global-suppressions.xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
Any hypertrace dep
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.hypertrace\..*@.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
<cpe>cpe:/a:utils_project:utils</cpe>
<cpe>cpe:/a:processing:processing</cpe>
<cpe>cpe:/a:avro_project:avro</cpe>
</suppress>
<suppress until="2024-12-31Z">
<notes><![CDATA[
This CVE is declared fixed from 9.4.52, but the vuln db is not reflecting that. Suppress that specific version until
db is updated.
Ref:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-servlets@9.4.5[3-9]\..*$</packageUrl>
<vulnerabilityName>CVE-2023-36479</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
This is a low severity (<4) vuln with no fix released for the jetty 9 line we use. Revisit on jetty upgrade.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty.*@9.*$</packageUrl>
<vulnerabilityName>CVE-2024-6763</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
Wire android app not a match for squareup's wire packages
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.squareup\.wire/wire\-.*@.*$</packageUrl>
<cpe>cpe:/a:wire:wire</cpe>
</suppress>
<suppress>
<notes><![CDATA[
This CVE is an FP - it only impacts go projects.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.(flink|parquet)/(flink|parquet)\-avro@.*$</packageUrl>
<cve>CVE-2023-37475</cve>
</suppress>
<suppress>
<notes><![CDATA[
FP. opentelemetry-exporter-prometheus matches with prometheus:prometheus
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentelemetry/opentelemetry\-exporter\-prometheus@.*$</packageUrl>
<cpe>cpe:/a:prometheus:prometheus</cpe>
</suppress>
<suppress>
<notes><![CDATA[
Pinot packages being matched as Avro
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.pinot/.*@.*$</packageUrl>
<cpe>cpe:/a:avro_project:avro</cpe>
</suppress>
<suppress>
<notes><![CDATA[
Pinot mismatches
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.pinot/.*@.*$</packageUrl>
<cpe>cpe:/a:apache:avro</cpe>
<cpe>cpe:/a:tasks:tasks</cpe>
<cpe>cpe:/a:apache:thrift</cpe>
</suppress>
<suppress>
<notes><![CDATA[
CVE-2024-29133 and CVE-2024-29131 only impact commons-configuration 2+, which is already fixed. Commons configuration 1 is a different artifact and is unimpacted.
]]></notes>
<packageUrl regex="true">^pkg:maven/commons\-configuration/commons\-configuration@1\..*$</packageUrl>
<vulnerabilityName>CVE-2024-29133</vulnerabilityName>
<vulnerabilityName>CVE-2024-29131</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
This is a meaningless CVE and disputed. It highlights a method that throws a NPE when
called with null.
Ref: https://www.joda.org/joda-time/security.html
]]></notes>
<packageUrl regex="true">^pkg:maven/joda\-time/joda\-time@.*$</packageUrl>
<vulnerabilityName>CVE-2024-23080</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
Parquet Jackson shades this version of jackson and has no newer release. This is an invalid CVE regardless,
but is "fixed" in newer versions so we're only suppressing this specific shaded version. If a new
parquet is released, this should be removed. https://github.com/FasterXML/jackson-databind/issues/3972
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@2.13.4.2$</packageUrl>
<cve>CVE-2023-35116</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE specifically impacts quartz-jobs, not quartz itself. However they share a CPE and thus
dependency check can't disambiguate them.
Ref: https://github.com/jeremylong/DependencyCheck/issues/5862
It's also disputed (but we're only excluding the unimpacted jar regardless).
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.quartz\-scheduler/quartz@.*$</packageUrl>
<cve>CVE-2023-39017</cve>
</suppress>
<suppress>
<notes><![CDATA[
These are meaningless CVEs and disputed. They highlight a method that throws a NPE when
called with null.
Ref: https://www.threeten.org/threetenbp/security.html
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.threeten/threetenbp@.*$</packageUrl>
<cve>CVE-2024-23081</cve>
<cve>CVE-2024-23082</cve>
</suppress>
<suppress>
<notes><![CDATA[
The CVE lists 19.11 as a fixed version, but the scanner still incorrectly matches it.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql\-java/graphql\-java@19\.11$</packageUrl>
<vulnerabilityName>CVE-2024-40094</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
Jetty 11.x is EOL - official fix only available in 12.x for these CVEs
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-.*@11\..*$</packageUrl>
<cve>CVE-2024-8184</cve>
<cve>CVE-2024-6763</cve>
<cve>CVE-2025-11143</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: logback-core-1.2.13.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback-core@.*$</packageUrl>
<vulnerabilityName>CVE-2024-12798</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
file name: micrometer-registry-prometheus-simpleclient-1.14.4.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.micrometer/micrometer-registry-prometheus-simpleclient@.*$</packageUrl>
<cpe>cpe:/a:prometheus:prometheus</cpe>
</suppress>
</suppressions>