| author | Albin <albin@mullvad.net> | 2022-12-08 12:02:00 +0100 |
|---|---|---|
| committer | Albin <albin@mullvad.net> | 2022-12-08 15:38:37 +0100 |
| commit | 8c6954d4c8d0638fe2b408c9147e56522cb79aa8 (patch) | |
| tree | c63536b3d957f5b778a5d70191fc1dfbdd48aaf7 /android | |
| parent | 93d313aae81be30285d097bd511944f1bb6b00cb (diff) | |
| download | mullvadvpn-8c6954d4c8d0638fe2b408c9147e56522cb79aa8.tar.xz mullvadvpn-8c6954d4c8d0638fe2b408c9147e56522cb79aa8.zip | |
Suppress CVEs in e2e project
Some of the CVEs don't affect the project and some will be tracked externally.
Diffstat (limited to 'android')
| -rw-r--r-- | android/e2e/e2e-suppression.xml | 60 |
1 files changed, 54 insertions, 6 deletions
diff --git a/android/e2e/e2e-suppression.xml b/android/e2e/e2e-suppression.xml
index 4729d5da68..c29b32045c 100644
--- a/android/e2e/e2e-suppression.xml
+++ b/android/e2e/e2e-suppression.xml
@@ -1,11 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
- <suppress>
- <notes><![CDATA[
- This CVE only affect Multiplatform Gradle Projects, which this project is not.
- ]]></notes>
- <cve>CVE-2022-24329</cve>
- </suppress>
+ <!--
+ CVEs in the e2e project are deemed less severe than CVEs in the main projects as CVEs in the e2e
+ project doesn't affect release or debug versions of the app.
+ -->
 <suppress>
 <notes><![CDATA[
 This CVE is a false positive as the description refers to a GO library (github.com/containers/storage).
@@ -30,6 +28,15 @@
 </suppress>
 <suppress>
 <notes><![CDATA[
+ This CVE is tracked externally and is therefore suppressed in the automatic audit checks.
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
+ <cve>CVE-2022-3171</cve>
+ <cve>CVE-2022-3509</cve>
+ <cve>CVE-2021-22569</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
 This CVE affects the Apache Commons Net's FTP client that this app doesn't use.
 https://www.openwall.com/lists/oss-security/2022/12/03/1
 
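Review bot: The protobuf-java suppression added in the second hunk justifies itself only with "tracked externally" and records neither where the CVEs are tracked nor when the entry should be revisited, so CVE-2022-3171, CVE-2022-3509 and CVE-2021-22569 stay hidden indefinitely even after the external ticket is closed or the dependency is upgraded. The DependencyCheck suppression schema supports an `until` attribute on `<suppress>`; a bounded entry such as `<suppress until="YYYY-MM-DDZ">` (date placeholder) plus the tracker URL in the notes, as the commons-io and gson entries do with their NVD links, keeps the audit from going stale silently. The same missing expiry applies to the commons-io, netty and gson entries in the following hunk.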
@@ -43,4 +50,45 @@
 <packageUrl regex="true">^pkg:maven/commons\-.*/commons\-.*@.*$</packageUrl>
 <cve>CVE-2021-37533</cve>
 </suppress>
+ <suppress>
+ <notes><![CDATA[
+ This CVE is tracked externally and is therefore suppressed in the automatic audit checks.
+ https://nvd.nist.gov/vuln/detail/CVE-2021-29425
+
+ File name: commons-io-2.4.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl>
+ <cve>CVE-2021-29425</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ This CVE is tracked externally and is therefore suppressed in the automatic audit checks.
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>
+ <cve>CVE-2021-37136</cve>
+ <cve>CVE-2021-37137</cve>
+ <cve>CVE-2021-43797</cve>
+ <cve>CVE-2021-21295</cve>
+ <cve>CVE-2021-21409</cve>
+ <cve>CVE-2021-21290</cve>
+ <cve>CVE-2022-24823</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ This CVE is tracked externally and is therefore suppressed in the automatic audit checks.
+ https://nvd.nist.gov/vuln/detail/CVE-2022-25647
+
+ File name: gson-2.8.6.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/com\.google\.code\.gson/gson@.*$</packageUrl>
+ <cve>CVE-2022-25647</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ This CVE only affect Multiplatform Gradle Projects, which this project is not.
+ https://nvd.nist.gov/vuln/detail/CVE-2022-24329
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib.*@.*$</packageUrl>
+ <cve>CVE-2022-24329</cve>
+ </suppress>
 </suppressions> |
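Review bot: The netty entry's `<packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>` matches every io.netty artifact at every version, so its seven CVEs remain suppressed if a vulnerable netty version is later re-introduced through a transitive dependency; its notes also say "This CVE" while covering seven. Where the notes already name the affected jar (commons-io-2.4.jar, gson-2.8.6.jar) the regex can pin that version, e.g. `^pkg:maven/commons\-io/commons\-io@2\.4$`, so that a downgrade or a different vulnerable version re-triggers the check instead of being silently absorbed. A one-line "Suppressed because: ..." note per CVE group, or at least the NVD link the other entries carry, would make the netty block auditable.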
