<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!--
    Tempus Dominus is a date/time picker plugin, NOT Bootstrap itself.
    The OWASP Dependency Check incorrectly identifies this file as Bootstrap 4.min
    due to the filename containing "bootstrap-4".
    The listed CVEs (CVE-2016-10735, CVE-2018-14040, CVE-2018-14041, CVE-2018-14042, CVE-2019-8331)
    are Bootstrap vulnerabilities that were fixed in Bootstrap 4.3.1.
    These CVEs do NOT apply to Tempus Dominus - it's a false positive.
    Our project uses Bootstrap 4.6.2 (includes all security fixes from 4.3.1+).
    This suppression ONLY applies to the tempusdominus file, not to any actual Bootstrap files.
    -->
    <suppress>
        <notes><![CDATA[
        file name: tempusdominus-bootstrap-4.min.js
        This is the Tempus Dominus datetime picker plugin, not Bootstrap itself.
        False positive identification by dependency-check.
        The OWASP Dependency Check incorrectly identifies this file as Bootstrap 4.min
        due to the filename containing "bootstrap-4". These CVEs are related to Bootstrap,
        not to Tempus Dominus.
        We have updated the actual Bootstrap files (bootstrap4.6.2.min.js) which fixes
        these vulnerabilities. This suppression ONLY applies to the tempusdominus file
        based on the exact filename match.
        ]]></notes>
        <filePath regex="true">.*[/\\]tempusdominus-bootstrap-4\.min\.js$</filePath>
        <cve>CVE-2016-10735</cve>
        <cve>CVE-2018-14040</cve>
        <cve>CVE-2018-14041</cve>
        <cve>CVE-2018-14042</cve>
        <cve>CVE-2019-8331</cve>
    </suppress>
</suppressions>
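The comment above promises that the suppression is scoped to the Tempus Dominus file "based on the exact filename match" and does not touch any real Bootstrap file. That promise lives entirely in the `filePath` regex, and a regex that is slightly too loose would silently hide the Bootstrap CVEs on the files where they do apply. The script below is an added check, not part of this repository: it parses the suppression file (embedded inline, notes abbreviated), extracts each rule's pattern and CVE list, and runs the pattern against constructed sample paths that must and must not be suppressed. It assumes dependency-check applies a `regex="true"` path as a full match of the whole path, so `re.fullmatch` is used; the sample paths and the `check_scope` helper are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Namespace declared by the suppression file.
NS = {"dc": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# The rule from the suppression file, embedded inline (notes abbreviated) so the
# script runs offline. A raw string keeps the regex backslashes intact.
SUPPRESSIONS_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
    file name: tempusdominus-bootstrap-4.min.js
    Tempus Dominus datetime picker, not Bootstrap; false positive.
    ]]></notes>
    <filePath regex="true">.*[/\\]tempusdominus-bootstrap-4\.min\.js$</filePath>
    <cve>CVE-2016-10735</cve>
    <cve>CVE-2018-14040</cve>
    <cve>CVE-2018-14041</cve>
    <cve>CVE-2018-14042</cve>
    <cve>CVE-2019-8331</cve>
  </suppress>
</suppressions>
"""


def load_suppressions(xml_text: str) -> list[dict]:
    """Parse a suppressions document into a list of rule dicts."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rules = []
    for sup in root.findall("dc:suppress", NS):
        fp = sup.find("dc:filePath", NS)
        rules.append({
            "notes": (sup.findtext("dc:notes", default="", namespaces=NS) or "").strip(),
            "file_path": fp.text if fp is not None else None,
            "is_regex": fp is not None and fp.get("regex") == "true",
            "cves": [c.text for c in sup.findall("dc:cve", NS)],
        })
    return rules


def path_is_suppressed(rule: dict, path: str) -> bool:
    """True if this rule's filePath would silence findings on `path`.
    Assumption: a regex filePath is matched against the whole path (full match);
    a non-regex filePath must equal the path exactly."""
    pattern = rule["file_path"]
    if pattern is None:
        return False
    if rule["is_regex"]:
        return re.fullmatch(pattern, path) is not None
    return pattern == path


def check_scope(rule: dict, must_match: list[str], must_not_match: list[str]) -> list[str]:
    """Return a list of problems: intended files the rule misses, or files it
    would wrongly silence. An empty list means the rule is scoped as intended."""
    problems = []
    for p in must_match:
        if not path_is_suppressed(rule, p):
            problems.append(f"not suppressed: {p}")
    for p in must_not_match:
        if path_is_suppressed(rule, p):
            problems.append(f"over-broad: {p}")
    return problems


# Constructed sample paths (hypothetical project layout), covering both path
# separators that the regex's [/\\] class is meant to handle.
SHOULD_SUPPRESS = [
    "/srv/app/static/js/tempusdominus-bootstrap-4.min.js",
    r"C:\srv\app\static\js\tempusdominus-bootstrap-4.min.js",
]
MUST_NOT_SUPPRESS = [
    "/srv/app/static/js/bootstrap4.6.2.min.js",                 # the project's real Bootstrap file
    "/srv/app/static/js/bootstrap-4.min.js",                    # a plain Bootstrap 4 bundle; CVEs would apply
    "/srv/app/static/js/tempusdominus-bootstrap-4.js",          # unminified variant is outside the rule
    "/srv/app/static/js/tempusdominus-bootstrap-4.min.js.map",  # the $ anchor keeps this out
]

if __name__ == "__main__":
    for rule in load_suppressions(SUPPRESSIONS_XML):
        print(f"rule {rule['file_path']!r} silences {rule['cves']}")
        problems = check_scope(rule, SHOULD_SUPPRESS, MUST_NOT_SUPPRESS)
        print("scope OK" if not problems else "\n".join(problems))
```

Run this whenever the suppression file or the asset layout changes; if a real Bootstrap file ever lands on a path the pattern accepts, the check reports it as over-broad instead of letting the suppression hide a genuine finding.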