Trang chủ Khám phá Trợ giúp
Đăng ký Đăng nhập
Phil
/
Threema-Android-mirror
mirror of https://github.com/threema-ch/threema-android.git
1
0
Fork 0
Các tập tin Các vấn đề 0 Wiki
Tree: 6b19214dcf
Branches Tags
Threema-Android...
/
dependencyCheckSuppressions.xml

dependencyCheckSuppressions.xml 4.7 KB
Lịch sử Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122 
  1. <?xml version="1.0" encoding="UTF-8"?>
    2. 

  2. <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    3. 

  3.     <!-- You can add <suppress>...</suppress> entries in here. -->
    4. 

  4. 

  5.     <!-- Ignore CVE-2020-8908: Used by exoplayer, but vulnerable code (createTempDir)
    6. 

  6.     is not used. -->
    7. 

  7.     <suppress>
    8. 

  8.         <notes><![CDATA[
    9. 

  9.         file name: guava-27.1-android.jar
    10. 

  10.         ]]></notes>
    11. 

  11.         <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
    12. 

  12.         <cve>CVE-2020-8908</cve>
    13. 

  13.     </suppress>
    14. 

  14. 

  15.     <!-- Ignore CVE-2021-29425: Vulnerable code (FileNameUtils.normalize) not used. -->
    16. 

  16.     <suppress>
    17. 

  17.         <notes><![CDATA[
    18. 

  18.         file name: commons-io-2.6.jar
    19. 

  19.         ]]></notes>
    20. 

  20.         <packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl>
    21. 

  21.         <cve>CVE-2021-29425</cve>
    22. 

  22.     </suppress>
    23. 

  23. 

  24.     <!-- Ignore CVE-2018-20200: It requires hooking into the running application, CVE is disputed.
    25. 

  25.     https://github.com/square/okhttp/issues/4967 -->
    26. 

  26.     <suppress>
    27. 

  27.         <notes><![CDATA[
    28. 

  28.         file name: okhttp-3.12.0.jar
    29. 

  29.         ]]></notes>
    30. 

  30.         <packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp3/okhttp@.*$</packageUrl>
    31. 

  31.         <cve>CVE-2018-20200</cve>
    32. 

  32.     </suppress>
    33. 

  33. 

  34.     <!-- Ignore CVEs against netty <4.1.44, even though at the time of this writing, only 4.1.72+
    35. 

  35.     is being used. -->
    36. 

  36.     <suppress>
    37. 

  37.         <notes><![CDATA[
    38. 

  38.         file name: core-0.0.8-alpha08.jar
    39. 

  39.         ]]></notes>
    40. 

  40.         <packageUrl regex="true">^pkg:maven/com\.google\.testing\.platform/core@.*$</packageUrl>
    41. 

  41.         <cve>CVE-2019-20444</cve>
    42. 

  42.     </suppress>
    43. 

  43. 

  44.     <!-- Ignore CVE-2023-2976 against guava. Seems to affect only Android ICS as well as
    45. 

  45.     potentially developers' machines (which isn't really a realistic threat scenario here). -->
    46. 

  46.     <suppress>
    47. 

  47.         <notes><![CDATA[
    48. 

  48.         file name: guava-31.1-jre.jar
    49. 

  49.         ]]></notes>
    50. 

  50.         <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
    51. 

  51.         <cve>CVE-2023-2976</cve>
    52. 

  52.     </suppress>
    53. 

  53. 

  54.     <!-- Ignore CVE-2023-32697. The issue here is that RCE is possible through an SQLite JDBC URL.
    55. 

  55.     Since databases are hardcoded in the Android app, and JDBC URLs (or parts used in the URL)
    56. 

  56.     are not user-supplied, this shouldn't affect us. -->
    57. 

  57.     <suppress>
    58. 

  58.         <notes><![CDATA[
    59. 

  59.         file name: sqlite-jdbc-3.36.0.jar
    60. 

  60.         ]]></notes>
    61. 

  61.         <packageUrl regex="true">^pkg:maven/org\.xerial/sqlite\-jdbc@.*$</packageUrl>
    62. 

  62.         <cve>CVE-2023-32697</cve>
    63. 

  63.     </suppress>
    64. 

  64. 

  65.     <!-- Ignore wrong matches. -->
    66. 

  66.     <suppress>
    67. 

  67.         <packageUrl regex="true">^pkg:maven/org\.saltyrtc/saltyrtc\-task\-webrtc@.*$</packageUrl>
    68. 

  68.         <cpe>cpe:/a:webrtc_project:webrtc</cpe>
    69. 

  69.     </suppress>
    70. 

  70.     <suppress>
    71. 

  71.         <packageUrl regex="true">^pkg:maven/org\.saltyrtc/saltyrtc\-task\-webrtc@.*$</packageUrl>
    72. 

  72.         <cpe>cpe:/a:tasks:tasks</cpe>
    73. 

  73.     </suppress>
    74. 

  74.     <suppress>
    75. 

  75.         <packageUrl regex="true">^pkg:maven/com\.huawei\.hmf/tasks@.*$</packageUrl>
    76. 

  76.         <cpe>cpe:/a:tasks:tasks</cpe>
    77. 

  77.     </suppress>
    78. 

  78.     <suppress>
    79. 

  79.         <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib@.*$</packageUrl>
    80. 

  80.         <cpe>cpe:/a:jetbrains:kotlin</cpe>
    81. 

  81.     </suppress>
    82. 

  82.     <suppress>
    83. 

  83.         <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib\-common@.*$
    84. 

  84.         </packageUrl>
    85. 

  85.         <cpe>cpe:/a:jetbrains:kotlin</cpe>
    86. 

  86.     </suppress>
    87. 

  87.     <suppress>
    88. 

  88.         <packageUrl regex="true">^pkg:maven/com\.google\.devtools\.ksp/symbol\-processing\-api@.*$
    89. 

  89.         </packageUrl>
    90. 

  90.         <cpe>cpe:/a:processing:processing</cpe>
    91. 

  91.     </suppress>
    92. 

  92.     <suppress>
    93. 

  93.         <packageUrl regex="true">^pkg:maven/androidx\.room/room\-compiler\-processing@.*$
    94. 

  94.         </packageUrl>
    95. 

  95.         <cpe>cpe:/a:processing:processing</cpe>
    96. 

  96.     </suppress>
    97. 

  97.     <suppress>
    98. 

  98.         <notes><![CDATA[
    99. 

  99.    file name: core-0.0.8-alpha08.jar
    100. 

  100.    ]]></notes>
    101. 

  101.         <packageUrl regex="true">^pkg:maven/com\.google\.testing\.platform/core@.*$</packageUrl>
    102. 

  102.         <cpe>cpe:/a:netty:netty</cpe>
    103. 

  103.     </suppress>
    104. 

  104. 

  105.     <!-- Ignore CVE-2014-9152. The cve relates to drupal which is irrelevant for an android app -->
    106. 

  106.     <suppress>
    107. 

  107.         <notes><![CDATA[
    108. 

  108.    file name: storage-1.4.2.aar
    109. 

  109.    ]]></notes>
    110. 

  110.         <packageUrl regex="true">^pkg:maven/androidx\.test\.services/storage@.*$</packageUrl>
    111. 

  111.         <cpe>cpe:/a:services_project:services</cpe>
    112. 

  112.     </suppress>
    113. 

  113. 

  114.     <!-- Ignore CVE-2015-3362. The cve relates to drupal which is irrelevant for an android app -->
    115. 

  115.     <suppress>
    116. 

  116.         <notes><![CDATA[
    117. 

  117.    file name: camera-video-1.3.2.aar
    118. 

  118.    ]]></notes>
    119. 

  119.         <packageUrl regex="true">^pkg:maven/androidx\.camera/camera\-video@.*$</packageUrl>
    120. 

  120.         <cpe>cpe:/a:video_project:video</cpe>
    121. 

  121.     </suppress>
    122. 

  122. </suppressions>
    123.