owasp-suppressions.xml

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
   Any hypertrace dep
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.hypertrace\..*@.*$</packageUrl>
    <cpe>cpe:/a:grpc:grpc</cpe>
    <cpe>cpe:/a:utils_project:utils</cpe>
  </suppress>
  <suppress until="2023-12-31Z">
    <notes><![CDATA[
  This vulnerability is disputed, with the argument that SSL configuration is the responsibility of the client rather
  than the transport. The change in default is under consideration for the next major Netty release, revisit then.
  Regardless, our client (which is what brings in this dependency) enables the concerned feature, hostname verification
  Ref:
  https://github.com/grpc/grpc-java/issues/10033
  https://github.com/netty/netty/issues/8537#issuecomment-1527896917
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.netty/netty.*@.*$</packageUrl>
    <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
  </suppress>
  <suppress until="2023-12-31Z">
    <notes><![CDATA[
   This CVE (rapid RST) is already mitigated as our servers aren't directly exposed, but it's also
   addressed in 1.59.1, which the CVE doesn't reflect (not all grpc impls versions are exactly aligned).
   Ref: https://github.com/grpc/grpc-java/pull/10675
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*@.*$</packageUrl>
    <cve>CVE-2023-44487</cve>
  </suppress>
</suppressions>