blob: adebd4c116dc3d5982fae90ad3b8b03e26cb28dc (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!--
CVEs in the e2e project are deemed less severe than CVEs in the main projects as CVEs in the e2e
project doesn't affect release or debug versions of the app.
-->
<suppress until="2023-06-01Z">
<notes><![CDATA[
This CVE is tracked externally and is therefore suppressed in the automatic audit checks.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
<cve>CVE-2022-3171</cve>
<cve>CVE-2022-3509</cve>
<cve>CVE-2022-3510</cve>
<cve>CVE-2021-22569</cve>
</suppress>
<suppress until="2023-06-01Z">
<notes><![CDATA[
These CVEs affects the Apache Commons Net's FTP client that this app doesn't use.
https://www.openwall.com/lists/oss-security/2022/12/03/1
File names:
- commons-beanutils-1.9.4.jar
- commons-collections-3.2.2.jar
- commons-digester-2.1.jar
- commons-logging-1.2.jar
- commons-validator-1.7.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/commons\-.*/commons\-.*@.*$</packageUrl>
<cve>CVE-2021-37533</cve>
</suppress>
<suppress until="2023-06-01Z">
<notes><![CDATA[
This CVE is tracked externally and is therefore suppressed in the automatic audit checks.
https://nvd.nist.gov/vuln/detail/CVE-2021-29425
File name: commons-io-2.4.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl>
<cve>CVE-2021-29425</cve>
</suppress>
<suppress until="2023-06-01Z">
<notes><![CDATA[
These CVEs are tracked externally and is therefore suppressed in the automatic audit checks.
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>
<cve>CVE-2021-37136</cve>
<cve>CVE-2021-37137</cve>
<cve>CVE-2021-43797</cve>
<cve>CVE-2021-21295</cve>
<cve>CVE-2021-21409</cve>
<cve>CVE-2021-21290</cve>
<cve>CVE-2022-24823</cve>
<cve>CVE-2022-41881</cve>
<cve>CVE-2022-41915</cve>
</suppress>
<suppress until="2023-06-01Z">
<notes><![CDATA[
This CVE is tracked externally and is therefore suppressed in the automatic audit checks.
https://nvd.nist.gov/vuln/detail/CVE-2022-25647
File name: gson-2.8.6.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.code\.gson/gson@.*$</packageUrl>
<cve>CVE-2022-25647</cve>
</suppress>
<suppress until="2023-06-01Z">
<notes><![CDATA[
This CVE only affect Multiplatform Gradle Projects, which this project is not.
https://nvd.nist.gov/vuln/detail/CVE-2022-24329
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib.*@.*$</packageUrl>
<cve>CVE-2022-24329</cve>
</suppress>
<suppress until="2023-06-01Z">
<notes><![CDATA[
This CVE is limited to processing of screenshots, which this app doesn't use.
https://nvd.nist.gov/vuln/detail/CVE-2021-4277
File name: legacy-support-core-utils-1.0.0.aar
]]></notes>
<packageUrl regex="true">^pkg:maven/androidx\.legacy/legacy\-support\-core\-utils@.*$</packageUrl>
<cve>CVE-2021-4277</cve>
</suppress>
<suppress until="2023-06-01Z">
<notes><![CDATA[
This CVE is limited to processing of screenshots, which this app doesn't use.
https://nvd.nist.gov/vuln/detail/CVE-2021-4277
File name: common-30.3.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.android\.tools/common@.*$</packageUrl>
<cve>CVE-2021-4277</cve>
</suppress>
<suppress until="2024-06-01Z">
<notes><![CDATA[
This CVE only affect the leakCanary build type which is limited to memory leak testing etc.
This will most likely be solved by bumping to a future version of the leakcanary dependency
where a fixed version of okio is used.
https://nvd.nist.gov/vuln/detail/CVE-2023-3635
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio.*@.*$</packageUrl>
<cve>CVE-2023-3635</cve>
</suppress>
<suppress until="2023-12-01Z">
<notes><![CDATA[
This CVE only affect certain test cases so suppressing until patched.
https://nvd.nist.gov/vuln/detail/CVE-2023-3782
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp3/.*@.*$</packageUrl>
<cve>CVE-2023-3782</cve>
</suppress>
<suppress until="2024-09-01Z">
<notes><![CDATA[
False-positive related to Drupal rather than Android development.
https://nvd.nist.gov/vuln/detail/CVE-2014-9152
]]></notes>
<packageUrl regex="true">^pkg:maven/androidx\.test\.services/storage@.*$</packageUrl>
<cve>CVE-2014-9152</cve>
</suppress>
<suppress until="2024-05-01Z">
<notes><![CDATA[
Suppressing since the affected function isn't used in this project. No upstream fixes
are available at the time of adding this suppression.
https://nvd.nist.gov/vuln/detail/CVE-2024-23080
]]></notes>
<packageUrl regex="true">^pkg:maven/joda-time/joda-time@.*$</packageUrl>
<cve>CVE-2024-23080</cve>
</suppress>
</suppressions>
|
