Added suppression of CVE-2019-17571; deleted suppression of CVE-2016-1000031.

Author: kwwall

suppressions.xml

@@ -1,10 +1,22 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+<!-- OWASP Dependency Check suppression file for ESAPI. -->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
     <suppress>
         <notes><![CDATA[
-        This suppresses a specific cve for any test.jar in any directory.
+            This suppresses CVE-2019-17571 for the log4j-1.2.17.jar dependency. ESAPI does
+            not use it in a manner that makes it exploitable and ESAPI is unable to
+            eliminate the dependency completely because our our deprecation policy. That specific
+            CVE is the Java deserialization CVE reported in Log4J 1's SocketServer class which ESAPI
+            doesn't use.
+
+            For further details, please see:
+                https://nvd.nist.gov/vuln/detail/CVE-2019-17571,
+                ESAPI GitHub Issue #538 (https://github.com/ESAPI/esapi-java-legacy/issues/538),
+                and the ESAPI security bulletin, "documentation/ESAPI-security-bulletin2.pdf", which
+                provides a detailed analysis of this issue in ESAPI.
         ]]></notes>
-        <filePath regex="true">.*\bcommons-fileupload-1.3.2.jar</filePath>
-        <cve>CVE-2016-1000031</cve>
+        <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
+        <cpe>cpe:/a:apache:log4j</cpe>
+        <cve>CVE-2019-17571</cve>
     </suppress>
-</suppressions>
+</suppressions>