Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: update suppressions #195

Merged
merged 1 commit into from
Jan 3, 2024
Merged

chore: update suppressions #195

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 16 additions & 28 deletions owasp-suppressions.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,34 +1,22 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
<suppress>
<notes><![CDATA[
Any hypertrace dep
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.hypertrace\..*@.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
<cpe>cpe:/a:service_project:service</cpe>
<cpe>cpe:/a:utils_project:utils</cpe>
<cpe>cpe:/a:processing:processing</cpe>
</suppress>
<suppress until="2023-11-30Z">
<notes><![CDATA[
This vulnerability is disputed, with the argument that SSL configuration is the responsibility of the client rather
than the transport. The change in default is under consideration for the next major Netty release, revisit then.
Regardless, our client (which is what brings in this dependency) enables the concerned feature, hostname verification
Ref:
https://github.com/grpc/grpc-java/issues/10033
https://github.com/netty/netty/issues/8537#issuecomment-1527896917
<packageUrl regex="true">^pkg:maven/org\.hypertrace\..*@.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
<cpe>cpe:/a:service_project:service</cpe>
<cpe>cpe:/a:utils_project:utils</cpe>
<cpe>cpe:/a:processing:processing</cpe>
</suppress>
<suppress until="2024-01-31Z">
<notes><![CDATA[
Legitimate vulnerability, but unlikely to be exploited in practice as issues are with args
that are not under user control like radix. Expect the severity to be revised, but revisit
once fix is released. Ref: https://github.com/seancfoley/IPAddress/issues/118
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty.*@.*$</packageUrl>
<vulnerabilityName>CVE-2023-4586</vulnerabilityName>
</suppress>
<suppress until="2023-12-31Z">
<notes><![CDATA[
This CVE (rapid RST) is already mitigated as our servers aren't directly exposed, but it's also
addressed in 1.59.1, which the CVE doesn't reflect (not all grpc impls versions are exactly aligned).
Ref: https://github.com/grpc/grpc-java/pull/10675
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*@.*$</packageUrl>
<cve>CVE-2023-44487</cve>
</suppress>
<packageUrl regex="true">^pkg:maven/com\.github\.seancfoley/ipaddress@.*$</packageUrl>
<vulnerabilityName>CVE-2023-50570</vulnerabilityName>
</suppress>
</suppressions>