dependency-check-maven-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">

    <suppress>
      <notes><![CDATA[
        These are false positives that identify catalog-core-urlresourcereader and
        spatial-ogc-urlresourcereader as a "Yourfreeworld.com short URL & URL tracker script" library
      ]]></notes>
      <gav regex="true">^((ddf\.catalog\.core:catalog-core-)|(org.codice.ddf.spatial:spatial-ogc-))urlresourcereader:.*$</gav>
      <cve>CVE-2006-6460</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[
        This dependency is mistakenly identified as an Email-Address module for Perl, but it's not.
        It's a pure Java email address validator/parser that only depends on javax.mail
      ]]></notes>
        <gav regex="true">^com\.github\.bbottema:emailaddress-rfc2822:.*$</gav>
        <cve>CVE-2015-7686</cve>
    </suppress>

    <suppress>
      <notes><![CDATA[
        This CVE was already suppressed in DDF (https://github.com/codice/ddf/pull/2062), but it
        shows up again because of embed-dependency making the gav regex no longer match

        The same suppression still applies
      ]]></notes>
      <gav regex="true">^ddf\.platform:platform-http-proxy:.*$</gav>
      <cve>CVE-2017-3159</cve>
    </suppress>

    <suppress>
      <notes><![CDATA[
        These CVEs were suppressed in DDF (https://github.com/codice/ddf/pull/2728), but they showed
        up again because of embed-dependency making the gav regex no longer match

        The same suppression still applies
      ]]></notes>
      <gav regex="true">^ddf\.platform:platform-http-proxy:.*$</gav>
      <cve>CVE-2017-12633</cve>
      <cve>CVE-2017-12634</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[
            CVE-2011-2730 is related to a vulnerability in the VMware SpringSource Spring Framework,
            where OWASP flags jars that are unrelated or have no dependency on Spring, so marking it
            as a false positive.
        ]]></notes>
        <cve>CVE-2011-2730</cve>
    </suppress>

    <suppress>
        <notes>
            These CVEs stem from kernel-2.12.0-SNAPSHOT.zip: pax-web-jsp-6.0.6.jar and its use in
            Apache Tomcat. Because the system is not utilizing this library in a way that exposes
            the vulnerabilities, these CVEs do not pose a risk.
        </notes>
        <cve>CVE-2009-3548</cve>
        <cve>CVE-2011-3190</cve>
        <cve>CVE-2013-2185</cve>
        <cve>CVE-2014-0230</cve>
        <cve>CVE-2016-5425</cve>
        <cve>CVE-2016-6325</cve>
        <cve>CVE-2016-8735</cve>
    </suppress>

    <suppress>
        <notes>
            These CVEs are not an issue since the software is not exposing STOMP over WebSocket
            endpoints.
        </notes>
        <cve>CVE-2018-1270</cve>
        <cve>CVE-2018-1275</cve>
    </suppress>

    <suppress>
        <notes>
            These CVEs affect Jetty 9.3.x up to 9.3.23 and 9.4.x up to 9.4.10. CAL is using a
            version of jetty that does not fall within those ranges.
        </notes>
        <cve>CVE-2017-7658</cve>
        <cve>CVE-2017-7657</cve>
    </suppress>

</suppressions>