From a243b613fbfc7083bb9cce71115ee59ca67a6471 Mon Sep 17 00:00:00 2001
From: Tara Drwenski <tdrwenski@ucar.edu>
Date: Thu, 27 Jun 2024 10:27:31 -0600
Subject: [PATCH] Suppress spurious/not applicable jfreechart CVEs

---
 .../dependency-check-suppression.xml          | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/project-files/owasp-dependency-check/dependency-check-suppression.xml b/project-files/owasp-dependency-check/dependency-check-suppression.xml
index 08eba890ff..a348059f9b 100644
--- a/project-files/owasp-dependency-check/dependency-check-suppression.xml
+++ b/project-files/owasp-dependency-check/dependency-check-suppression.xml
@@ -146,4 +146,52 @@
     <packageUrl regex="true">^pkg:maven/org\.quartz\-scheduler/quartz@.*$</packageUrl>
     <cve>CVE-2023-39017</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: thredds-5.5-SNAPSHOT.war: jfreechart-1.0.19.jar
+   reason: Disputed CVE and we do not use the vulnerable component (BubbleXYItemLabelGenerator.java)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
+    <vulnerabilityName>CVE-2024-23076</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: file name: tds-ui-5.5-SNAPSHOT.tar: jfreechart-1.0.19.jar
+   reason: Disputed CVE and we do not use the vulnerable component (BubbleXYItemLabelGenerator.java)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
+    <vulnerabilityName>CVE-2024-23076</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: thredds-5.5-SNAPSHOT.war: jfreechart-1.0.19.jar
+   reason: Disputed CVE and we do not use the vulnerable component (/chart/annotations/CategoryLineAnnotation)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
+    <vulnerabilityName>CVE-2024-22949</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: file name: tds-ui-5.5-SNAPSHOT.tar: jfreechart-1.0.19.jar
+   reason: Disputed CVE and we do not use the vulnerable component (/chart/annotations/CategoryLineAnnotation)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
+    <vulnerabilityName>CVE-2024-22949</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: thredds-5.5-SNAPSHOT.war: jfreechart-1.0.19.jar
+   reason: Disputed CVE and we do not use the vulnerable function (setSeriesNeedle)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
+    <vulnerabilityName>CVE-2023-52070</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: file name: tds-ui-5.5-SNAPSHOT.tar: jfreechart-1.0.19.jar
+   reason: Disputed CVE and we do not use the vulnerable function (setSeriesNeedle)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
+    <vulnerabilityName>CVE-2023-52070</vulnerabilityName>
+  </suppress>
 </suppressions>