Posted to commits@ofbiz.apache.org by jl...@apache.org on 2016/04/28 13:51:09 UTC
svn commit: r1741416 [3/3] - in
/ofbiz/trunk/tools/security/dependency-check: dependency-check-report.html
suppress.xml
Modified: ofbiz/trunk/tools/security/dependency-check/suppress.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/dependency-check/suppress.xml?rev=1741416&r1=1741415&r2=1741416&view=diff
==============================================================================
--- ofbiz/trunk/tools/security/dependency-check/suppress.xml (original)
+++ ofbiz/trunk/tools/security/dependency-check/suppress.xml Thu Apr 28 11:51:08 2016
@@ -1,44 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
+ <!-- Good examples here: https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
- <!-- to check the comments yourself, simply comment out the block/s you are interested in and use Dependency Check to get the related CVE/s -->
-
- <suppress><!-- OFBiz uses a more recent Tomcat version -->
+ <!-- To check the comments yourself, simply comment out the block/s you are interested in and use Dependency Check to get the related CVE/s -->
+
+ <!-- OFBiz uses a more recent Tomcat version -->
+ <suppress>
<notes><![CDATA[
- file name: annotations-api-3.0.jar
- ]]></notes>
+ file name: annotations-api-3.0.jar
+ ]]></notes>
<sha1>87925e57a90c75bd60e2fe4c3fdbcef592c00e48</sha1>
<cpe>cpe:/a:apache:tomcat:3.0</cpe>
</suppress>
-
- <suppress><!-- OFBiz uses a more recent Tomcat version -->
+ <suppress>
<notes><![CDATA[
- file name: annotations-api-3.0.jar
- ]]></notes>
+ file name: annotations-api-3.0.jar
+ ]]></notes>
<sha1>87925e57a90c75bd60e2fe4c3fdbcef592c00e48</sha1>
<cpe>cpe:/a:apache:tomcat:7.0.54</cpe>
</suppress>
-
- <suppress><!-- OFBiz uses a more recent Tomcat version -->
+ <suppress>
<notes><![CDATA[
file name: el-api-3.0.jar
]]></notes>
<sha1>794cf8e8d615c6ac136835867aef2fee125bc74b</sha1>
<cpe>cpe:/a:apache:tomcat:3.0</cpe>
</suppress>
-
- <!-- About Tomcat 8.0.33 vulnerabilities (start with jsp-api-2.3.jar): I will ask why we have to put all those suppressions :/
- Note that CVE-2013-2185 is disputed by the Tomcat team, see OFBIZ-6752 for details -->
-
- <suppress>
- <notes><![CDATA[
- file name: jsp-api-2.3.jar
- ]]></notes>
- <sha1>896e782956999c2632b3caa0caeb711720f28d7a</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
+ <suppress>
+ <notes><![CDATA[
+ file name: jsp-api-2.3.jar
+ ]]></notes>
+ <filePath regex="true">.*\\base\\lib\\j2eespecs\\.*\.jar</filePath>
+ <cve>CVE-2013-2185</cve>
+ <cve>CVE-2009-2696</cve>
+ <cve>CVE-2007-5461</cve>
+ <cve>CVE-2002-0493</cve>
</suppress>
-
- <suppress><!-- OFBiz uses a more recent Tomcat version -->
+ <suppress>
<notes><![CDATA[
file name: servlet-api-3.1.jar
]]></notes>
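Review bot: The new `<filePath>` regex on the jsp-api-2.3.jar suppression uses `\\` as its only directory separator, so it matches the Windows form of the path and will not match when the scan runs on a `/`-separated filesystem, where the four listed CVEs would reappear as findings instead of being suppressed; a separator-agnostic form such as `<filePath regex="true">.*[\\/]base[\\/]lib[\\/]j2eespecs[\\/].*\.jar</filePath>` covers both cases. The `.*\\catalina\\lib\\.*\.jar` pattern in the following hunk has the same problem. The regex also matches every jar in that directory rather than only jsp-api-2.3.jar as the notes state, and unlike the replaced `<sha1>` entry it is not tied to a particular artifact, so the notes should describe the actual scope of what is being suppressed. The old comment recording that CVE-2013-2185 is disputed by the Tomcat team (OFBIZ-6752) was dropped; keeping that rationale next to the `<cve>` list, e.g. `<!-- CVE-2013-2185 is disputed by the Tomcat team, see OFBIZ-6752 -->`, preserves why the suppression exists.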
@@ -46,150 +44,24 @@
<cpe>cpe:/a:apache:tomcat:3.1</cpe>
</suppress>
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-jasper.jar
- ]]></notes>
- <sha1>30525359ecc82c313a71e056adc917f952580f5e</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-catalina.jar
- ]]></notes>
- <sha1>585795d972f59b19ed5a1ed94446b5a8750669c2</sha1>
- <cpe>cpe:/a:apache_tomcat:apache_tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-catalina.jar
- ]]></notes>
- <sha1>585795d972f59b19ed5a1ed94446b5a8750669c2</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-catalina.jar
- ]]></notes>
- <sha1>585795d972f59b19ed5a1ed94446b5a8750669c2</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-tomcat-api.jar
- ]]></notes>
- <sha1>062142702a1ee607dff38f95a7a1d9c976f510f0</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-tomcat-api.jar
- ]]></notes>
- <sha1>062142702a1ee607dff38f95a7a1d9c976f510f0</sha1>
- <cpe>cpe:/a:apache_tomcat:apache_tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-tomcat-jni.jar
- ]]></notes>
- <sha1>99057ad36cbb2c54e02347142348b15b4fec6673</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-tomcat-jni.jar
- ]]></notes>
- <sha1>99057ad36cbb2c54e02347142348b15b4fec6673</sha1>
- <cpe>cpe:/a:apache_tomcat:apache_tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-catalina-ha.jar
- ]]></notes>
- <sha1>850454212c5971327d29d27e3ad4787bc526f399</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-catalina-ha.jar
- ]]></notes>
- <sha1>850454212c5971327d29d27e3ad4787bc526f399</sha1>
- <cpe>cpe:/a:apache_tomcat:apache_tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-tomcat-util.jar
- ]]></notes>
- <sha1>43e398ba63953add8d93e3806bfd686fec02d8dc</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-tomcat-coyote.jar
- ]]></notes>
- <sha1>4430c9a8d27d4025a5f5e4795d5755e0d3522844</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-catalina-tribes.jar
- ]]></notes>
- <sha1>5eea23acedd7e14fe5d4c10bc1653d203b434c02</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-tomcat-util-scan.jar
- ]]></notes>
- <sha1>fe6f5cb85c3c13a84f38474cae0b674b3e6f3c6e</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-extras-8.0.33-tomcat-juli.jar
- ]]></notes>
- <sha1>03ef654197732568e2568962d1b0ac6aef8a6bf7</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-extras-8.0.33-tomcat-juli-adapters.jar
- ]]></notes>
- <sha1>76c82071b5dec0b9a2891da07e04596780243933</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress><!-- This concerns Wordpress only-->
- <notes><![CDATA[
- file name: fontbox-1.8.5.jar
- ]]></notes>
- <sha1>17d32ff4cf06bfaa1ca48a1100108728d72228f0</sha1>
- <cpe>cpe:/a:font_project:font:1.8.5</cpe>
+ <!-- These CVEs don't concern current Tomcat versions -->
+ <suppress>
+ <notes><![CDATA[
+ This suppresses specific Tomcat CVEs
+ ]]></notes>
+ <filePath regex="true">.*\\catalina\\lib\\.*\.jar</filePath>
+ <cve>CVE-2013-2185</cve>
+ <cve>CVE-2009-2696</cve>
+ <cve>CVE-2007-5461</cve>
+ <cve>CVE-2002-0493</cve>
</suppress>
- <suppress><!-- This concerns Wordpress only-->
- <notes><![CDATA[
- file name: fontbox-1.8.5.jar
- ]]></notes>
- <sha1>17d32ff4cf06bfaa1ca48a1100108728d72228f0</sha1>
- <cve>CVE-2015-7683</cve>
+ <suppress><!-- This concerns Wordpress only-->
+ <notes><![CDATA[
+ This suppresses a specific fontbox cve
+ ]]></notes>
+ <filePath regex="true">.*\bfontbox-1.8.11\.jar</filePath>
+ <cve>CVE-2015-7683</cve>
</suppress>
<suppress><!-- The classes OFBiz uses are not concerned (no UI) -->