Add suppressions for Dependency Check for CVEs that were examined and not exploitable.

kwwall · kwwall · commit 8d8bcfdb8c26 · 2022-04-17T00:26:14.000-04:00
diff --git a/suppressions.xml b/suppressions.xml
@@ -38,27 +38,41 @@
         <cve>CVE-2020-9488</cve>
     </suppress>
     <suppress>
-       <notes><![CDATA[file name: log4j-1.2.17.jar]]></notes>
-       <packageUrl regex="true">^pkg:maven/log4j/log4j@.*$</packageUrl>
-       <vulnerabilityName>CVE-2021-4104</vulnerabilityName>
+        <notes><![CDATA[
+            This suppresses CVE-2021-4104 for the log4j-1.2.17.jar dependency. ESAPI's
+            default configuration uses ConsoleAppender rathere than JMSAppender and
+            thus does not use Log4J 1 in a manner that makes it exploitable. ESAPI is unable to
+            eliminate the dependency completely because our our deprecation policy.
+
+            For further details, please see:
+                https://nvd.nist.gov/vuln/detail/CVE-2021-4104 and
+                the ESAPI security advisory #6, "documentation/ESAPI-security-bulletin6.pdf", which
+                provides a detailed analysis of this issue in ESAPI.
+        ]]></notes>
+        <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
+        <cpe>cpe:/a:apache:log4j</cpe>
+        <cve>CVE-2021-4104</cve>
     </suppress>
     <suppress>
-       <notes><![CDATA[
-           file name: neko-htmlunit-2.24.jar
+        <notes><![CDATA[
+            FIXME: Once we switch to Java 8 as the minimal JDK, update commons-io to the latest and delete this.
+
+            This CVE is path traversal issue in FileNameUtils.normalize(). That class is not used directly or indirectly
+            by ESAPI. We are required to use an older version of Commons-IO because of a direct dependency on Antisamy.
 
-           CVE-2020-5529 is for net.sourceforge.htmlunit:htmlunit, not net.sourceforge.htmlunit:neko-htmlunit.
-           As such, this is a false positive.
+            file name: commons-io-2.6.jar
         ]]></notes>
-       <packageUrl regex="true">^pkg:maven/net\.sourceforge\.htmlunit/neko\-htmlunit@.*$</packageUrl>
-       <cve>CVE-2020-5529</cve>
+        <packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl>
+        <cve>CVE-2021-29425</cve>
     </suppress>
     <suppress>
-       <notes><![CDATA[
-           file name: commons-io-2.6.jar
+        <notes><![CDATA[
+            ESAPI does not use this jar directly. It is a transitive dependency of AntiSamy and (as per Dave Wichers on
+            the AntiSamy team), it does not impact AntiSamy, and therefore does not impact ESAPI.
 
-           TODO:FIXME: Not sure if you want this suppressed or not, but suppressing for now so mvn site can finish successfully.
-       ]]></notes>
-       <packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl>
-       <cve>CVE-2021-29425</cve>
+             file name: batik-i18n-1.14.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.xmlgraphics/batik\-i18n@.*$</packageUrl>
+        <cve>CVE-2020-7791</cve>
     </suppress>
 </suppressions>
