From c9fe35854fd19b9b2d7e1ac550e64c482c33358c Mon Sep 17 00:00:00 2001 From: Hans Aikema Date: Thu, 2 Jun 2022 21:20:40 +0200 Subject: [PATCH 01/14] Merge two spring-security-rsa suppressions into one and add suppression for new spring-=security CPE; fixes #4562 --- .../dependencycheck-base-suppression.xml | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index d8e9633b4d3..5f82bf11080 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml @@ -915,11 +915,14 @@ - ^pkg:maven/org\.springframework\.security/spring\-security\-rsa@.*$ + Suppresses false positives per issue #1665, #3219, #4562. + ]]> + ^pkg:maven/org\.springframework\.security/spring-security-rsa.*$ cpe:/a:pivotal:spring_security_oauth cpe:/a:pivotal_software:spring_security + cpe:/a:vmware:spring_security + cpe:/a:vmware:springsource_spring_security + cpe:/a:security-framework_project:security-framework cpe:/a:vmware:springsource_spring_security cpe:/a:security-framework_project:security-framework - - - ^pkg:maven/org\.springframework\.security/spring-security-rsa.*$ - cpe:/a:pivotal_software:spring_security - cpe:/a:vmware:springsource_spring_security - cpe:/a:security-framework_project:security-framework - Date: Thu, 2 Jun 2022 21:36:10 +0200 Subject: [PATCH 02/14] Extend CPE list for spring-boot-starter-security; fixes #4563 --- core/src/main/resources/dependencycheck-base-suppression.xml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index 5f82bf11080..2a616c09e6c 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml 
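Review bot: The merged rule adopts the looser `spring-security-rsa.*$` pattern from the block being deleted instead of the `@`-anchored one it replaces, so it also matches any other artifact whose name merely begins with `spring-security-rsa`; unless that is intended, anchor it as `^pkg:maven/org\.springframework\.security/spring-security-rsa@.*$`. The hunk also adds `cpe:/a:vmware:springsource_spring_security` and `cpe:/a:security-framework_project:security-framework` right next to context lines that already list both, so the merged element appears to carry each CPE twice — harmless for matching, but worth removing if the file really ends up that way. The second hunk that drops the old block has lost its `@@` header in this rendering, so its line counts cannot be checked here.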
@@ -2918,10 +2918,12 @@ ^org\.springframework\.boot:spring-boot-starter-security:.*$ cpe:/a:pivotal_software:spring_security + cpe:/a:vmware:spring_security + cpe:/a:vmware:springsource_spring_security Date: Thu, 2 Jun 2022 23:11:51 +0200 Subject: [PATCH 03/14] Fix false CPE match for jakartaee-migration utility; fixes #4560 --- .../main/resources/dependencycheck-base-suppression.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index 2a616c09e6c..b03496d649d 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml @@ -5321,4 +5321,11 @@ ^pkg:maven/io\.swagger/.*$ cpe:/a:http-swagger_project:http-swagger + + + ^pkg:maven/org\.apache\.tomcat/jakartaee-migration@.*$ + cpe:/a:apache:tomcat + From 349809e5402d4fdd8979f061961135d9b6db5335 Mon Sep 17 00:00:00 2001 From: Hans Aikema Date: Mon, 6 Jun 2022 10:22:00 +0200 Subject: [PATCH 04/14] Suppress additional false CPEs identified in gradle plugin; fixes #4561 --- core/src/main/resources/dependencycheck-base-suppression.xml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index b03496d649d..a27bc82c2b3 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml 
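Review bot: The spring-boot-starter-security rule is still keyed on the Maven-coordinate form `^org\.springframework\.boot:spring-boot-starter-security:.*$` while patch 10 of this same series converts the spring-security-oauth2 rule to a package URL; for consistency, switch it to `^pkg:maven/org\.springframework\.boot/spring-boot-starter-security@.*$` in the same pass rather than leaving both spellings to maintain. Suppressing the two `spring_security` CPEs here is sound only because the starter carries no code and the transitive spring-security-* jars are identified on their own — that is presumably the reasoning, and it belongs in the rule's notes so nobody later copies this CPE list onto a real Spring Security artifact. The rest of the suppress element lies outside the hunk.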
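Review bot: The new jakartaee-migration rule suppresses `cpe:/a:apache:tomcat` by product, which silences every Tomcat-tagged advisory for that artifact, including any the Tomcat project might one day file against the migration tool itself. That is acceptable only because the tool is versioned independently of Tomcat (its 0.x/1.x line against Tomcat 8–10, as far as I know), so version-ranged Tomcat CVEs cannot apply; the notes element, not visible in this rendering, should state that. If #4560 was driven by specific CVEs, a `<cve>`-scoped suppression would keep future true positives visible.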
@@ -599,11 +599,14 @@ ^pkg:maven/org\.springframework\.boot/spring\-boot\-starter\-oauth2\-client@.*$ cpe:/a:pivotal:spring_security_oauth cpe:/a:pivotal:spring_security + cpe:/a:pivotal_software:spring_security_oauth + cpe:/a:pivotal_software:spring_security + cpe:/a:vmware:spring_security Date: Mon, 6 Jun 2022 14:36:56 +0200 Subject: [PATCH 05/14] Suppress FP CPE-match for NPM archiver package; fixes #4554 --- .../main/resources/dependencycheck-base-suppression.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index a27bc82c2b3..05cc9e73d3b 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml @@ -5331,4 +5331,11 @@ ^pkg:maven/org\.apache\.tomcat/jakartaee-migration@.*$ cpe:/a:apache:tomcat + + + ^pkg:npm/archiver@.*$ + cpe:/a:archiver_project:archiver + From a4e91d34a63c57cc65d65aa8349606b92d9bc907 Mon Sep 17 00:00:00 2001 From: Hans Aikema Date: Mon, 6 Jun 2022 14:55:41 +0200 Subject: [PATCH 06/14] Extend suppression rule for false CPE google:gson to also cover google-api-client-gson; fixes 4551 --- core/src/main/resources/dependencycheck-base-suppression.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index 05cc9e73d3b..eded9c785f0 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml @@ -5246,9 +5246,9 @@ - ^pkg:maven/com\.google\.http-client/google-http-client-gson@.*$ + ^pkg:maven/com\.google\.(?!code\.gson).*/.*gson.*$ cpe:/a:google:gson From 4ec4f55228a1df2031aebf3585b63f9ecd989c37 Mon Sep 17 00:00:00 2001 
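Review bot: The starter-oauth2-client rule gains `cpe:/a:pivotal_software:spring_security_oauth` and the vmware spelling of `spring_security`, but not `cpe:/a:vmware:spring_security_oauth`, even though `pivotal:spring_security_oauth` is already listed above it; if the vendor rename that motivates `vmware:spring_security` also applies to the OAuth product, this rule regresses as soon as NVD re-tags those entries. Adding `cpe:/a:vmware:spring_security_oauth` alongside the other three keeps the list symmetrical. The closing lines of this suppress element lie outside the hunk.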
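Review bot: The npm `archiver` rule ties `cpe:/a:archiver_project:archiver` to `^pkg:npm/archiver@.*$` only, but if — as the issue presumably shows — that CPE denotes a different project that merely shares the name (I believe the Go archiver library), the technology-mismatch rule later in this file already covers `package.json` and lists other Go-only products (`docker:docker`, `storage_project:storage`) for exactly this reason. Adding the CPE to that numbered list instead would record the rationale in one place and also cover Java/.NET consumers that trip the same name match; keep a dedicated npm rule only if the CPE is not a technology mismatch. The notes element is not visible in this rendering, so the justification could not be checked here.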
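Review bot: The widened pattern `^pkg:maven/com\.google\.(?!code\.gson).*/.*gson.*$` suppresses `cpe:/a:google:gson` for every com.google.* artifact whose name merely contains `gson`, not just the two adapters the commit is about; an artifact in some other com.google group that shades or bundles Gson would then lose the real Gson advisories (CVE-2022-25647 is the one commonly reported against it). Since the commit names the two known false positives, enumerate them instead of `.*gson.*`: `^pkg:maven/com\.google\.(http-client/google-http-client-gson|api-client/google-api-client-gson)@.*$` (verify the api-client group id). Note also that `.*` in the original matches `/`, so the lookahead excludes only the literal `com.google.code.gson` prefix and nothing else.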
From: Hans Aikema Date: Mon, 6 Jun 2022 21:08:05 +0200 Subject: [PATCH 07/14] Suppress false CPE-match; fixes #4540 --- .../main/resources/dependencycheck-base-suppression.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index eded9c785f0..ed3390c570c 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml @@ -5338,4 +5338,11 @@ ^pkg:npm/archiver@.*$ cpe:/a:archiver_project:archiver + + + ^pkg:maven/tyrex/tyrex@.*$ + cpe:/a:sun:j2ee + From af654f2e8965c176fa1abf6bcb3edf4c53cef57c Mon Sep 17 00:00:00 2001 From: Hans Aikema Date: Mon, 6 Jun 2022 21:24:13 +0200 Subject: [PATCH 08/14] Suppress FP CPE match for brave-propagation-aws; fixes #4524 --- .../main/resources/dependencycheck-base-suppression.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index ed3390c570c..1a043ebb3a8 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml @@ -5345,4 +5345,11 @@ ^pkg:maven/tyrex/tyrex@.*$ cpe:/a:sun:j2ee + + + ^pkg:maven/io\.zipkin\.aws/brave-propagation-aws@.*$ + cpe:/a:brave:brave + From 2167e2da357406f2b843757541f86237674e3192 Mon Sep 17 00:00:00 2001 From: Hans Aikema Date: Wed, 8 Jun 2022 13:04:14 +0200 Subject: [PATCH 09/14] Suppress false CPE matches for spring-security-saml extension project Fixes #4576 --- .../main/resources/dependencycheck-base-suppression.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index 1a043ebb3a8..6dfeb8c6c62 100644 
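Review bot: The new rule binds the `cpe:/a:brave:brave` suppression to `io\.zipkin\.aws/brave-propagation-aws` only, yet the match is on the word `brave`, which every Zipkin Brave artifact (`io.zipkin.brave/brave-*`) shares; unless an earlier rule not shown here already covers that group, the same false positive will be re-reported one artifact at a time. A pattern such as `^pkg:maven/io\.zipkin\.(brave|aws)/brave.*$` covers the family in one rule. The CPE presumably refers to the Brave browser, which is worth saying in the notes so the mismatch is obvious to the next reader.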
--- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml @@ -5352,4 +5352,12 @@ ^pkg:maven/io\.zipkin\.aws/brave-propagation-aws@.*$ cpe:/a:brave:brave + + + ^pkg:maven/org\.springframework\.security\.extensions/spring-security-saml2-core@.*$ + cpe:/a:saml_project:saml + cpe:/a:vmware:spring_security + From 629bf74138d9323e66633d6b4f6955a91275749c Mon Sep 17 00:00:00 2001 From: Hans Aikema Date: Wed, 8 Jun 2022 13:20:16 +0200 Subject: [PATCH 10/14] Extend suppressed CPEs for spring-security-oauth2 library Fixes #4577 --- core/src/main/resources/dependencycheck-base-suppression.xml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index 6dfeb8c6c62..4f6ac327b90 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml @@ -975,10 +975,11 @@ - ^org\.springframework\.security\.oauth:spring-security-oauth2:.*$ + ^pkg:maven/org\.springframework\.security\.oauth/spring-security-oauth2@.*$ cpe:/a:pivotal_software:spring_security + cpe:/a:vmware:spring_security Date: Wed, 8 Jun 2022 14:01:59 +0200 Subject: [PATCH 11/14] Suppress false CPE match for quarkus-micrometer-registry-prometheus Fixes #4205 --- .../main/resources/dependencycheck-base-suppression.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index 4f6ac327b90..6c3a57a8b87 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml 
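Review bot: Suppressing `cpe:/a:vmware:spring_security` outright for spring-security-saml2-core means an advisory that NVD files under the Spring Security product but that actually concerns the SAML extension would never surface for this artifact. The extension is a separate project with its own 1.x/2.0.0.Mx version line (and reportedly retired), so the version-based matches in #4576 are genuine false positives today, but the notes should say that, and a `<cve>`-scoped suppression would keep future spring_security-tagged findings visible if the match was driven by specific CVEs. The same caveat applies to `cpe:/a:saml_project:saml`, which presumably names an unrelated SAML library.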
@@ -5361,4 +5361,11 @@ cpe:/a:saml_project:saml cpe:/a:vmware:spring_security + + + ^pkg:maven/io\.quarkus/quarkus-micrometer-registry-prometheus@.*$ + cpe:/a:prometheus:prometheus + From 3d985ef17d2c8116454588cc1560a2c69301c7d7 Mon Sep 17 00:00:00 2001 From: Hans Aikema Date: Wed, 8 Jun 2022 14:25:01 +0200 Subject: [PATCH 12/14] Suppress rabbitMQ CPE by technology mismatch, RabbitMQ is in Erlang Fixes #4178 --- core/src/main/resources/dependencycheck-base-suppression.xml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index 6c3a57a8b87..3013893294a 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml @@ -683,6 +683,7 @@ 59. docker:docker is a go implementation #4025 60. travis-ci:travis_ci is ci server software build in ruby/shell/go #4025 61. cpe:/a:storage_project:storage is software build in go (the github.com/containers/storage project) #4436 + 62. cpe:/a:pivotal_software:rabbitmq is software build in Erlang #4178 ]]> .*(\.(dll|jar|ear|war|pom|nupkg|nuspec|aar)|pom\.xml|package.json|packages.config)$ cpe:/a:sandbox:sandbox @@ -746,6 +747,7 @@ cpe:/a:docker:docker cpe:/a:travis-ci:travis_ci cpe:/a:storage_project:storage + cpe:/a:pivotal_software:rabbitmq Date: Wed, 8 Jun 2022 17:46:49 +0200 Subject: [PATCH 13/14] Suppress FP CPE match for activemq-artemis-native Fixes #3888 --- .../main/resources/dependencycheck-base-suppression.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index 3013893294a..8e53a252b1c 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml 
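Review bot: The Quarkus rule suppresses `cpe:/a:prometheus:prometheus` for a single artifact, but the match comes from the `prometheus` token in the name, which the upstream `io.micrometer/micrometer-registry-prometheus` and Quarkus' own sibling modules (a `-deployment` artifact, if I recall correctly) carry too; unless a rule above already covers them, the fix will keep returning per artifact. Since that CPE is the Prometheus server, written in Go, the cleaner home is the technology-mismatch list in this file, which already holds other Go-only products and covers every `.jar` at once — provided the Java Prometheus client is identified under a different CPE, which should be checked before moving it.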
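Review bot: Adding `cpe:/a:pivotal_software:rabbitmq` to the technology-mismatch rule suppresses it for every `.jar` and `.nupkg`, yet the same vendor ships the RabbitMQ Java and .NET clients; the Erlang argument holds for the broker, but if NVD tags a client advisory under the broker's CPE this rule will hide it. The list entry should record that the clients were checked to have their own CPE, e.g. `62. cpe:/a:pivotal_software:rabbitmq is the broker, written in Erlang; the Java/.NET clients are identified separately #4178`, assuming that is what #4178 established. Both hunks of this change are in the file's shared technology-mismatch element, whose other lines are outside the view.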
@@ -5370,4 +5370,12 @@ ^pkg:maven/io\.quarkus/quarkus-micrometer-registry-prometheus@.*$ cpe:/a:prometheus:prometheus + + + ^pkg:maven/org\.apache\.activemq/activemq\-artemis\-native@.*$ + cpe:/a:apache:activemq + cpe:/a:apache:activemq_artemis + From 9ea003e6214ea139b95aa2104412ddc22b641fb7 Mon Sep 17 00:00:00 2001 From: Hans Aikema Date: Wed, 8 Jun 2022 18:15:18 +0200 Subject: [PATCH 14/14] Suppress false CPE match for spring-ws library Fixes #3811 --- .../main/resources/dependencycheck-base-suppression.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index 8e53a252b1c..274625b1707 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml @@ -5378,4 +5378,12 @@ cpe:/a:apache:activemq cpe:/a:apache:activemq_artemis + + + ^pkg:maven/org\.springframework\.ws/spring\-ws\-security@.*$ + cpe:/a:vmware:spring_security + cpe:/a:pivotal_software:spring_security +
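Review bot: The pattern `^pkg:maven/org\.apache\.activemq/activemq\-artemis\-native@.*$` escapes hyphens that need no escaping outside a character class, unlike the `brave-propagation-aws` and `quarkus-micrometer-registry-prometheus` rules added in the same series; write it as `activemq-artemis-native` for readability. More substantively, activemq-artemis-native is built and released by the Artemis project, so suppressing `cpe:/a:apache:activemq_artemis` by product silences any future advisory filed against the native layer under that CPE; if #3888 was about broker CVEs matched through the native artifact's separate version line (1.x/2.0.x), the notes should say so, and a `<cve>`-scoped suppression would be the safer form.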