From 5c791943ae09b94b67ea4dee4807f310ef1b3042 Mon Sep 17 00:00:00 2001
From: Oliver Bertuch
Date: Thu, 9 Feb 2023 17:28:05 +0100
Subject: [PATCH] chore(sec): add false positive suppression for stax2-api

The origin of CVE-2022-40152 is chaotic at best. It first popped up in https://github.com/x-stream/xstream/issues/304. There was a problem with Woodstox, which was resolved for version 6.4.0 in https://github.com/FasterXML/woodstox/issues/160. Now the CVE is reported on the *API* package, not the implementation. We're safe here and can suppress the CPE as false positive.
---
.github/workflows/maven-security.yml | 2 +-
owaspSuppression.xml | 11 +++++++++++
2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/maven-security.yml b/.github/workflows/maven-security.yml
index 9bb5e6ab..832dc2e0 100644
--- a/.github/workflows/maven-security.yml
+++ b/.github/workflows/maven-security.yml
@@ -26,7 +26,7 @@ jobs:
 key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
 restore-keys: ${{ runner.os }}-m2
 - name: Scan with OWASP
- run: mvn -B -Powasp compile dependency-check:check -pl '!report'
+ run: mvn -B -Powasp compile dependency-check:check -pl '!report,!xoai-data-provider-tck'
 - name: Upload scan results as SARIF report to GitHub Security Tab
 uses: github/codeql-action/upload-sarif@v2
 if: always() # do not skip this step if OWASP fails the mvn build
diff --git a/owaspSuppression.xml b/owaspSuppression.xml
index fbf9371b..c968ce79 100644
--- a/owaspSuppression.xml
+++ b/owaspSuppression.xml
@@ -1,3 +1,14 @@
+ + + + + pkg:maven/org.codehaus.woodstox/stax2-api@4.2.1 + CVE-2022-40152 +
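Review bot: The new `-pl '!report,!xoai-data-provider-tck'` on the `run:` line drops a second module from the dependency-check scan, but neither the commit message (which only explains the stax2-api suppression) nor the workflow records why. A reduction in scan scope is easy to lose track of, so the rationale belongs beside the step, e.g. `# xoai-data-provider-tck is excluded from dependency-check because: <reason>` on the line above `run:`. If the module is being excluded only to silence a specific finding, an entry in owaspSuppression.xml is the better tool, because it keeps that module's remaining dependencies under scan. The rest of the job definition lies outside the hunk.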
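Review bot: The rendering has stripped the XML tags from this hunk, so only the `pkg:maven/org.codehaus.woodstox/stax2-api@4.2.1` packageUrl and the `CVE-2022-40152` entry are legible, and I cannot tell whether the new suppress element carries a `<notes>` element. The reasoning in the commit message (fixed in Woodstox 6.4.0, CVE attributed to the API artifact rather than the implementation) is exactly what a later reader needs when the scanner flags this again, so it should be repeated inside `<notes>` together with the two issue links instead of living only in git history. Scoping the suppression to the exact packageUrl and CVE, rather than a CPE pattern, is the right choice: a future version bump stops the entry matching and forces a fresh look. The commit message speaks of suppressing "the CPE", which does not match the packageUrl form visible here; one of the two wordings should be aligned.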