forked from codice/ddf
-
Notifications
You must be signed in to change notification settings - Fork 1
/
dependency-check-maven-config.xml
566 lines (529 loc) · 20 KB
/
dependency-check-maven-config.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<!-- False positive against Tika -->
<suppress>
<notes>These CVEs are against versions less than 1.18 and we're on 1.18. False positives</notes>
<cve>CVE-2016-6809</cve>
<cve>CVE-2018-1335</cve>
</suppress>
<!-- Remove this suppression CVE-2017-5644 once DDF-3064 has been resolved-->
<suppress>
<notes>
This is not an issue since the vulnerability is in reading untrusted documents and
platform-metrics-reporting only creates them. The issue is resolved in version 3.16 but
will require code refactoring.
poi-3.12.jar (cpe:/a:apache:poi:3.12, org.apache.poi:poi:3.12) : CVE-2017-5644
</notes>
<cve>CVE-2017-5644</cve>
</suppress>
<suppress>
<notes>
CVE-2004-0009 is an issue with Apache not-yet-commons-ssl. This jar has been stripped
from the distribution, the suppression is to prevent OWASP from complaining.
apache-karaf-4.1.2.tar.gz: apache-karaf-4.1.2.tar:
org.apache.servicemix.bundles.not-yet-commons-ssl-0.3.11_1.jar
</notes>
<cve>CVE-2004-0009</cve>
</suppress>
<suppress>
<notes>
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated
remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization
flaw. This is exploitable by sending maliciously crafted JSON input to the
readValue method of the ObjectMapper, bypassing a blacklist that is ineffective
if the Spring libraries are available in the classpath.
We have upgraded to 2.9.4 which fixes the issue but version 2.6.3 is still being used by
org.apache.cxf:cxf-rt-rs-security-sso-saml -> ehcache-2.10.4 -> jackson-databind-2.6.3.
This suppression can be removed when DDF-3593 has been completed.
</notes>
<cve>CVE-2016-3720</cve>
<cve>CVE-2016-7051</cve>
<cve>CVE-2017-7525</cve>
<cve>CVE-2017-15095</cve>
<cve>CVE-2017-17485</cve>
<cve>CVE-2018-5968</cve>
<cve>CVE-2018-7489</cve>
</suppress>
<suppress>
<notes>
CVE-2008-0660 is a stack based buffer overflow vulnerability related to ActiveX and
several image uploaders. This is unrelated to presto-parser, so marking as a false
positive.
</notes>
<cve>CVE-2008-0660</cve>
</suppress>
<suppress>
<notes>
CVE-2016-1000031: Applies to commons-fileupload-1.2.1, suppressing because the
vulnerable class DiskFileItem is not used in the project
</notes>
<cve>CVE-2016-1000031</cve>
</suppress>
<suppress>
<notes>
False positive. This cve is not related to pax-url-aether.
pax-url-aether-2.4.7.jar
</notes>
<cve>CVE-2016-0749</cve>
</suppress>
<suppress>
<notes>
file name: solr-*.jar
OWASP is getting confused by our version number being on a jar with solr in the name we
are on solr 6.6+ which is not affected by this issue.
</notes>
<cve>CVE-2017-3163</cve>
<cve>CVE-2015-8797</cve>
<cve>CVE-2015-8796</cve>
<cve>CVE-2015-8795</cve>
<cve>CVE-2013-6408</cve>
<cve>CVE-2013-6407</cve>
<cve>CVE-2013-6397</cve>
<cve>CVE-2012-6612</cve>
</suppress>
<suppress>
<notes>
file name: commons-beanutils-1.8.3.jar
shiro-core has a dependency on this but it doesn’t expose commons-beanutils to user
input so it wouldn't pose a risk like the struts library that is called out in the CVE
</notes>
<sha1>686EF3410BCF4AB8CE7FD0B899E832AABA5FACF7</sha1>
<cve>CVE-2014-0114</cve>
</suppress>
<suppress>
<notes>
false positive CVE is unrelated. owasp is confusing the platform-filter-delegate with
the DeleGate library
file name: platform-filter-delegate-*.jar
</notes>
<cve>CVE-2005-0036</cve>
<cve>CVE-1999-1338</cve>
<cve>CVE-2005-0861</cve>
</suppress>
<!-- proxy-camel-servlet false positives - these are all because the proxy-camel-servlet is getting confused with the camel-servlet-->
<suppress>
<notes>
This is an issue with Camel version before 2.16.1 OWASP appears to have confused the
internal proxy-camel-servlet version with the overall Camel version - marking as false
positive.
</notes>
<cve>CVE-2014-0002</cve>
<cve>CVE-2014-0003</cve>
<cve>CVE-2015-5344</cve>
<cve>CVE-2017-3159</cve>
<cve>CVE-2017-12633</cve>
<cve>CVE-2017-12634</cve>
</suppress>
<suppress>
<notes>
From security-core-api SecurityLogger. This is not an issue as we are not receiving
logging messages via TCP or UDP socket. This can be fixed by upgrading to version 2.8.2.
The version upgrade requires an update to karaf 4.1.1
log4j-api-2.4.1.jar (cpe:/a:apache:log4j:2.4.1,
org.apache.logging.log4j:log4j-api:2.4.1)
</notes>
<cve>CVE-2017-5645</cve>
</suppress>
<!-- these are the geowebcache vulnerabilities it is not installed by default and it is only
experimental these security issues would need to be resolved before geowebcache can be
installed in a production environment-->
<suppress>
<notes>
gwc-web-1.5.0.war: com.noelios.restlet-1.0.8.jar
gwc-web-1.5.0.war: commons-beanutils-1.7.0.jar
gwc-web-1.5.0.war: commons-collections-3.1.jar
gwc-web-1.5.0.war: postgresql-8.4-701.jdbc3.jar
geowebcache-server-standalone-0.7.0.war: gwc-sqlite-1.9.1.jar
geowebcache-server-standalone-0.7.0.war: sqlite-jdbc-3.8.6.jar
geowebcache-server-standalone-0.7.0.war: commons-fileupload-1.2.1.jar
</notes>
<cve>CVE-2016-3092</cve>
<cve>CVE-2014-0050</cve>
<cve>CVE-2013-4271</cve>
<cve>CVE-2013-4221</cve>
<cve>CVE-2013-0248</cve>
<cve>CVE-2014-0114</cve>
<cve>CVE-2015-6420</cve>
<cve>CVE-2016-0766</cve>
<cve>CVE-2015-5895</cve>
<cve>CVE-2015-3717</cve>
<cve>CVE-2015-3416</cve>
<cve>CVE-2015-3415</cve>
<cve>CVE-2015-3414</cve>
<cve>CVE-2017-10989</cve>
<cve>CVE-2005-2992</cve>
<cve>CVE-2005-2945</cve>
<cve>CVE-2016-6153</cve>
<cve>CVE-2015-6607</cve>
<cve>CVE-2016-9878</cve>
<cve>CVE-2016-5007</cve>
<cve>CVE-2016-3674</cve>
</suppress>
<suppress>
<notes>
These CVEs are incorrectly attributing a CXF vulnerability to Camel
camel-cxf-2.19.0.jar.
The CVEs are in CXF versions in this case the camel version is incorrectly being used
</notes>
<cve>CVE-2017-5643</cve>
<cve>CVE-2017-3159</cve>
<cve>CVE-2015-5344</cve>
<cve>CVE-2015-5348</cve>
<cve>CVE-2015-0264</cve>
<cve>CVE-2015-0263</cve>
<cve>CVE-2014-0003</cve>
<cve>CVE-2014-0002</cve>
<cve>CVE-2016-8739</cve>
<cve>CVE-2017-5656</cve>
<cve>CVE-2017-5653</cve>
<cve>CVE-2017-3156</cve>
<cve>CVE-2016-6812</cve>
</suppress>
<suppress>
<notes>
These CVEs are all related to asciidoc and jruby vulnerabilities which are only used
when the documentation is building.
</notes>
<cve>CVE-1999-0428</cve>
<cve>CVE-2009-3245</cve>
<cve>CVE-2010-0742</cve>
<cve>CVE-2010-4252</cve>
<cve>CVE-2011-4838</cve>
<cve>CVE-2012-2110</cve>
<cve>CVE-2014-3567</cve>
<cve>CVE-2014-8176</cve>
<cve>CVE-2015-0292</cve>
<cve>CVE-2015-8768</cve>
<cve>CVE-2016-2108</cve>
<cve>CVE-2016-2109</cve>
</suppress>
<suppress>
<notes>
This CVE is related to hash collisions at the Java level. This is mitigated by newer
versions of Java (8+).
See http://openjdk.java.net/jeps/180 for more information.
xercesImpl-2.11.0.jar
</notes>
<cve>CVE-2012-0881</cve>
</suppress>
<suppress>
<notes>
This CVE affects jetty's Password.java class, which is not relied on in the running
system.
jetty-io-9.3.14.v20161028.jar
jetty-jmx-9.3.14.v20161028.jar
jetty-servlets-9.2.19.v20160908.jar
jetty-util-ajax-9.2.14.v20151106.jar
jetty-webapp-9.3.6.v20151106.jar
websocket-api-9.3.6.v20151106.jar
ehcache-2.10.3.jar/rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml
</notes>
<cve>CVE-2017-9735</cve>
</suppress>
<suppress>
<notes>
This CVE has to do with a command that is not used in the running system.
aws-java-sdk-opsworkscm-1.11.108.jar
</notes>
<cve>CVE-2015-8559</cve>
</suppress>
<suppress>
<notes>
This CVE is out of date. The vulnerability is fixed in 3.x versions of protobuf.
protobuf-java-3.1.0.jar
pnotify-1.3.1.jar: compiler.jar/META-INF/maven/com.google.protobuf/protobuf-java/pom.xml
</notes>
<cve>CVE-2015-5237</cve>
</suppress>
<suppress>
<notes>
These CVEs only apply to the google android and google desktop libraries which do not
affect the running system.
google-http-client-1.22.0.jar
</notes>
<cve>CVE-2016-5696</cve>
<cve>CVE-2014-6060</cve>
<cve>CVE-2014-1939</cve>
<cve>CVE-2013-7372</cve>
<cve>CVE-2010-1807</cve>
<cve>CVE-2007-3150</cve>
<cve>CVE-2007-1085</cve>
</suppress>
<suppress>
<notes>
This CVE is disputed by SUN, but the claim is that a denial of service attack can be
incurred.
This dependency is used for workspace email notifications and is limited by the cron
string configuration.
This cron string configuration mitigates the possibility of a denial of service attack.
javax.mail-1.5.5.jar
mail-1.4.5.jar
</notes>
<cve>CVE-2007-6059</cve>
</suppress>
<suppress>
<notes>
This CVE applies to ganglia-web. OWASP is flagging this CVE on gmetric4j-1.0.7.jar (as a
direct transitive and as a transitive to metrics-ganglia-3.2.2.jar).
Though gmetric4j-1.0.7.jar has the same group id as ganglia-web, it does not depend on
ganglia-web.
gmetric4j-1.0.7.jar
metrics-ganglia-3.2.2.jar
</notes>
<cve>CVE-2007-6465</cve>
</suppress>
<suppress>
<notes>
This CVE is at the OS level and does not apply to the running system.
jna-4.4.0.jar
</notes>
<cve>CVE-2012-0217</cve>
</suppress>
<suppress>
<notes>
These CVEs apply to ActiveMQ, but OWASP is looking at the version of Artemis (2.1.0).
These CVEs do not apply to the version of ActiveMQ server that is used in the system
(currently 5.14.5).
artemis-core-client-2.1.0.jar
</notes>
<cve>CVE-2016-3088</cve>
<cve>CVE-2014-3576</cve>
<cve>CVE-2013-3060</cve>
<cve>CVE-2013-1880</cve>
<cve>CVE-2013-1879</cve>
<cve>CVE-2012-6551</cve>
<cve>CVE-2012-6092</cve>
<cve>CVE-2012-5784</cve>
<cve>CVE-2011-4905</cve>
<cve>CVE-2010-1244</cve>
<cve>CVE-2010-0684</cve>
</suppress>
<suppress>
<notes>
This CVE is fixed in Artemis ActiveMQ for all released versions.
See
https://github.com/apache/activemq-artemis/commit/48d9951d879e0c8cbb59d4b64ab59d53ef88310d
artemis-core-client-2.1.0.jar
</notes>
<cve>CVE-2015-3208</cve>
</suppress>
<suppress>
<notes>
This CVE applies to the Jolokia API provided by ActiveMQ which is secured by DDF
security, so the vulnerability is mitigated.
</notes>
<cve>CVE-2015-5182</cve>
</suppress>
<suppress>
<notes>
These CVEs apply to the Hawtio console which is not exposed in this system.
artemis-core-client-2.1.0.jar
</notes>
<cve>CVE-2015-5184</cve>
<cve>CVE-2015-5183</cve>
</suppress>
<suppress>
<notes>
These CVEs apply to Apache Zookeeper which does not affect the running system.
curator-recipes-2.8.0.jar
</notes>
<cve>CVE-2016-5017</cve>
<cve>CVE-2014-0085</cve>
</suppress>
<suppress>
<notes>
These CVEs apply to org.apache.geronimo:geronimo which is not a dependency of any of
these artifacts.
geronimo-activation_1.1_spec-1.1.jar
geronimo-javamail_1.4_spec-1.7.1.jar
geronimo-jms_1.1_spec-1.1.1.jar
geronimo-jms_2.0_spec-1.0-alpha-2.jar
geronimo-servlet_3.0_spec-1.0.jar
geronimo-stax-api_1.0_spec-1.0.1.jar
apache-karaf-4.1.2.tar.gz: apache-karaf-4.1.2.tar:
org.apache.servicemix.specs.saaj-api-1.3-2.9.0.jar/META-INF/maven/org.apache.geronimo.specs/geronimo-saaj_1.3_spec/pom.xml
apache-karaf-4.1.2.tar.gz: apache-karaf-4.1.2.tar:
org.apache.servicemix.specs.jaxws-api-2.2-2.9.0.jar/META-INF/maven/org.apache.geronimo.specs/geronimo-jaxws_2.2_spec/pom.xml
</notes>
<cve>CVE-2011-5034</cve>
<cve>CVE-2008-0732</cve>
<cve>CVE-2006-0254</cve>
</suppress>
<suppress>
<notes>
This CVE applies to a frontend tool called jCore before 1.0pre2.
It does not apply to the artifact that OWASP is reporting.
apache-mime4j-core-0.7.2.jar
</notes>
<cve>CVE-2012-4231</cve>
<cve>CVE-2012-4232</cve>
</suppress>
<suppress>
<notes>
This CVE applies to Apache-SSL 1.3.28+1.52 and earlier. It does not apply to the
artifact that OWASP is reporting.
apache-karaf-4.1.2.tar.gz: apache-karaf-4.1.2.tar:
org.apache.servicemix.bundles.not-yet-commons-ssl-0.3.11_1.jar
</notes>
<cve>CVE-2004-0009</cve>
</suppress>
<suppress>
<notes>
These CVEs apply to "Apache QPID 0.30" and previous versions. This particular maven
artifact is a new qpid artifact.
Its first release came after all of these CVEs.
qpid-jms-client-0.11.1.jar
</notes>
<cve>CVE-2015-0223</cve>
<cve>CVE-2015-0224</cve>
<cve>CVE-2013-1909</cve>
<cve>CVE-2012-4460</cve>
<cve>CVE-2012-4459</cve>
<cve>CVE-2012-4458</cve>
<cve>CVE-2012-4446</cve>
<cve>CVE-2012-3467</cve>
<cve>CVE-2012-2145</cve>
</suppress>
<suppress>
<notes>
Applies to an LDAP class that we do not use in the system. Also, this jar is only used
in tests.
groovy-all-2.4.7.jar
</notes>
<cve>CVE-2016-6497</cve>
</suppress>
<suppress>
<notes>
These CVEs do not apply to this version of bzip2
bzip2-0.9.1.jar
</notes>
<cve>CVE-2011-4089</cve>
<cve>CVE-2010-0405</cve>
<cve>CVE-2005-1260</cve>
</suppress>
<suppress>
<notes>
These CVEs apply to version 1.7.3 and earlier
pax-logging-api-1.10.1.jar
</notes>
<cve>CVE-2015-1194</cve>
<cve>CVE-2015-1193</cve>
</suppress>
<suppress>
<notes>
The vulnerability applies to NPM's CLI which does not apply here
q-1.4.1.jar
</notes>
<cve>CVE-2016-3956</cve>
</suppress>
<suppress>
<notes>
These CVEs apply to the Eclipse IDE. OWASP flagged it because eclipse is in the group
id.
pax-url-aether-2.5.2.jar/META-INF/maven/org.eclipse.aether/aether-spi/pom.xml
</notes>
<cve>CVE-2010-4647</cve>
<cve>CVE-2008-7271</cve>
</suppress>
<suppress>
<notes>
These CVEs apply to the system-level project called spice. OWASP incorrectly labeled
this.
pax-url-aether-2.5.2.jar/META-INF/maven/org.sonatype.plexus/plexus-cipher/pom.xml:
pax-url-aether-2.5.2.jar/META-INF/maven/org.sonatype.plexus/plexus-sec-dispatcher/pom.xml
</notes>
<cve>CVE-2016-2150</cve>
<cve>CVE-2016-0749</cve>
</suppress>
<suppress>
<notes>
These CVEs apply to Java or Sun application servers. Not applicable to this system.
servlet-api-2.5.jar
</notes>
<cve>CVE-2006-5654</cve>
<cve>CVE-2006-3225</cve>
<cve>CVE-2006-2501</cve>
</suppress>
<suppress>
<notes>
This CVE has been addressed by upgrading commons-beanutils to version 1.9.3. OWASP will
continue to report the vulnerability since OWASP sees the DDF version instead of the
actual version.
security-pdp-authzrealm-2.11.4-SNAPSHOT.jar (cpe:/a:apache:commons_beanutils:2.11.4,
cpe:/a:apache:commons_collections:2.11.4,
ddf.security.pdp:security-pdp-authzrealm:2.11.4-SNAPSHOT)
</notes>
<cve>CVE-2017-15708</cve>
</suppress>
<suppress>
<notes>False positive. This CVE is for a Perl library</notes>
<cve>CVE-2015-7686</cve>
</suppress>
<suppress>
<notes>
Remove this supression when this PR is merged
https://github.com/codice/ddf/pull/3077
</notes>
<cve>CVE-2015-1820</cve>
</suppress>
<suppress>
<notes>This CVE is related to a PHP script. There are no PHP scripts in the DDF.</notes>
<cve>CVE-2006-6460</cve>
</suppress>
<suppress>
<notes>
These CVEs are not an issue since the software is not exposing STOMP over WebSocket
endpoints.
</notes>
<cve>CVE-2018-1270</cve>
<cve>CVE-2018-1275</cve>
</suppress>
<suppress>
<notes>
These CVEs affect Jetty 9.3.x up to 9.3.23 and 9.4.x up to 9.4.10. DDF is using a
version of jetty that does not fall within those ranges.
</notes>
<cve>CVE-2017-7658</cve>
<cve>CVE-2017-7657</cve>
</suppress>
<suppress>
<notes><![CDATA[
Nearly all of these are not an issue because either we are not using those features entirely or (and in addition to the fact) that solr is now running as an external process and completely locked down, so no one could access solr to take advantage of these vulnerabilites. All communication is controlled by DDF.
]]></notes>
<cve>CVE-2016-3081</cve>
<cve>CVE-2016-7415</cve>
<cve>CVE-2017-17484</cve>
<cve>CVE-2017-5637</cve>
<cve>CVE-2017-14868</cve>
<cve>CVE-2013-4316</cve>
<cve>CVE-2016-4436</cve>
<cve>CVE-2017-3162</cve>
<cve>CVE-2013-2115</cve>
<cve>CVE-2014-1868</cve>
<cve>CVE-2012-0391</cve>
<cve>CVE-2017-14952</cve>
<cve>CVE-2017-14949</cve>
<cve>CVE-2016-3082</cve>
<cve>CVE-2013-2135</cve>
<cve>CVE-2014-0112</cve>
<cve>CVE-2016-5001</cve>
<cve>CVE-2017-3161</cve>
<cve>CVE-2012-0392</cve>
<cve>CVE-2014-3577</cve>
<cve>CVE-2014-3627</cve>
<cve>CVE-2012-0838</cve>
<cve>CVE-2013-1965</cve>
<cve>CVE-2013-1966</cve>
<cve>CVE-2015-5262</cve>
<cve>CVE-2014-0113</cve>
<cve>CVE-2014-0229</cve>
<cve>CVE-2017-15713</cve>
<cve>CVE-2016-6293</cve>
<cve>CVE-2013-2134</cve>
<cve>CVE-2018-8012</cve>
<cve>CVE-2013-2251</cve>
<cve>CVE-2016-0785</cve>
<cve>CVE-2016-6811</cve>
<cve>CVE-2016-4461</cve>
</suppress>
</suppressions>