owasp-suppressions.xml

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
   Any hypertrace dep
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.hypertrace\..*@.*$</packageUrl>
    <cpe>cpe:/a:grpc:grpc</cpe>
    <cpe>cpe:/a:utils_project:utils</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[
    We need to get pinot to upgrade this dep, it's 16 years old. Upgrades fix this issue but have changed package/group names
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/commons\-httpclient/commons\-httpclient@.*$</packageUrl>
    <cve>CVE-2012-5783</cve>
    <cve>CVE-2020-13956</cve>
  </suppress>

  <suppress >
    <notes><![CDATA[
   Below CVEs impact zookeeper itself, rather than the zookeeper api
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.helix/zookeeper\-api@.*$</packageUrl>
    <cve>CVE-2016-5017</cve>
    <cve>CVE-2018-8012</cve>
    <cve>CVE-2019-0201</cve>
    <cve>CVE-2023-44981</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[
   CVE-2024-29133, CVE-2024-29131 only impacts commons-configuration 2+, which is already fixed. Commons configuration 1 is a different artifact and unimpacted.
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/commons\-configuration/commons\-configuration@1\..*$
    </packageUrl>
    <vulnerabilityName>CVE-2024-29133</vulnerabilityName>
    <vulnerabilityName>CVE-2024-29131</vulnerabilityName>
  </suppress>
  <suppress>
    <notes><![CDATA[
   CVE-2024-39676 needs pinot client upgrade from 0.12.1 version.
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.pinot/pinot\-.*@.*$</packageUrl>
    <cve>CVE-2024-39676</cve>
  </suppress>
</suppressions>