summaryrefslogtreecommitdiffhomepage
path: root/android/config/dependency-check-suppression.xml
blob: c7ec54a5e86d0e68a0699a0100cdb43596112edc (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress until="2024-05-01Z">
        <notes><![CDATA[
        This CVE only part of the debugAndroidTestRuntimeClasspath so suppressing in automatic
        checks and tracking externally.

        File name: guava-28.2-android.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
        <cve>CVE-2020-8908</cve>
    </suppress>
    <suppress until="2024-03-01Z">
        <notes><![CDATA[
        This CVE only part of the debugAndroidTestRuntimeClasspath so suppressing in automatic
        checks and tracking externally.

        Fix released in: https://github.com/google/guava/releases/tag/v32.0.0

        File name: guava-28.2-android.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
        <cve>CVE-2023-2976</cve>
    </suppress>
    <suppress until="2024-05-01Z">
        <notes><![CDATA[
        This CVE only part of the debugAndroidTestRuntimeClasspath so suppressing in automatic
        checks and tracking externally.

        File name: jsoup-1.12.2.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.jsoup/jsoup@.*$</packageUrl>
        <cve>CVE-2022-36033</cve>
        <cve>CVE-2021-37714</cve>
    </suppress>
    <suppress until="2024-05-01Z">
        <notes><![CDATA[
        This CVE only affect Multiplatform Gradle Projects, which this project is not.
        https://nvd.nist.gov/vuln/detail/CVE-2022-24329
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib.*@.*$</packageUrl>
        <cve>CVE-2022-24329</cve>
    </suppress>
    <suppress until="2024-06-01Z">
        <notes><![CDATA[
        This CVE only affect the leakCanary build type which is limited to memory leak testing etc.
        This will most likely be solved by bumping to a future version of the leakcanary dependency
        where a fixed version of okio is used.
        https://nvd.nist.gov/vuln/detail/CVE-2023-3635
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@.*$</packageUrl>
        <cve>CVE-2023-3635</cve>
    </suppress>
    <suppress until="2024-06-01Z">
        <notes><![CDATA[
          This CVE only affect programs using loadXML and is derived from using ksp.
          We do not use the loadXML, ksp is used to generate navigation paths in our code
          and not for processesing any user input.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.devtools\.ksp/symbol\-processing.*@.*$</packageUrl>
        <cve>CVE-2018-1000840</cve>
    </suppress>
</suppressions>