Update dep check suppression for jackson and graalvm

barchetta · Nov 8, 2024 · f2ece8e · f2ece8e
1 parent 64b5619
commit f2ece8e
Showing 1 changed file with 11 additions and 13 deletions.
diff --git a/etc/dependency-check-suppression.xml b/etc/dependency-check-suppression.xml
@@ -166,23 +166,21 @@ https://github.com/jeremylong/DependencyCheck/issues/7019
    <packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal-sdk@.*$</packageUrl>
    <vulnerabilityName>CVE-2024-21211</vulnerabilityName>
 </suppress>
-
-
-<!-- 
-    This CVE is being disputed by the Jackson project and the community seems in agreement that this
-    CVE should be rejected. We are suppressing this for now to reduce noise in our scan and will
-    continue to monitor progress.
-    https://nvd.nist.gov/vuln/detail/CVE-2023-35116
-    https://github.com/FasterXML/jackson-databind/issues/3972
-
--->
 <suppress>
    <notes><![CDATA[
-   file name: jackson-databind-2.15.2.jar
+   file name: graal-sdk-22.3.0.jar
    ]]></notes>
-   <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-   <cve>CVE-2023-35116</cve>
+   <packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal-sdk@.*$</packageUrl>
+   <vulnerabilityName>CVE-2023-22045</vulnerabilityName>
 </suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: graal-sdk-22.3.0.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal-sdk@.*$</packageUrl>
+   <vulnerabilityName>CVE-2024-21094</vulnerabilityName>
+</suppress>
+
 
 <!--
     This CVE is is concerning proper use of Netty's hostname verification. Helidon enables hostname