blob: 96f7512c91fe1beca9188ba819fa94f28be54910 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
|
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!--
This file lists the false-positives (the vulnerabilities that can not be exploited)
-->
<suppress>
<!--
Elasticsearch API key service is not enabled.
See https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908
Fixed in Elasticsearch 6.8.4
-->
<cve>CVE-2019-7619</cve>
<cve>CVE-2020-7009</cve>
<cve>CVE-2020-7014</cve>
<!--
Elasticsearch field level security feature is not used.
See https://www.elastic.co/guide/en/elasticsearch/reference/current/field-level-security.html
and https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456
Fixed in Elasticsearch 6.8.12
-->
<cve>CVE-2020-7019</cve>
<!--
The vulnerability is about multiple users submitting requests to Elasticsearch. It's not
a false-positive because requests are sent anonymously. Authentication is disabled.
Fixed in Elasticsearch 6.8.2
-->
<cve>CVE-2019-7614</cve>
<!--
Jenkins plugin - fixed in v2.8.1
See https://www.jenkins.io/security/advisory/2018-09-25/#SECURITY-1163CVE-2018-20200 and
https://jira.sonarsource.com/browse/SONARJNKNS-301
-->
<cve>CVE-2018-1000425</cve>
<!--
Irrelevant exploit in OkHttp. It requires to control the server and to allow sniffing network traffic!
Obfuscating the code makes the documentation of the CVE impossible to apply.
See https://github.com/square/okhttp/issues/4967 and https://github.com/boclips/videos/commit/9f6c5ba96063f14fb6033f4f6efa6caf3c2701bd
-->
<cve>CVE-2018-20200</cve>
<!--
Vulnerability in the Spring version embedded into sonar-security-java-frontend-plugin. Fixed in 8.4.
See https://jira.sonarsource.com/browse/SONARSEC-1189 and https://nvd.nist.gov/vuln/detail/CVE-2020-5398
-->
<cve>CVE-2020-5398</cve>
<!--
Log4J SMTP Appender is not enabled, so the vulnerability is not exploitable.
See https://nvd.nist.gov/vuln/detail/CVE-2020-9488
-->
<cve>CVE-2020-9488</cve>
<!--
SnakeYML vulnerability if the Elasticsearch YML configuration files have too many recursive aliases.
Fixed in SnakeYML 1.26.
Not exploitable because the file elasticsearch/config/*.yml are not supposed to be edited outside the build.
https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion
https://en.wikipedia.org/wiki/Billion_laughs_attack
-->
<cve>CVE-2017-18640</cve>
<!--
These 2 CVEs were opened in 2007, without any resolution. It's apparently about OpenID which
is not safe by design.
Anyway OpenID is not used. Microsoft authentication relies on OpenID Connect and OAuth 2.0.
See MSAL https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-adal-msal-java
-->
<cve>CVE-2007-1651</cve>
<cve>CVE-2007-1652</cve>
<!--
This is a Suse packaging issue, not a Tomcat one
See https://nvd.nist.gov/vuln/detail/CVE-2020-8022 and https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1@%3Cusers.tomcat.apache.org%3E
-->
<cve>CVE-2020-8022</cve>
<!--
Fixed in SQ 7.8. See https://jira.sonarsource.com/browse/SSF-74
-->
<cve>CVE-2019-17579</cve>
<!--
Fixed in SQ 7.4. See https://jira.sonarsource.com/browse/SONAR-11305
-->
<cve>CVE-2018-19413</cve>
</suppress>
<suppress>
<!--
false-positive - the OWASP tool considers SQ as being
gitlab 8.0, which comes with many vulnerabilities!
-->
<filePath regex="true">.*build\.gradle</filePath>
<cpe>cpe:/a:gitlab:gitlab</cpe>
</suppress>
<suppress>
<!--
false-positive - the OWASP tool considers sonar-auth-gitlab@8.0-SNAPSHOT as being
gitlab 8.0, which comes with many vulnerabilities!
-->
<filePath regex="true">.*sonar-auth-gitlab-8.*\.jar.*</filePath>
<cpe>cpe:/a:gitlab:gitlab:8</cpe>
</suppress>
<suppress>
<!--
The commons-compress 1.8 bundled with CSS analyzer is not used. Its vulnerabilities
can't be exploited.
Noise will be killed in https://github.com/SonarSource/sonar-css/issues/260
-->
<filePath regex="true">.*sonar-css-plugin-1\.2.*\.jar.*</filePath>
<cve>CVE-2019-12402</cve>
</suppress>
<suppress>
<!--
false-positive - the OWASP tool considers sonar-ruby-plugin 1.7 as being
ruby 1.7, which comes with many vulnerabilities!
-->
<packageUrl regex="true">pkg:maven/org\.sonarsource\.slang/sonar-ruby-plugin@1\..*</packageUrl>
<cpe>cpe:/a:ruby-lang:ruby:1</cpe>
</suppress>
<suppress>
<!--
false-positive - the OWASP tool considers sonar-scala-plugin 1.x as being
scala 1.x, which come with many vulnerabilities
-->
<packageUrl regex="true">pkg:maven/org\.sonarsource\.slang/sonar-scala-plugin@1\..*</packageUrl>
<cpe>cpe:/a:scala-lang:scala:1</cpe>
</suppress>
<suppress>
<!-- JRuby dirgra 0.3 is unexpectedly considered as JRuby 0.3 -->
<packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
<cpe>cpe:/a:jruby:jruby</cpe>
</suppress>
<suppress>
<!-- The sonar-scm-git-plugin 1.12 is unexpectedly considered as git 1.12 -->
<packageUrl>pkg:maven/org.sonarsource.scm.git/sonar-scm-git-plugin@1.12.0.2034</packageUrl>
<cpe>cpe:/a:git-scm:git</cpe>
</suppress>
<suppress>
<!--
The Java JSON libraries are unexpectedly considered as JS libraries suffering from
the json node module vulnerabilities.
-->
<packageUrl regex="true">^pkg:maven/.*$</packageUrl>
<cpe>cpe:/a:json_project:json</cpe>
</suppress>
<suppress>
<!--
This Guava vulnerability is not exploitable in the ABAP analyzer.
However it's planned to kill the noise:
https://jira.sonarsource.com/browse/SONARABAP-421
-->
<filePath regex="true">.*com\.sonarsource\.abap/sonar-abap-plugin.*</filePath>
<cve>CVE-2018-10237</cve>
</suppress>
<suppress>
<!--
This Guava vulnerability is not exploitable in the PLSQL analyzer.
However it's planned to kill the noise:
https://jira.sonarsource.com/browse/SONARPLSQL-738
-->
<filePath regex="true">.*com\.sonarsource\.plsql/sonar-plsql-plugin/3\.4.*</filePath>
<cve>CVE-2018-10237</cve>
</suppress>
<suppress>
<!--
False-positive - the subproject agentproxy
is considered as being the JCraft project.
-->
<packageUrl regex="true">pkg:maven/com\.jcraft/jsch\.agentproxy\..*@0.0.7</packageUrl>
<cve>CVE-2016-5725</cve>
</suppress>
<suppress>
<notes>
<![CDATA[
file name: alm-gallery-client-1.0.2.jar will be matched to a wrong cpe string
]]>
</notes>
<packageUrl regex="true">^pkg:maven/com\.sonarsource\.vsts/alm\-gallery\-client@.*$</packageUrl>
<cpe>cpe:/a:gallery:gallery</cpe>
</suppress>
</suppressions>
|
