MightyPork
/
airsonic-custom
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
My fork of airsonic with experimental fixes and improvements. See branch "custom"
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1344 Commits
2 Branches
0 Tags
85 MiB
 
 
 
Tag: Branch: Tree: ac45a9b7dc
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ac45a9b7dc'
${ noResults }
airsonic-custom/airsonic-main/cve-suppressed.xml

208 lines
8.1 KiB
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
<!-- Provisional >> -->
<suppress>
<notes><![CDATA[False Positive for stax]]></notes>
<gav regex="true">^.*$</gav>
<cve>CVE-2018-1000840</cve>
</suppress>
<!-- << Provisional -->
<suppress>
<notes><![CDATA[RC4 vulnerability in ssl. We don't use ssl at the application container level]]></notes>
<gav regex="true">^.*$</gav>
<cve>CVE-2015-2808</cve>
</suppress>
<suppress>
<notes><![CDATA[RC4 vulnerability in ssl. We don't use ssl at the application container level]]></notes>
<gav regex="true">^.*$</gav>
<cve>CVE-2013-2566</cve>
</suppress>
<suppress>
<notes>
<![CDATA[This is for ruby - not for java and besides we don't allow user supplied information in emails]]></notes>
<gav regex="true">^.*$</gav>
<cve>CVE-2015-9097</cve>
</suppress>
<!-- This is for the oracle/glassfish application server implementation, not the api. -->
<suppress>
<notes><![CDATA[file name: javax.servlet.jsp-api-2.3.1.jar]]></notes>
<gav regex="true">^javax\.servlet\.jsp:javax\.servlet\.jsp-api:.*$</gav>
<cve>CVE-2011-5035</cve>
</suppress>
<!-- For drupal, so doesn't apply to us -->
<suppress>
<notes><![CDATA[file name: validation-api-1.1.0.Final.jar]]></notes>
<gav regex="true">^javax\.validation:validation-api:.*$</gav>
<cve>CVE-2013-4499</cve>
</suppress>
<!-- This seems to pick up many false positives for the server component which we have no control over -->
<suppress>
<notes><![CDATA[file name: mysql-connector-java-5.1.43.jar]]></notes>
<gav regex="true">^mysql:mysql-connector-java:.*$</gav>
<cpe regex="true">.*</cpe>
</suppress>
<!-- No git functionality is used from the following dependencies -->
<suppress>
<notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
<gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
<cve>CVE-2017-14867</cve>
</suppress>
<suppress>
<notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
<gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
<cve>CVE-2015-7545</cve>
</suppress>
<suppress>
<notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
<gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
<cve>CVE-2015-7082</cve>
</suppress>
<suppress>
<notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
<gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
<cve>CVE-2010-2542</cve>
</suppress>
<!-- Ignore all false positives for the server component -->
<suppress>
<notes><![CDATA[file name: mariadb-java-client-2.1.0.jar]]></notes>
<gav regex="true">^org\.mariadb\.jdbc:mariadb-java-client:.*$</gav>
<cpe>cpe:/a:mariadb:mariadb</cpe>
</suppress>
<!-- This cve is not for spring ldap, but for typo3 -->
<suppress>
<notes><![CDATA[file name: spring-ldap-core-2.3.1.RELEASE.jar]]></notes>
<gav regex="true">^org\.springframework\.ldap:spring-ldap-core:.*$</gav>
<cve>CVE-2014-6232</cve>
</suppress>
<!-- We do not support https for the embedded tomcat setup -->
<suppress>
<notes><![CDATA[file name: tomcat-annotations-api-8.5.23.jar]]></notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
<cve>CVE-2017-6056</cve>
</suppress>
<!-- This only impacts distro packages, not embedded -->
<suppress>
<notes><![CDATA[file name: tomcat-annotations-api-8.5.23.jar]]></notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
<cve>CVE-2016-6325</cve>
</suppress>
<!-- This only impacts distro packages, not embedded -->
<suppress>
<notes><![CDATA[file name: tomcat-annotations-api-8.5.23.jar]]></notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
<cve>CVE-2016-5425</cve>
</suppress>
<!--Vulnerabilty lies in Database Clusterscripts-->
<suppress>
<notes><![CDATA[file name: postgresql-42.1.4.jar]]></notes>
<gav regex="true">^org\.postgresql:postgresql:.*$</gav>
<cve>CVE-2017-8806</cve>
</suppress>
<suppress>
<notes><![CDATA[file name: postgresql-42.1.4.jar]]></notes>
<gav regex="true">^org\.postgresql:postgresql:.*$</gav>
<cve>CVE-2017-14798</cve>
</suppress>
<suppress>
<notes>Does not affect the postgres client</notes>
<gav regex="true">^org\.postgresql:postgresql:.*$</gav>
<cve>CVE-2018-1115</cve>
</suppress>
<suppress>
<notes>Does not affect the postgres client</notes>
<gav regex="true">^org\.postgresql:postgresql:.*$</gav>
<cve>CVE-2016-7048</cve>
</suppress>
<suppress>
<notes>This is for nodejs</notes>
<gav regex="true">^org\.mariadb\.jdbc:mariadb-java-client:.*$</gav>
<cve>CVE-2017-16046</cve>
</suppress>
<suppress>
<notes><![CDATA[False Positive for stax]]></notes>
<gav regex="true">^stax.*$</gav>
<cve>CVE-2017-16224</cve>
</suppress>
<suppress>
<notes><![CDATA[False Positive for stax]]></notes>
<gav regex="true">^javax\.xml\.stream:stax.*$</gav>
<cve>CVE-2017-16224</cve>
</suppress>
<suppress>
<notes><![CDATA[We do not use slf4j ext]]></notes>
<gav regex="true">.*slf4j.*</gav>
<cve>CVE-2018-8088</cve>
</suppress>
<suppress>
<notes><![CDATA[This only impacts spring 5.0.5 which we dont use]]></notes>
<gav regex="true">.*spring.*</gav>
<cve>CVE-2018-1258</cve>
</suppress>
<suppress>
<notes>This is for an unrelated C library</notes>
<gav regex="true">^com\.sun\.xml\.bind\.external:relaxng-datatype:.*</gav>
<cve>CVE-2018-18749</cve>
</suppress>
<suppress>
<notes>False positive for jflac-codec</notes>
<gav regex="true">.*jflac-codec.*</gav>
<cve>CVE-2018-14948</cve>
</suppress>
<suppress>
<notes>We do not enable default typing for jackson</notes>
<gav regex="true">.*jackson-databind.*</gav>
<cve>CVE-2019-12814</cve>
</suppress>
<suppress>
<notes>We do not use the liquibase sdk</notes>
<filePath regex="true">.*liquibase/sdk/.*</filePath>
<cvssBelow>9.0</cvssBelow>
</suppress>
<suppress>
<notes>False positive for tomcat vuln in eclipse jasper compat lib</notes>
<gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
<cve>CVE-2016-5425</cve>
</suppress>
<suppress>
<notes>False positive for tomcat vuln in eclipse jasper compat lib</notes>
<gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
<cve>CVE-2017-6056</cve>
</suppress>
<suppress>
<notes>False positive for tomcat vuln in eclipse jasper compat lib</notes>
<gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
<cve>CVE-2019-10072</cve>
</suppress>
<suppress>
<notes>This cve is for apache standard taglibs before 1.2.3. However jstl:1.2 is a separate PROVIDED lib</notes>
<gav regex="true">^javax\.servlet:jstl:.*$</gav>
<cve>CVE-2015-0254</cve>
</suppress>
<suppress>
<notes>We do not enable default typing for jackson</notes>
<gav regex="true">.*jackson-databind.*</gav>
<cve>CVE-2019-14379</cve>
</suppress>
<suppress>
<notes>We do not enable default typing for jackson</notes>
<gav regex="true">.*jackson-databind.*</gav>
<cve>CVE-2019-14439</cve>
</suppress>
<suppress>
<notes>We do not enable default typing for jackson</notes>
<gav regex="true">.*jackson-databind.*</gav>
<cve>CVE-2019-12384</cve>
</suppress>
</suppressions>