Suppress CVEs for Solr and org.codehaus.jackson (#11030)

* Suppress CVEs for Solr and org.codehaus.jackson * add a comment
apache · Mar 24, 2021 · 83a0624 · 83a0624
1 parent f135d19
commit 83a0624
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
@@ -305,4 +305,24 @@
     <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/[email protected]$</packageUrl>
     <cve>CVE-2020-13949</cve>
   </suppress>
+  <suppress>
+     <!-- (ranger, ambari, and aliyun-oss) these vulnerabilities are legit, but their latest releases still use the vulnerable jackson version -->
+     <notes><![CDATA[
+     file name: jackson-xc-1.9.x.jar or jackson-jaxrs-1.9.x.jar
+     ]]></notes>
+     <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl>
+     <cve>CVE-2018-14718</cve>
+     <cve>CVE-2018-7489</cve>
+  </suppress>
+
+  <suppress>
+     <notes><![CDATA[
+     file name: solr-solrj-7.7.1.jar
+     ]]></notes>
+     <packageUrl regex="true">^pkg:maven/org\.apache\.solr/[email protected]$</packageUrl>
+     <cve>CVE-2020-13957</cve>
+     <cve>CVE-2019-17558</cve>
+     <cve>CVE-2019-0193</cve>
+     <cve>CVE-2020-13941</cve>
+  </suppress>
 </suppressions>