Modified: ofbiz/trunk/tools/security/dependency-check/suppress.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/dependency-check/suppress.xml?rev=1741416&r1=1741415&r2=1741416&view=diff ==============================================================================
--- ofbiz/trunk/tools/security/dependency-check/suppress.xml (original)
+++ ofbiz/trunk/tools/security/dependency-check/suppress.xml Thu Apr 28 11:51:08 2016
@@ -1,44 +1,42 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
+ <!-- Good examples here: https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
- <!-- to check the comments yourself, simply comment out the block/s you are interested in and use Dependency Check to get the related CVE/s -->
-
- <suppress><!-- OFBiz uses a more recent Tomcat version -->
+ <!-- To check the comments yourself, simply comment out the block/s you are interested in and use Dependency Check to get the related CVE/s -->
+
+ <!-- OFBiz uses a more recent Tomcat version -->
+ <suppress>
 <notes><![CDATA[
- file name: annotations-api-3.0.jar
- ]]></notes>
+ file name: annotations-api-3.0.jar
+ ]]></notes>
 <sha1>87925e57a90c75bd60e2fe4c3fdbcef592c00e48</sha1>
 <cpe>cpe:/a:apache:tomcat:3.0</cpe>
 </suppress>
-
- <suppress><!-- OFBiz uses a more recent Tomcat version -->
+ <suppress>
 <notes><![CDATA[
- file name: annotations-api-3.0.jar
- ]]></notes>
+ file name: annotations-api-3.0.jar
+ ]]></notes>
 <sha1>87925e57a90c75bd60e2fe4c3fdbcef592c00e48</sha1>
 <cpe>cpe:/a:apache:tomcat:7.0.54</cpe>
 </suppress>
-
- <suppress><!-- OFBiz uses a more recent Tomcat version -->
+ <suppress>
 <notes><![CDATA[
 file name: el-api-3.0.jar
 ]]></notes>
 <sha1>794cf8e8d615c6ac136835867aef2fee125bc74b</sha1>
 <cpe>cpe:/a:apache:tomcat:3.0</cpe>
 </suppress>
-
- <!-- About Tomcat 8.0.33 vulnerabilities (start with jsp-api-2.3.jar): I will ask why we have to put all those suppressions :/
- Note that CVE-2013-2185 is disputed by the Tomcat team, see OFBIZ-6752 for details -->
-
- <suppress>
- <notes><![CDATA[
- file name: jsp-api-2.3.jar
- ]]></notes>
- <sha1>896e782956999c2632b3caa0caeb711720f28d7a</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
+ <suppress>
+ <notes><![CDATA[
+ file name: jsp-api-2.3.jar
+ ]]></notes>
+ <filePath regex="true">.*\\base\\lib\\j2eespecs\\.*\.jar</filePath>
+ <cve>CVE-2013-2185</cve>
+ <cve>CVE-2009-2696</cve>
+ <cve>CVE-2007-5461</cve>
+ <cve>CVE-2002-0493</cve>
 </suppress>
-
- <suppress><!-- OFBiz uses a more recent Tomcat version -->
+ <suppress>
 <notes><![CDATA[
 file name: servlet-api-3.1.jar
 ]]></notes>
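Review bot: The new `<filePath regex="true">.*\\base\\lib\\j2eespecs\\.*\.jar</filePath>` matches only Windows-style paths, because `\\` in the regex is a literal backslash; on a Linux or macOS build host the scanned path contains `/`, the suppression silently does not apply and the four CVEs are reported again, so the scan result depends on the operating system it runs on. The portable form is `.*[\\/]base[\\/]lib[\\/]j2eespecs[\\/].*\.jar`, and the same applies to `.*\\catalina\\lib\\.*\.jar` in the second hunk. The pattern also widens the match from the sha1-pinned jsp-api-2.3.jar to every jar under j2eespecs while the `<notes>` still name only jsp-api-2.3.jar; if the wider scope is intended the notes should say so, otherwise `j2eespecs[\\/]jsp-api-.*\.jar` keeps the previous scope. The removed comment stating that CVE-2013-2185 is disputed by the Tomcat team (see OFBIZ-6752) was the only recorded justification for these suppressions and would be better kept inside the `<notes>` of the new block.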
@@ -46,150 +44,24 @@
 <cpe>cpe:/a:apache:tomcat:3.1</cpe>
 </suppress>
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-jasper.jar
- ]]></notes>
- <sha1>30525359ecc82c313a71e056adc917f952580f5e</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-catalina.jar
- ]]></notes>
- <sha1>585795d972f59b19ed5a1ed94446b5a8750669c2</sha1>
- <cpe>cpe:/a:apache_tomcat:apache_tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-catalina.jar
- ]]></notes>
- <sha1>585795d972f59b19ed5a1ed94446b5a8750669c2</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-catalina.jar
- ]]></notes>
- <sha1>585795d972f59b19ed5a1ed94446b5a8750669c2</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-tomcat-api.jar
- ]]></notes>
- <sha1>062142702a1ee607dff38f95a7a1d9c976f510f0</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-tomcat-api.jar
- ]]></notes>
- <sha1>062142702a1ee607dff38f95a7a1d9c976f510f0</sha1>
- <cpe>cpe:/a:apache_tomcat:apache_tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-tomcat-jni.jar
- ]]></notes>
- <sha1>99057ad36cbb2c54e02347142348b15b4fec6673</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-tomcat-jni.jar
- ]]></notes>
- <sha1>99057ad36cbb2c54e02347142348b15b4fec6673</sha1>
- <cpe>cpe:/a:apache_tomcat:apache_tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-catalina-ha.jar
- ]]></notes>
- <sha1>850454212c5971327d29d27e3ad4787bc526f399</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-catalina-ha.jar
- ]]></notes>
- <sha1>850454212c5971327d29d27e3ad4787bc526f399</sha1>
- <cpe>cpe:/a:apache_tomcat:apache_tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-tomcat-util.jar
- ]]></notes>
- <sha1>43e398ba63953add8d93e3806bfd686fec02d8dc</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-tomcat-coyote.jar
- ]]></notes>
- <sha1>4430c9a8d27d4025a5f5e4795d5755e0d3522844</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-catalina-tribes.jar
- ]]></notes>
- <sha1>5eea23acedd7e14fe5d4c10bc1653d203b434c02</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-8.0.33-tomcat-util-scan.jar
- ]]></notes>
- <sha1>fe6f5cb85c3c13a84f38474cae0b674b3e6f3c6e</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-extras-8.0.33-tomcat-juli.jar
- ]]></notes>
- <sha1>03ef654197732568e2568962d1b0ac6aef8a6bf7</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress>
- <notes><![CDATA[
- file name: tomcat-extras-8.0.33-tomcat-juli-adapters.jar
- ]]></notes>
- <sha1>76c82071b5dec0b9a2891da07e04596780243933</sha1>
- <cpe>cpe:/a:apache:tomcat:8.0.33</cpe>
- </suppress>
-
- <suppress><!-- This concerns Wordpress only-->
- <notes><![CDATA[
- file name: fontbox-1.8.5.jar
- ]]></notes>
- <sha1>17d32ff4cf06bfaa1ca48a1100108728d72228f0</sha1>
- <cpe>cpe:/a:font_project:font:1.8.5</cpe>
+ <!-- These CVEs don't concern current Tomcat versions -->
+ <suppress>
+ <notes><![CDATA[
+ This suppresses specific Tomcat CVEs
+ ]]></notes>
+ <filePath regex="true">.*\\catalina\\lib\\.*\.jar</filePath>
+ <cve>CVE-2013-2185</cve>
+ <cve>CVE-2009-2696</cve>
+ <cve>CVE-2007-5461</cve>
+ <cve>CVE-2002-0493</cve>
 </suppress>
- <suppress><!-- This concerns Wordpress only-->
- <notes><![CDATA[
- file name: fontbox-1.8.5.jar
- ]]></notes>
- <sha1>17d32ff4cf06bfaa1ca48a1100108728d72228f0</sha1>
- <cve>CVE-2015-7683</cve>
+ <suppress><!-- This concerns Wordpress only-->
+ <notes><![CDATA[
+ This suppresses a specific fontbox cve
+ ]]></notes>
+ <filePath regex="true">.*\bfontbox-1.8.11\.jar</filePath>
+ <cve>CVE-2015-7683</cve>
 </suppress>
 <suppress><!-- The classes OFBiz uses are not concerned (no UI) --> |
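Review bot: The `<notes>` of the new catalina/lib block, `This suppresses specific Tomcat CVEs`, records what the block does but not why the four CVEs are false positives, and since the block is now keyed by CVE id and path pattern instead of a sha1 it will also cover any future jar placed under catalina/lib, so the rationale is the only thing a later reader can audit. Suggested notes text: `Reported against the Tomcat CPE for the bundled 8.0.33 jars; these CVEs only concern older Tomcat versions (CVE-2013-2185 is disputed by the Tomcat team, see OFBIZ-6752). Re-check when Tomcat is upgraded.` The fontbox pattern `.*\bfontbox-1.8.11\.jar` pins the version, so the suppression of CVE-2015-7683 stops applying after the next fontbox upgrade and the finding resurfaces for review; that is reasonable, but worth stating in its notes so nobody "fixes" the regex by dropping the version. The path-separator problem with `\\` in the catalina/lib regex is noted on the first hunk.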