corda/.ci/dependency-checker/suppressedLibraries.xml

42 lines
1.7 KiB
XML
Raw Normal View History

<?xml version="1.0" encoding="UTF-8" ?>
<!--
~ R3 Proprietary and Confidential
~
~ Copyright (c) 2018 R3 Limited. All rights reserved.
~
~ The intellectual and technical concepts contained herein are proprietary to R3 and its suppliers and are protected by trade secret law.
~
~ Distribution of this file or any portion thereof via any medium without the express permission of R3 is strictly prohibited.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<!-- Example of a suppressed library -->
<!-- The suppress node can be generated from the HTML report by using the 'suppress' option for each vulnerability found
<suppress>
<notes><![CDATA[
file name: some.jar
]]></notes>
<sha1>66734244CE86857018B023A8C56AE0635C56B6A1</sha1>
<cpe>cpe:/a:apache:struts:2.0.0</cpe>
</suppress>
-->
<suppress>
<!-- Vulnerability when using SSLv2 Hello messages. Corda uses TLS1.2-->
<notes><![CDATA[file name: catalyst-netty-1.1.2.jar]]></notes>
<gav regex="true">^io\.atomix\.catalyst:catalyst-netty:.*$</gav>
<cve>CVE-2014-3488</cve>
</suppress>
<suppress>
<!-- Vulnerability to LDAP poisoning attacks. Corda doesn't use LDAP-->
<notes><![CDATA[file name: groovy-all-1.8.9.jar]]></notes>
<gav regex="true">^commons-cli:commons-cli:.*$</gav>
<cve>CVE-2016-6497</cve>
</suppress>
<suppress>
<!-- Java objects serialization disabled in Corda -->
<notes><![CDATA[file name: groovy-all-1.8.9.jar]]></notes>
<gav regex="true">^commons-cli:commons-cli:.*$</gav>
<cve>CVE-2015-3253</cve>
</suppress>
</suppressions>