android/test/test-suppression.xml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!--
    CVEs in the e2e project are deemed less severe than CVEs in the main projects as CVEs in the e2e
    project doesn't affect release or debug versions of the app.
    -->
    <suppress until="2023-06-01Z">
        <notes><![CDATA[
        This CVE is tracked externally and is therefore suppressed in the automatic audit checks.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
        <cve>CVE-2022-3171</cve>
        <cve>CVE-2022-3509</cve>
        <cve>CVE-2022-3510</cve>
        <cve>CVE-2021-22569</cve>
    </suppress>
    <suppress until="2023-06-01Z">
        <notes><![CDATA[
        These CVEs affects the Apache Commons Net's FTP client that this app doesn't use.
        https://www.openwall.com/lists/oss-security/2022/12/03/1

        File names:
        - commons-beanutils-1.9.4.jar
        - commons-collections-3.2.2.jar
        - commons-digester-2.1.jar
        - commons-logging-1.2.jar
        - commons-validator-1.7.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/commons\-.*/commons\-.*@.*$</packageUrl>
        <cve>CVE-2021-37533</cve>
    </suppress>
    <suppress until="2023-06-01Z">
        <notes><![CDATA[
        This CVE is tracked externally and is therefore suppressed in the automatic audit checks.
        https://nvd.nist.gov/vuln/detail/CVE-2021-29425

        File name: commons-io-2.4.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl>
        <cve>CVE-2021-29425</cve>
    </suppress>
    <suppress until="2023-06-01Z">
        <notes><![CDATA[
        These CVEs are tracked externally and is therefore suppressed in the automatic audit checks.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>
        <cve>CVE-2021-37136</cve>
        <cve>CVE-2021-37137</cve>
        <cve>CVE-2021-43797</cve>
        <cve>CVE-2021-21295</cve>
        <cve>CVE-2021-21409</cve>
        <cve>CVE-2021-21290</cve>
        <cve>CVE-2022-24823</cve>
        <cve>CVE-2022-41881</cve>
        <cve>CVE-2022-41915</cve>
    </suppress>
    <suppress until="2023-06-01Z">
        <notes><![CDATA[
        This CVE is tracked externally and is therefore suppressed in the automatic audit checks.
        https://nvd.nist.gov/vuln/detail/CVE-2022-25647

        File name: gson-2.8.6.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.code\.gson/gson@.*$</packageUrl>
        <cve>CVE-2022-25647</cve>
    </suppress>
    <suppress until="2023-06-01Z">
        <notes><![CDATA[
        This CVE only affect Multiplatform Gradle Projects, which this project is not.
        https://nvd.nist.gov/vuln/detail/CVE-2022-24329
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib.*@.*$</packageUrl>
        <cve>CVE-2022-24329</cve>
    </suppress>
    <suppress until="2023-06-01Z">
        <notes><![CDATA[
        This CVE is limited to processing of screenshots, which this app doesn't use.
        https://nvd.nist.gov/vuln/detail/CVE-2021-4277

        File name: legacy-support-core-utils-1.0.0.aar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/androidx\.legacy/legacy\-support\-core\-utils@.*$</packageUrl>
        <cve>CVE-2021-4277</cve>
    </suppress>
    <suppress until="2023-06-01Z">
        <notes><![CDATA[
        This CVE is limited to processing of screenshots, which this app doesn't use.
        https://nvd.nist.gov/vuln/detail/CVE-2021-4277

        File name: common-30.3.1.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.android\.tools/common@.*$</packageUrl>
        <cve>CVE-2021-4277</cve>
    </suppress>
    <suppress until="2024-06-01Z">
        <notes><![CDATA[
        This CVE only affect the leakCanary build type which is limited to memory leak testing etc.
        This will most likely be solved by bumping to a future version of the leakcanary dependency
        where a fixed version of okio is used.
        https://nvd.nist.gov/vuln/detail/CVE-2023-3635
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio.*@.*$</packageUrl>
        <cve>CVE-2023-3635</cve>
    </suppress>
    <suppress until="2023-12-01Z">
        <notes><![CDATA[
        This CVE only affect certain test cases so suppressing until patched.
        https://nvd.nist.gov/vuln/detail/CVE-2023-3782
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp3/.*@.*$</packageUrl>
        <cve>CVE-2023-3782</cve>
    </suppress>
</suppressions>