RET-0000: Suppressing more issues with no upgrades

hmcts · Oct 25, 2023 · a26f043 · a26f043
1 parent 9a5d978
commit a26f043
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 43 deletions.
diff --git a/build.gradle b/build.gradle
@@ -182,7 +182,7 @@ def versions = [
   junitPlatform   : '1.9.2',
   reformLogging   : '5.1.9',
   serenity        : '3.1.20',
-  tomcat          : '9.0.80'
+  tomcat          : '9.0.82'
 ]
 
 ext.libraries = [

diff --git a/config/owasp/suppressions.xml b/config/owasp/suppressions.xml
@@ -15,59 +15,24 @@
     <cve>CVE-2023-35116</cve>
   </suppress>
   <suppress>
-    <notes><![CDATA[
-   file name: netty-handler-4.1.97.Final.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.netty/netty\-handler@.*$</packageUrl>
-    <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-   file name: snakeyaml-1.30.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
-    <vulnerabilityName>CVE-2022-1471</vulnerabilityName>
+    <notes>
+      Affects azure-messaging-servicebus netty packages.
+      Upgrades are either still in beta or have not been used so suppressing for now.
+    </notes>
+    <cve>CVE-2023-44487</cve>
+    <cve>CVE-2023-4586</cve>
   </suppress>
   <suppress>
     <notes><![CDATA[
    file name: snakeyaml-1.30.jar
    ]]></notes>
     <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
+    <cve>CVE-2022-1471</cve>
     <cve>CVE-2022-25857</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-   file name: snakeyaml-1.30.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
     <cve>CVE-2022-38749</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-   file name: snakeyaml-1.30.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
     <cve>CVE-2022-38751</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-   file name: snakeyaml-1.30.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
     <cve>CVE-2022-38752</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-   file name: snakeyaml-1.30.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
     <cve>CVE-2022-41854</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-   file name: snakeyaml-1.30.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
     <cve>CVE-2022-38750</cve>
   </suppress>
   <suppress>