-
Task
-
Resolution: Done
-
Neutral
-
None
-
-
Empty show more show less
-
Empty show more show less
By now we're using a slightly dated version of the owasp dependency-check plugin. In their updates they usually remove false positives as well.
https://github.com/jeremylong/DependencyCheck/releases
Would be great to try the update without suppressions and see which ones remain.
—
After updating the plugin from version 5.3.1 to version 6.3.1 some suppressions turned out to be outdated, while new ones surfaced which the previous version did not detect.
Details for additions in suppression files notes.
Dismissed suppressions
| Removed | Added |
|---|---|
| okhttp-3.6.0.jar | vorbis-java-tika-0.8.jar (False positive: CVE-2017-6888) |
| daisydiff-1.2-magnolia.jar | vaadin-compatibility-ckeditor-1.3.9.jar (False positives: CVE-2021-37695, CVE-2014-5191) |
| tagsoup-1.2.1.jar | ckeditor-0.1.2.jar (False positives: CVE-2021-37695, CVE-2014-5191) |
| flatbuffers-java-1.10.0.jar | |
| xstream-1.4.15.jar | |
| xz-1.8.jar | |
| commons-io-2.6.jar | |
| mxparser-1.2.1.jar |
Mismatch suppressions
| Removed | Added |
|---|---|
| sentiment-analysis-parser-0.1.jar | xz-1.9.jar (CVE-2015-4035) |
| org.codehaus.groovy:groovy-*.jar | |
| cdi-api-2.0.SP1.jar | |
| neko-htmlunit-2.27.jar | |
| jackson-mapper-asl-1.9.13-atlassian-4.jar | |
| failureaccess-1.0.1.jar | |
| guava-1.0.0-beta7.jar | |
| preflight-2.0.19.jar | |
| xmpbox-2.0.19.jar | |
| kie-dmn-*-7.33.0.Final.jar | |
| drools-canonical-model-7.33.0.Final.jar | |
| pmml-*-1.4.11.jar | |
| kie-soup-project-datamodel-commons-7.33.0.Final.jar | |
| magnolia-cache-core-5.9.4.jar | |
| magnolia-advanced-cache-*-2.3.4.jar |
Acceptance criteria
