Suppress spurious/not applicable jfreechart CVEs

Unidata · Jun 27, 2024 · a243b61 · a243b61
1 parent 3a8008e
commit a243b61
Showing 1 changed file with 48 additions and 0 deletions.
diff --git a/project-files/owasp-dependency-check/dependency-check-suppression.xml b/project-files/owasp-dependency-check/dependency-check-suppression.xml
@@ -146,4 +146,52 @@
     <packageUrl regex="true">^pkg:maven/org\.quartz\-scheduler/quartz@.*$</packageUrl>
     <cve>CVE-2023-39017</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: thredds-5.5-SNAPSHOT.war: jfreechart-1.0.19.jar
+   reason: Disputed CVE and we do not use the vulnerable component (BubbleXYItemLabelGenerator.java)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
+    <vulnerabilityName>CVE-2024-23076</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: file name: tds-ui-5.5-SNAPSHOT.tar: jfreechart-1.0.19.jar
+   reason: Disputed CVE and we do not use the vulnerable component (BubbleXYItemLabelGenerator.java)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
+    <vulnerabilityName>CVE-2024-23076</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: thredds-5.5-SNAPSHOT.war: jfreechart-1.0.19.jar
+   reason: Disputed CVE and we do not use the vulnerable component (/chart/annotations/CategoryLineAnnotation)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
+    <vulnerabilityName>CVE-2024-22949</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: file name: tds-ui-5.5-SNAPSHOT.tar: jfreechart-1.0.19.jar
+   reason: Disputed CVE and we do not use the vulnerable component (/chart/annotations/CategoryLineAnnotation)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
+    <vulnerabilityName>CVE-2024-22949</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: thredds-5.5-SNAPSHOT.war: jfreechart-1.0.19.jar
+   reason: Disputed CVE and we do not use the vulnerable function (setSeriesNeedle)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
+    <vulnerabilityName>CVE-2023-52070</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: file name: tds-ui-5.5-SNAPSHOT.tar: jfreechart-1.0.19.jar
+   reason: Disputed CVE and we do not use the vulnerable function (setSeriesNeedle)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
+    <vulnerabilityName>CVE-2023-52070</vulnerabilityName>
+  </suppress>
 </suppressions>