Posted to commits@struts.apache.org by lu...@apache.org on 2020/05/18 05:57:38 UTC

[struts] branch master updated: Uses proper suppresses to exclude vulnerable Oval transitive dependencies

This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts.git


The following commit(s) were added to refs/heads/master by this push:
     new 677f769  Uses proper suppresses to exclude vulnerable Oval transitive dependencies
677f769 is described below

commit 677f769bb71b6bdd08e271937e5b89a14c995d24
Author: Lukasz Lenart <lu...@apache.org>
AuthorDate: Mon May 18 07:57:11 2020 +0200

    Uses proper suppresses to exclude vulnerable Oval transitive dependencies
---
 src/etc/project-suppression.xml | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/src/etc/project-suppression.xml b/src/etc/project-suppression.xml
index f00cc85..35b6e53 100644
--- a/src/etc/project-suppression.xml
+++ b/src/etc/project-suppression.xml
@@ -150,7 +150,22 @@
     </suppress>
     <suppress>
         <notes><![CDATA[file name: oval-1.90.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/net\.sf\.oval/oval@1\.90$</packageUrl>
-        <vulnerabilityName>Vulnerable transitive dependencies</vulnerabilityName>
+        <packageUrl regex="true">^pkg:maven/net\.sf\.oval/oval@.*$</packageUrl>
+        <cpe>cpe:/a:apache:groovy</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[file name: oval-1.90.jar]]></notes>
+        <packageUrl regex="true">^pkg:maven/net\.sf\.oval/oval@.*$</packageUrl>
+        <cpe>cpe:/a:apache:log4j</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[file name: oval-1.90.jar]]></notes>
+        <packageUrl regex="true">^pkg:maven/net\.sf\.oval/oval@.*$</packageUrl>
+        <cpe>cpe:/a:jruby:jruby</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[file name: oval-1.90.jar]]></notes>
+        <packageUrl regex="true">^pkg:maven/net\.sf\.oval/oval@.*$</packageUrl>
+        <cpe>cpe:/a:xstream_project:xstream</cpe>
     </suppress>
 </suppressions>
\ No newline at end of file
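Review bot: The four new suppressions widen the packageUrl match from `^pkg:maven/net\.sf\.oval/oval@1\.90$` to `^pkg:maven/net\.sf\.oval/oval@.*$`, so the groovy, log4j, jruby and xstream CPE matches are suppressed for every future Oval release, while each `<notes>` block still says `file name: oval-1.90.jar`. If a later Oval version does pull one of those libraries in, the scanner will stay silent; either keep the version pinned in the regex or bound the suppression with dependency-check's `until` attribute, e.g. `<suppress until="<REVIEW-DATE placeholder>">`, so it is revisited. The notes should also record why the CPE match is a false positive (presumably dependency-check attributes these CPEs to the Oval jar because of its optional dependencies, which Struts does not ship — worth confirming), for example `<notes><![CDATA[file name: oval-1.90.jar; CPE matched from Oval's optional dependencies, not from classes on the classpath]]></notes>`. The `\ No newline at end of file` marker shows the file is still left without a trailing newline; adding one keeps future diffs clean.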