Suppress false positives in dependency track report

goneall · goneall · commit cd8332cab3ac · 2025-10-15T10:45:09.000-07:00
diff --git a/dependency-check-supress.xml b/dependency-check-supress.xml
@@ -1,4 +1,19 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-
+    <suppress>
+        <notes><![CDATA[
+   file name: icu4j-75.1.jar
+   This is a known false positive related to the CVE data
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.ibm\.icu/icu4j@.*$</packageUrl>
+        <cve>CVE-2025-5222</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: spdx-java-model-2_X-1.0.1.jar
+   Reference https://github.com/dependency-check/DependencyCheck/issues/8051
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.spdx/spdx-java-model-2_X@.*$</packageUrl>
+        <cpe>cpe:/a:x.org:x.org</cpe>
+    </suppress>
 </suppressions>
