.     -->

  31.     <cve>CVE-2019-7614</cve>

  32. 

  33.     <!--

  34.     Jenkins plugin - fixed in v2.8.1

  35.     See https://www.jenkins.io/security/advisory/2018-09-25/#SECURITY-1163CVE-2018-20200 and

  36.     https://jira.sonarsource.com/browse/SONARJNKNS-301

  37.      -->

  38.     <cve>CVE-2018-1000425</cve>

  39. 

  40.     <!--

  41.     Irrelevant exploit in OkHttp. It requires to control the server and to allow sniffing network traffic!

  42.     Obfuscating the code makes the documentation of the CVE impossible to apply.

  43.     See https://github.com/square/okhttp/issues/4967 and https://github.com/boclips/videos/commit/9f6c5ba96063f14fb6033f4f6efa6caf3c2701bd

  44.     -->

  45.     <cve>CVE-2018-20200</cve>

  46. 

  47.     <!--

  48.     Vulnerability in the Spring version embedded into sonar-security-java-frontend-plugin. Fixed in 8.4.

  49.     See https://jira.sonarsource.com/browse/SONARSEC-1189 and https://nvd.nist.gov/vuln/detail/CVE-2020-5398

  50.     -->

  51.     <cve>CVE-2020-5398</cve>

  52. 

  53.     <!--

  54.     Log4J SMTP Appender is not enabled, so the vulnerability is not exploitable.

  55.     See https://nvd.nist.gov/vuln/detail/CVE-2020-9488

  56.     -->

  57.     <cve>CVE-2020-9488</cve>

  58. 

  59.     <!--

  60.     SnakeYML vulnerability if the Elasticsearch YML configuration files have too many recursive aliases.

  61.     Fixed in SnakeYML 1.26.

  62.     Not exploitable because the file elasticsearch/config/*.yml are not supposed to be edited outside the build.

  63.     https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion

  64.     https://en.wikipedia.org/wiki/Billion_laughs_attack

  65.     -->

  66.     <cve>CVE-2017-18640</cve>

  67. 

  68.     <!--

  69.     These 2 CVEs were opened in 2007, without any resolution. It's apparently about OpenID which

  70.     is not safe by design.

  71.     Anyway OpenID is not used. Microsoft authentication relies on OpenID Connect and OAuth 2.0.

  72.     See MSAL https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-adal-msal-java

  73.     -->

  74.     <cve>CVE-2007-1651</cve>

  75.     <cve>CVE-2007-1652</cve>

  76. 

  77.     <!--

  78.     This is a Suse packaging issue, not a Tomcat one

  79.     See https://nvd.nist.gov/vuln/detail/CVE-2020-8022 and https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1@%3Cusers.tomcat.apache.org%3E

  80.     -->

  81.     <cve>CVE-2020-8022</cve>

  82. 

  83.     <!--

  84.     Fixed in SQ 7.8. See https://jira.sonarsource.com/browse/SSF-74

  85.     -->

  86.     <cve>CVE-2019-17579</cve>

  87. 

  88.     <!--

  89.     Fixed in SQ 7.4. See https://jira.sonarsource.com/browse/SONAR-11305

  90.     -->

  91.     <cve>CVE-2018-19413</cve>

  92.   </suppress>

  93. 

  94.   <suppress>

  95.     <!--

  96.     false-positive - the OWASP tool considers SQ as being

  97.     gitlab 8.0, which comes with many vulnerabilities!

  98.     -->

  99.     <filePath regex="true">.*build\.gradle</filePath>

  100.     <cpe>cpe:/a:gitlab:gitlab</cpe>

  101.   </suppress>

  102. 

  103.   <suppress>

  104.     <!--

  105.     false-positive - the OWASP tool considers sonar-auth-gitlab@8.0-SNAPSHOT as being

  106.     gitlab 8.0, which comes with many vulnerabilities!

  107.     -->

  108.     <filePath regex="true">.*sonar-auth-gitlab-8.*\.jar.*</filePath>

  109.     <cpe>cpe:/a:gitlab:gitlab:8</cpe>

  110.   </suppress>

  111. 

  112. 

  113.   <suppress>

  114.     <!--

  115.     The commons-compress 1.8 bundled with CSS analyzer is not used. Its vulnerabilities

  116.     can't be exploited.

  117.     Noise will be killed in https://github.com/SonarSource/sonar-css/issues/260

  118.     -->

  119.     <filePath regex="true">.*sonar-css-plugin-1\.2.*\.jar.*</filePath>

  120.     <cve>CVE-2019-12402</cve>

  121.   </suppress>

  122. 

  123.   <suppress>

  124.     <!--

  125.     false-positive - the OWASP tool considers sonar-ruby-plugin 1.7 as being

  126.     ruby 1.7, which comes with many vulnerabilities!

  127.     -->

  128.     <packageUrl regex="true">pkg:maven/org\.sonarsource\.slang/sonar-ruby-plugin@1\..*</packageUrl>

  129.     <cpe>cpe:/a:ruby-lang:ruby:1</cpe>

  130.   </suppress>

  131. 

  132.   <suppress>

  133.     <!--

  134.     false-positive - the OWASP tool considers sonar-scala-plugin 1.x as being

  135.     scala 1.x, which come with many vulnerabilities

  136.     -->

  137.     <packageUrl regex="true">pkg:maven/org\.sonarsource\.slang/sonar-scala-plugin@1\..*</packageUrl>

  138.     <cpe>cpe:/a:scala-lang:scala:1</cpe>

  139.   </suppress>

  140. 

  141.   <suppress>

  142.     <!-- JRuby dirgra 0.3 is unexpectedly considered as JRuby 0.3 -->

  143.     <packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>

  144.     <cpe>cpe:/a:jruby:jruby</cpe>

  145.   </suppress>

  146. 

  147.   <suppress>

  148.     <!-- The sonar-scm-git-plugin 1.12 is unexpectedly considered as git 1.12 -->

  149.     <packageUrl>pkg:maven/org.sonarsource.scm.git/sonar-scm-git-plugin@1.12.0.2034</packageUrl>

  150.     <cpe>cpe:/a:git-scm:git</cpe>

  151.   </suppress>

  152. 

  153.   <suppress>

  154.     <!--

  155.     The Java JSON libraries are unexpectedly considered as JS libraries suffering from

  156.     the json node module vulnerabilities.

  157.     -->

  158.     <packageUrl regex="true">^pkg:maven/.*$</packageUrl>

  159.     <cpe>cpe:/a:json_project:json</cpe>

  160.   </suppress>

  161. 

  162.   <suppress>

  163.     <!--

  164.     This Guava vulnerability is not exploitable in the ABAP analyzer.

  165.     However it's planned to kill the noise:

  166.     https://jira.sonarsource.com/browse/SONARABAP-421

  167.     -->

  168.     <filePath regex="true">.*com\.sonarsource\.abap/sonar-abap-plugin.*</filePath>

  169.     <cve>CVE-2018-10237</cve>

  170.   </suppress>

  171. 

  172.   <suppress>

  173.     <!--

  174.     This Guava vulnerability is not exploitable in the PLSQL analyzer.

  175.     However it's planned to kill the noise:

  176.     https://jira.sonarsource.com/browse/SONARPLSQL-738

  177.     -->

  178.     <filePath regex="true">.*com\.sonarsource\.plsql/sonar-plsql-plugin/3\.4.*</filePath>

  179.     <cve>CVE-2018-10237</cve>

  180.   </suppress>

  181. 

  182.   <suppress>

  183.     <!--

  184.     False-positive - the subproject agentproxy

  185.     is considered as being the JCraft project.

  186.     -->

  187.     <packageUrl regex="true">pkg:maven/com\.jcraft/jsch\.agentproxy\..*@0.0.7</packageUrl>

  188.     <cve>CVE-2016-5725</cve>

  189.   </suppress>

  190. 

  191.   <suppress>

  192.     <notes>

  193.       <![CDATA[

  194.         file name: alm-gallery-client-1.0.2.jar will be matched to a wrong cpe string

  195.       ]]>

  196.     </notes>

  197.     <packageUrl regex="true">^pkg:maven/com\.sonarsource\.vsts/alm\-gallery\-client@.*$</packageUrl>

  198.     <cpe>cpe:/a:gallery:gallery</cpe>

  199.   </suppress>

  200.   

  201.   <!-- False Positive: Version of kotlin lib is not vulnerable to this CVE -->

  202.   <suppress>

  203.    <notes><![CDATA[

  204.    file name: kotlin-stdlib-common-1.4.10.jar

  205.    ]]></notes>

  206.    <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib(\-common)?@1.4.10$</packageUrl>

  207.    <cve>CVE-2020-15824</cve>

  208.   </suppress>

  209.   

  210.   <!-- False Positive: The CVE is for hazelcast:1.8.0 not hazelcast-client-protocol -->

  211.   <suppress>

  212.    <notes><![CDATA[

  213.    file name: hazelcast-3.12.9.jar (shaded: com.hazelcast:hazelcast-client-protocol:1.8.0)

  214.    ]]></notes>

  215.    <packageUrl regex="true">^pkg:maven/com\.hazelcast/hazelcast\-client\-protocol@.*$</packageUrl>

  216.    <cve>CVE-2016-10750</cve>

  217.   </suppress>

  218. </suppressions>