
Commit cca70e0

authored
fix(fp): Correct GRPC java suppressions for newer C/C++/native false positives (#8063)
Signed-off-by: Chad Wilson <[email protected]>
1 parent e879878 commit cca70e0


1 file changed

+16
-9
lines changed


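--- a/core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/core/src/main/resources/dependencycheck-base-suppression.xml
@@ -296,34 +296,41 @@
 </suppress>
 <suppress base="true">
 <notes><![CDATA[
-FP per #3002
+FP per #3002 CPE is for GRPC core
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/io\.opencensus/opencensus\-contrib\-grpc\-metrics@.*$</packageUrl>
 <cpe>cpe:/a:grpc:grpc</cpe>
 </suppress>
 <suppress base="true">
 <notes><![CDATA[
-FP per #3002, CVE is for grpc-js and c
+FP per #3002 and #5890 - CVE are for GRPC C/ruby/python etc. Suppressing individual CVEs because ODC cannot understand the target SW
+field. NVD search to review in future (not that some are marked incorrectly as affecting all languages)
+--> https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=1&sortDirection=1&cpeFilterMode=applicability&cpeName=cpe:2.3:a:grpc:grpc:*:*:*:*:*:*:*:*&resultType=records
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*$</packageUrl>
-<cve>CVE-2020-7768</cve>
+<cve>CVE-2017-7860</cve>
 <cve>CVE-2017-7861</cve>
 <cve>CVE-2017-8359</cve>
 <cve>CVE-2017-9431</cve>
+<cve>CVE-2020-7768</cve>
+<cve>CVE-2023-1428</cve>
+<cve>CVE-2023-32731</cve>
+<cve>CVE-2023-32732</cve>
+<cve>CVE-2023-33953</cve>
+<cve>CVE-2023-4785</cve>
+<cve>CVE-2024-11407</cve>
+<cve>CVE-2024-7246</cve>
 </suppress>
 <suppress base="true">
 <notes><![CDATA[
-FP per #3002, CVE is for grpc-js and c
+FP per #3002, CPE is for GRPC core
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-common\-protos@.*$</packageUrl>
-<cve>CVE-2020-7768</cve>
-<cve>CVE-2017-7861</cve>
-<cve>CVE-2017-8359</cve>
-<cve>CVE-2017-9431</cve>
+<cpe>cpe:/a:grpc:grpc</cpe>
 </suppress>
 <suppress base="true">
 <notes><![CDATA[
-FP per #3002, CVE is for grpc-js
+FP per #3002, CPE is for GRPC core
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/com\.lightstep\.tracer/.*$</packageUrl>
 <cpe>cpe:/a:grpc:grpc</cpe>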
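Review bot: The rewritten rationale in the `<notes>` of the `io.grpc/grpc-.*` suppression no longer covers every suppressed id: it says the CVEs are for "GRPC C/ruby/python etc.", yet `CVE-2020-7768` is kept in the list and the removed note had identified that one as grpc-js, so the next maintainer auditing this list has no stated reason for it. The same note has a typo that inverts its meaning ("not that some are marked incorrectly" should be "note that some are marked incorrectly"). I would rewrite the first two lines as `FP per #3002 and #5890 - these CVEs are for gRPC C-core/Ruby/Python (and CVE-2020-7768 for grpc-js), none affect grpc-java. Suppressing individual CVEs because ODC cannot read the NVD target-software` / `field; note that some entries are marked incorrectly as affecting all languages. Re-check new grpc CVEs against the NVD applicability search before adding them here:` and keep the URL line. Since this suppression is per-CVE precisely because a blanket `<cpe>` match would also hide advisories that do apply to grpc-java (per the note itself), a one-line reminder that each new id must be verified as not affecting the Java implementation before being appended would be a useful guard for future edits.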
