suppressions.xml

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
           file name: snakeyaml-2.0.jar
           Severity: HIGH
           These vulnerabilities are not relevant to this project's usage of snakeyaml.
           ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
        <cve>CVE-2023-2251</cve>
        <cve>CVE-2021-4235</cve>
        <cve>CVE-2022-3064</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
           file name: LatencyUtils-2.0.3.jar

           Not relevant. LatencyUtils is invoked through micrometer instrumentation, which is not
           enabled when this project is run.
           ]]>
        </notes>
        <cve>CVE-2021-4277</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
           file name: commons-compress-1.22.jar

           The CVE is specific to the .NET version of the library. This is the Java version.
           This is a false positive.
           ]]>
        </notes>
        <cve>CVE-2021-37533</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
           file name: jackson-core-2.14.2.jar
           ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
        <cpe>cpe:/a:fasterxml:jackson-modules-java8</cpe>
        <cpe>cpe:/a:json-java_project:json-java</cpe>
    </suppress>
    <suppress until="2024-12-13Z">
        <notes><![CDATA[
            file name: rewrite-core-8.6.0-SNAPSHOT.jar (shaded: org.eclipse.jgit:org.eclipse.jgit:5.13.2.202306221912-r)

            Not relevant. And we pin to this version to support Java8.
            ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
        <vulnerabilityName>CVE-2023-4759</vulnerabilityName>
    </suppress>
</suppressions>