finos · dschwartznyc · Jun 12, 2025 · May 18, 2025 · May 23, 2025 · Jun 12, 2025
diff --git a/allow-list.xml b/allow-list.xml
@@ -1,112 +1,82 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-          <notes><![CDATA[
-        Testing false positives by suppressing a CVE
-        ]]></notes>
-    <filePath regex="true">.*\bsample-project-0\.0\.1\.jar/META-INF/maven/commons-fileupload/commons-fileupload/pom\.xml</filePath>
-        <cve>CVE-2023-24998</cve>
-        <cve>CVE-2016-3092</cve>
-        <cve>CVE-2016-1000031</cve>
-        <cve>CVE-2014-0050</cve>
-        <cve>CVE-2013-2186</cve>
-    </suppress>
-
-     <suppress>
-          <notes><![CDATA[
-        Testing false positives by suppressing a CVE
-        ]]></notes>
-    <filePath regex="true">.*\bsample-project-0\.0\.1\.jar/META-INF/maven/commons-io/commons-io/pom\.xml</filePath>
-        <cve>CVE-2021-29425</cve>
-    </suppress>
-
-     <suppress>
-          <notes><![CDATA[
-        Testing false positives by suppressing a CVE
-        ]]></notes>
-    <filePath regex="true">.*\bsample-project-0\.0\.1\.jar/META-INF/maven/org\.apache\.struts\.xwork/xwork-core/pom\.xml</filePath>
-        <cve>CVE-2013-1966</cve>
-        <cve>CVE-2016-4461</cve>
-        <cve>CVE-2013-1965</cve>
-        <cve>CVE-2016-2162</cve>
-        <cve>CVE-2013-2115</cve>
-        <cve>CVE-2014-0112</cve>
-        <cve>CVE-2019-0233</cve>
-        <cve>CVE-2017-9787</cve> 
-    </suppress>
-
-      <suppress>
-          <notes><![CDATA[
-        Testing false positives by suppressing a CVE
-        ]]></notes>
-    <filePath regex="true">.*\bsample-project-0\.0\.1\.jar/META-INF/maven/ognl/ognl/pom\.xml</filePath>
-        <cve>CVE-2016-3093</cve>
-    </suppress>
+<!--
+  ~ Copyright 2024 REGnosys
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
 
-    <suppress>
-          <notes><![CDATA[
-        Testing false positives by suppressing a CVE
-        ]]></notes>
-    <filePath regex="true">.*\bsample-project-0.0.1.jar/META-INF/maven/org.apache.struts/struts2-core/pom.xml</filePath>
-        <cve>CVE-2016-4461</cve>
-        <cve>CVE-2015-5209</cve>
-        <cve>CVE-2016-2162</cve>
-        <cve>CVE-2018-1327</cve>
-        <cve>CVE-2012-0394</cve>
-        <cve>CVE-2015-2992</cve>
-        <cve>CVE-2016-3093</cve>
-        <cve>CVE-2023-34396</cve>
-        <cve>CVE-2016-0785</cve>
-        <cve>CVE-2016-4003</cve>
-        <cve>CVE-2013-2248</cve>
-        <cve>CVE-2017-5638</cve>
-        <cve>CVE-2015-5169</cve>
-        <cve>CVE-2017-9793</cve>
-        <cve>CVE-2016-4430</cve>
-        <cve>CVE-2017-9791</cve>
-        <cve>CVE-2016-3081</cve>
-        <cve>CVE-2016-3082</cve>
-        <cve>CVE-2023-34149</cve>
-        <cve>CVE-2019-0230</cve>
-        <cve>CVE-2013-2134</cve>
-        <cve>CVE-2016-4436</cve>
-        <cve>CVE-2019-0233</cve>
-        <cve>CVE-2021-31805</cve>
-        <cve>CVE-2014-7809</cve>
-        <cve>CVE-2013-2135</cve>
-        <cve>CVE-2014-0116</cve>
-        <cve>CVE-2013-2251</cve>
-        <cve>CVE-2013-4310</cve>
-        <cve>CVE-2013-1966</cve>
-        <cve>CVE-2017-9804</cve>
-        <cve>CVE-2013-1965</cve>
-        <cve>CVE-2017-9805</cve>
-        <cve>CVE-2017-12611</cve>
-        <cve>CVE-2013-2115</cve>
-        <cve>CVE-2014-0113</cve>
-        <cve>CVE-2013-4316</cve>
-        <cve>CVE-2014-0112</cve>
-        <cve>CVE-2018-11776</cve>
-        <cve>CVE-2016-3090</cve>
-        <cve>CVE-2017-9787</cve>
-        <cve>CVE-2014-0094</cve>
-        <cve>CVE-2020-17530</cve>
-    </suppress>
-
- <suppress>
-   <notes><![CDATA[
-   file name: sample-project-0.0.1.jar (shaded: commons-fileupload:commons-fileupload:1.2.2)
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/commons\-fileupload/commons\-fileupload@.*$</packageUrl>
-   <cve>CVE-2013-0248</cve>
-</suppress>
-
-<suppress>
-   <notes><![CDATA[
-   file name: sample-project-0.0.1.jar (shaded: org.apache.struts:struts2-core:2.3.8)
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts2\-core@.*$</packageUrl>
-   <cve>CVE-2023-50164</cve>
-   <cve>CVE-2023-41835</cve> 
-</suppress>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+   <suppress>
+      <notes><![CDATA[
+      This CVE only affects projects fetching p2 repo's over HTTP, but we use HTTPS.
+      ]]></notes>
+      <cve>CVE-2021-41033</cve>
+   </suppress>
+   <suppress>
+	  <notes><![CDATA[
+	  We are using Reload4j, which is a secure drop-in replacement for log4j.
+	  ]]></notes>
+	  <cve>CVE-2020-9493</cve>
+	</suppress>
+	<suppress>
+	   <notes><![CDATA[
+	   We are using Reload4j, which is a secure drop-in replacement for log4j.
+	   ]]></notes>
+	   <cve>CVE-2022-23307</cve>
+	</suppress>
+	<suppress>
+	   <notes><![CDATA[
+	   This CVE is not about org.junit.platform.commons. It seems the check is
+	   too loose.
+	   ]]></notes>
+	   <cve>CVE-2020-27225</cve>
+	</suppress>
+	<suppress>
+	   <notes><![CDATA[
+	   This CVE only affects projects using Xtext prior to 2.18.0.
+	   ]]></notes>
+	   <cve>CVE-2019-10249</cve>
+	</suppress>
+	<suppress>
+	   <notes><![CDATA[
+	   Calling the method `com.google.common.io.Files.createTempDir` is a vulnerability,
+	   but we do not call it.
+	   ]]></notes>
+	   <cve>CVE-2020-8908</cve>
+	</suppress>
+	<suppress>
+	   <notes><![CDATA[
+	   We are not creating SVG's with Batik of Apache XML Graphics.
+	   ]]></notes>
+	   <cve>CVE-2022-41704</cve>
+	</suppress>
+	<suppress>
+	   <notes><![CDATA[
+	   We are not creating SVG's with Batik of Apache XML Graphics.
+	   ]]></notes>
+	   <cve>CVE-2022-42890</cve>
+	</suppress>
+	<suppress>
+	   	<notes><![CDATA[
+	   This CVE is not about org.eclipse.e4.emf.xpath. It seems the check is
+	   too loose.
+	   ]]></notes>
+	   <cve>CVE-2022-41852</cve>
+	</suppress>
+	<suppress>
+	   <notes><![CDATA[
+	   This only affects milestone and RC versions, but we use a stable release.
+	   ]]></notes>
+	   <cve>CVE-2020-15824</cve>
+	</suppress>
 </suppressions>