Suppress glassfish false positive

helidon-io · Oct 8, 2024 · 828fbef · 828fbef
1 parent ccb68a8
commit 828fbef
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/etc/dependency-check-suppression.xml b/etc/dependency-check-suppression.xml
@@ -2,6 +2,21 @@
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 <!-- For information see https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
 
+<!-- False Positive
+     This CVE is against the GlassFish application server, but is mistakenly being
+     identified in various org.glassfish artifacts
+https://github.com/jeremylong/DependencyCheck/issues/7021
+https://github.com/jeremylong/DependencyCheck/issues/7020
+https://github.com/jeremylong/DependencyCheck/issues/7019
+-->
+<suppress>
+   <notes><![CDATA[
+   file name: jakarta.el-4.0.2.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/org\.glassfish.*/(jakarta\.el|jakarta\.json|jaxb-core|jaxb-runtime|osgi-resource-locator|txw2)@.*$</packageUrl>
+   <cve>CVE-2024-9329</cve>
+</suppress>
+
 <!--
     This CVE is against DOMPurify brought in by javascript in the smallrye UI component.
     In 4.x we made this component "provided". We can't do that in 2.x and 3.x due to compatiblity concerns.