-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathsuppress.xml
37 lines (37 loc) · 2.36 KB
/
suppress.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress until="2023-10-02Z">
<notes><![CDATA[
File name: word-wrap:1.2.3
Suppressed for 5 months
As of 02/05/2023, word-wrap has not seen an update in 6 years. I suspect it is unlikely to receive any further updates.
I've suppressed the issue for 5 months to review it then. The dependancy is brought in via the dev dependancy `eslint`.
Dev dependancies are not packaged for live deployment so this should not pose immediate threat.
Link to issue: https://security.snyk.io/package/npm/word-wrap
]]></notes>
<packageUrl regex="true">pkg:npm/word-wrap@1.2.3</packageUrl>
<cve>CVE-2023-26115</cve>
<cpe>cpe:2.3:a:*:word-wrap:1.2.3:*:*:*:*:*:*:*</cpe>
</suppress>
<suppress until="2023-10-02Z">
<notes><![CDATA[
file name: msgpack5:4.5.1
Suppressed for 5 months
Vulnerability is believed to be a false postive as no issues are detected on NIST: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Amsgpack5_project&cpe_product=cpe%3A%2F%3Amsgpack5_project%3Amsgpack5&cpe_version=cpe%3A%2F%3Amsgpack5_project%3Amsgpack5%3A4.5.1
The vulnerability exists prior to version 4.5.1
]]></notes>
<packageUrl>pkg:npm/msgpack5@4.5.1</packageUrl>
<cve>CVE-2021-21368</cve>
<cpe>cpe:2.3:a:*:msgpack5:4.5.1</cpe>
</suppress>
<suppress until="2023-10-02Z">
<notes><![CDATA[
file name: file-type:6.2.0
Suppressed for 5 months
Link to issue: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Afile-type_project&cpe_product=cpe%3A%2F%3Afile-type_project%3Afile-type&cpe_version=cpe%3A%2F%3Afile-type_project%3Afile-type%3A6.2.0
The vulnerability exists prior to version 6.2.0, 5.2.0, 3.9.0.
All these version are being brought in via sonarqube-scanner sub-dependencies. Forcing a higher version of file-type is breaking the sonar implementation so will need to be fixed via a sonar update. We are currently using the highest version of sonarqube-scanner.
]]></notes>
<cve>CVE-2022-36313</cve>
</suppress>
</suppressions>