android/config/dependency-check-suppression.xml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress until="2025-02-01Z">
        <notes><![CDATA[
        This CVE only affect Multiplatform Gradle Projects, which this project is not.
        https://nvd.nist.gov/vuln/detail/CVE-2022-24329
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib.*@.*$</packageUrl>
        <cve>CVE-2022-24329</cve>
    </suppress>
    <suppress until="2024-12-01Z">
        <notes><![CDATA[
          This CVE only affect programs using loadXML and is derived from using ksp.
          We do not use the loadXML, ksp is used to generate navigation paths in our code
          and not for processesing any user input.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.devtools\.ksp/symbol\-processing.*@.*$</packageUrl>
        <cve>CVE-2018-1000840</cve>
    </suppress>
    <suppress until="2024-12-01Z">
        <notes><![CDATA[
            False-positive only affecting javascript gRPC packages.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.grpc/protoc\-gen\-grpc\-kotlin@.*$</packageUrl>
        <cve>CVE-2020-7768</cve>
    </suppress>
    <suppress until="2024-12-01Z">
        <notes><![CDATA[
            No impact on this app since it uses UDS rather than HTTP2.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.grpc/.*@.*$</packageUrl>
        <cve>CVE-2023-32732</cve>
        <cve>CVE-2023-33953</cve>
        <cve>CVE-2023-44487</cve>
    </suppress>
    <suppress until="2024-12-26Z">
        <notes><![CDATA[
            False-positive related to a NodeJS library and not the one we use.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/commons\-validator/commons\-validator@.*$</packageUrl>
        <cve>CVE-2021-3765</cve>
    </suppress>
    <suppress until="2024-12-01Z">
        <notes><![CDATA[
            Denial of service using protobuf.
            Should not be applicable since client and server are always in sync and we are only
            communicating locally over UDS.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf-.*@.*$</packageUrl>
        <cve>CVE-2024-7254</cve>
    </suppress>
    <suppress until="2025-01-04Z">
        <notes><![CDATA[
            No impact since the app doesn't process externally crafted XML.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/commons-io/commons-io@.*$</packageUrl>
        <cve>CVE-2024-47554</cve>
    </suppress>
</suppressions>