| author | Jonatan Rhodin <jonatan.rhodin@mullvad.net> | 2024-09-23 17:13:49 +0200 |
|---|---|---|
| committer | David Göransson <david.goransson@mullvad.net> | 2024-09-24 16:14:55 +0200 |
| commit | e95642136871c5027c6793b0e0f3cbfe30859bfd (patch) | |
| tree | a3a98fecb17642df573fb8a1f7eae4d5acdd8c32 /android | |
| parent | 3568339ba1858e1bed059466882ddbc6f74f1550 (diff) | |
Add suppressions for unintended CVEs
Diffstat (limited to 'android')
| -rw-r--r-- | android/build.gradle.kts | 6 | ||||
| -rw-r--r-- | android/config/dependency-check-suppression-agp-fixes.xml | 40 |
2 files changed, 45 insertions, 1 deletions
diff --git a/android/build.gradle.kts b/android/build.gradle.kts
index a136aa6fd8..f62e00c87e 100644
--- a/android/build.gradle.kts
+++ b/android/build.gradle.kts
@@ -109,7 +109,11 @@ allprojects {
 configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
 failBuildOnCVSS = 0F // All severity levels
- suppressionFile = "${rootProject.projectDir}/config/dependency-check-suppression.xml"
+ suppressionFiles =
+ listOf(
+ "${rootProject.projectDir}/config/dependency-check-suppression.xml",
+ "${rootProject.projectDir}/config/dependency-check-suppression-agp-fixes.xml",
+ )
 }
 configure<com.ncorti.ktfmt.gradle.KtfmtExtension> {
diff --git a/android/config/dependency-check-suppression-agp-fixes.xml b/android/config/dependency-check-suppression-agp-fixes.xml
new file mode 100644
index 0000000000..9f402e1ca9
--- /dev/null
+++ b/android/config/dependency-check-suppression-agp-fixes.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+ <suppress until="2024-12-01Z">
+ <notes><![CDATA[
+ This and all other supressions in this file are for dependencies only used for tests.
+ These should be excluded by the plugin but this behaviour is broken.
+ Added here until we can fix the plugin behaviour.
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/io\.netty/.*@.*$</packageUrl>
+ <cve>CVE-2022-41881</cve>
+ <cve>CVE-2023-44487</cve>
+ <cve>CVE-2023-34462</cve>
+ <cve>CVE-2022-24823</cve>
+ <cve>CVE-2024-29025</cve>
+ <cve>CVE-2022-41915</cve>
+ </suppress>
+ <suppress until="2024-12-01Z">
+ <notes><![CDATA[
+ This and all other supressions in this file are for dependencies only used for tests.
+ These should be excluded by the plugin but this behaviour is broken.
+ Added here until we can fix the plugin behaviour.
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/.*@.*$</packageUrl>
+ <cve>CVE-2024-7254</cve>
+ <cve>CVE-2022-3171</cve>
+ <cve>CVE-2022-3510</cve>
+ <cve>CVE-2021-22569</cve>
+ </suppress>
+ <suppress until="2024-12-01Z">
+ <notes><![CDATA[
+ This and all other supressions in this file are for dependencies only used for tests.
+ These should be excluded by the plugin but this behaviour is broken.
+ Added here until we can fix the plugin behaviour.
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/com.google.guava/guava@.*$</packageUrl>
+ <cve>CVE-2023-2976</cve>
+ <cve>CVE-2020-8908</cve>
+ </suppress>
+</suppressions>
+
|
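Review bot: The three `packageUrl` patterns suppress the listed CVEs for every artifact in the matched group wherever the scanner finds it, because a suppression file matches on package URL and carries no notion of Gradle configuration scope; the notes justify the entries by test-only use, but nothing in the file encodes that, so if any io.netty, com.google.protobuf or guava artifact is (or later becomes) a runtime dependency of the app, the same findings are silenced there too. Consider narrowing each `packageUrl` to the exact artifact coordinates and versions present on the test classpath, or at least record in the notes how the test-only claim was verified, so the `until="2024-12-01Z"` re-review has something concrete to check against. The guava pattern also leaves its dots unescaped, unlike the two patterns above it; `<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>` keeps the three consistent. The notes misspell "suppressions" as "supressions" in all three copies of the paragraph.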
