authorAlbin <albin@mullvad.net>2024-06-07 14:57:00 +0200
committerAlbin <albin@mullvad.net>2024-06-07 14:57:00 +0200
commit8a7bc6ab42b627c99cac79905391f0a267bc64cf (patch)
treec1c2b8f83b25434095f55d9df572571a90edfa4e
parentbd719540f817c3734677dd51acd69dca7ba74c53 (diff)
parentb6099763bd38e16c9b6ded06be180f971818db35 (diff)
Merge branch 'update-android-suppressions'
-rw-r--r--android/config/dependency-check-suppression.xml28
-rw-r--r--android/test/test-suppression.xml19
2 files changed, 26 insertions, 21 deletions
diff --git a/android/config/dependency-check-suppression.xml b/android/config/dependency-check-suppression.xml
index 5415813d1a..589b5d5317 100644
--- a/android/config/dependency-check-suppression.xml
+++ b/android/config/dependency-check-suppression.xml
@@ -8,17 +8,7 @@
<packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib.*@.*$</packageUrl>
<cve>CVE-2022-24329</cve>
</suppress>
- <suppress until="2024-06-01Z">
- <notes><![CDATA[
- This CVE only affect the leakCanary build type which is limited to memory leak testing etc.
- This will most likely be solved by bumping to a future version of the leakcanary dependency
- where a fixed version of okio is used.
- https://nvd.nist.gov/vuln/detail/CVE-2023-3635
- ]]></notes>
- <packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@.*$</packageUrl>
- <cve>CVE-2023-3635</cve>
- </suppress>
- <suppress until="2024-06-01Z">
+ <suppress until="2024-09-01Z">
<notes><![CDATA[
This CVE only affect programs using loadXML and is derived from using ksp.
We do not use the loadXML, ksp is used to generate navigation paths in our code
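Review bot: The ksp/loadXML suppression at `<suppress until="2024-09-01Z">` is pushed out by three months, but its notes are unchanged, so nothing records that the exposure was re-checked or what condition would let the suppression be dropped. Add a dated line to the notes such as `Re-reviewed 2024-06: still only reachable via loadXML, which we do not call; remove once ksp ships a fixed transitive dependency.`, naming the tracking issue if one exists. The `<cve>` element and the rest of this `<suppress>` block lie outside the hunk.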
@@ -35,4 +25,20 @@
<packageUrl regex="true">^pkg:maven/androidx\.test\.services/storage@.*$</packageUrl>
<cve>CVE-2014-9152</cve>
</suppress>
+ <suppress until="2024-12-01Z">
+ <notes><![CDATA[
+ False-positive only affecting javascript gRPC packages.
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/io\.grpc/protoc\-gen\-grpc\-kotlin@.*$</packageUrl>
+ <cve>CVE-2020-7768</cve>
+ </suppress>
+ <suppress until="2024-12-01Z">
+ <notes><![CDATA[
+ No impact on this app since it uses UDS rather than HTTP2.
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/io\.grpc/.*@.*$</packageUrl>
+ <cve>CVE-2023-32732</cve>
+ <cve>CVE-2023-33953</cve>
+ <cve>CVE-2023-44487</cve>
+ </suppress>
</suppressions>
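Review bot: The rationale `No impact on this app since it uses UDS rather than HTTP2.` on the new io.grpc suppression conflates transport with protocol: gRPC frames every call as HTTP/2 whether the socket is a Unix domain socket or TCP, so the mitigating factor is that the endpoint is local and unreachable by a remote peer, not that HTTP/2 is absent. Reword to `Only affects HTTP/2 endpoints exposed to untrusted peers; this app only talks gRPC over a local Unix domain socket to the daemon, which no remote party can reach.` and, if the app is only a gRPC client (the `-stub` artifacts in the sibling test-suppression file suggest so), say that too, since CVE-2023-44487 (HTTP/2 Rapid Reset) is a server-side resource-exhaustion issue. As far as NVD describes them, CVE-2023-32732 and CVE-2023-33953 concern the gRPC C-core HPACK handling rather than grpc-java, which may be a simpler and more accurate justification than the UDS argument, but confirm that before writing it into the notes. The packageUrl pattern `^pkg:maven/io\.grpc/.*@.*$` is also much broader than the `grpc.*-stub` pattern used for the same CVEs in test-suppression.xml. It would silently keep suppressing these CVEs for any io.grpc transport artifact (grpc-okhttp, grpc-netty) pulled in later, so narrow it to the artifacts actually depended on.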
diff --git a/android/test/test-suppression.xml b/android/test/test-suppression.xml
index 2e379e9062..fac53625c9 100644
--- a/android/test/test-suppression.xml
+++ b/android/test/test-suppression.xml
@@ -1,15 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
- <suppress until="2024-06-01Z">
- <notes><![CDATA[
- This CVE only affect the leakCanary build type which is limited to memory leak testing etc.
- This will most likely be solved by bumping to a future version of the leakcanary dependency
- where a fixed version of okio is used.
- https://nvd.nist.gov/vuln/detail/CVE-2023-3635
- ]]></notes>
- <packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio.*@.*$</packageUrl>
- <cve>CVE-2023-3635</cve>
- </suppress>
<suppress until="2024-09-01Z">
<notes><![CDATA[
False-positive related to Drupal rather than Android development.
@@ -18,4 +8,13 @@
<packageUrl regex="true">^pkg:maven/androidx\.test\.services/storage@.*$</packageUrl>
<cve>CVE-2014-9152</cve>
</suppress>
+ <suppress until="2024-12-01Z">
+ <notes><![CDATA[
+ No impact on this app since it uses UDS rather than HTTP2.
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/io\.grpc/grpc.*-stub@.*$</packageUrl>
+ <cve>CVE-2023-32732</cve>
+ <cve>CVE-2023-33953</cve>
+ <cve>CVE-2023-44487</cve>
+ </suppress>
</suppressions>
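Review bot: The pattern `^pkg:maven/io\.grpc/grpc.*-stub@.*$` scopes these three CVEs to stub artifacts only, while the companion entry added to config/dependency-check-suppression.xml in the same commit uses `^pkg:maven/io\.grpc/.*@.*$`, so the two scans now disagree on what is suppressed for an identical reason. A future io.grpc transport dependency would be reported by the test scan but silenced by the main config, which makes the difference easy to misread as intentional. Either align both files on the narrower stub pattern or add a sentence to these notes explaining why the test scan is deliberately stricter. The rationale `No impact on this app since it uses UDS rather than HTTP2.` is also imprecise, since gRPC over a Unix domain socket is still HTTP/2; the real mitigation is that the socket is local and not reachable by a remote peer, and the notes should say so.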