Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $
You can buy this project and download/modify it how often you want.
endency-check-core.10.0.1.source-code.dependencycheck-base-suppression.xml Maven / Gradle / Ivy
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress base="true">
<notes><![CDATA[
obvious fp - currently not returning any CVEs
]]></notes>
<packageUrl regex="true">^pkg:maven/commons\-cli/commons\-cli@.*$</packageUrl>
<cpe>cpe:/a:spirit-project:spirit</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
obvious fp - currently not returning any CVEs
]]></notes>
<packageUrl regex="true">^pkg:maven/javax\.xml\.bind/jaxb\-api@.*$</packageUrl>
<cpe>cpe:/a:oracle:java_se</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
obvious fp - currently not returning any CVEs
]]></notes>
<packageUrl regex="true">^pkg:maven/joda\-time/joda\-time@.*$</packageUrl>
<cpe>cpe:/a:time_project:time</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
obvious fp - currently not returning any CVEs
]]></notes>
<packageUrl regex="true">^pkg:maven/javax\.ws\.rs/javax\.ws\.rs\-api@.*$</packageUrl>
<cpe>cpe:/a:oracle:web_services</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
obvious fp - currently not returning any CVEs
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.sonatype\.ossindex/ossindex\-service\-api@.*$</packageUrl>
<cpe>cpe:/a:service_project:service</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4199
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.sonarsource\.scanner\.gradle/sonarqube-gradle-plugin@.*$</packageUrl>
<cpe>cpe:/a:sonarsource:sonarqube</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
fp per #3938
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus\-fs\-util@.*$</packageUrl>
<cpe>cpe:/a:quarkus:quarkus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
fp per #3940
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.james/apache\-mime4j\-storage@.*$</packageUrl>
<cpe>cpe:/a:storage_project:storage</cpe>
<cpe>cpe:/a:apache:james</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
fp per #3945 & #3943
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus\-hibernate\-orm.*$</packageUrl>
<cpe>cpe:/a:hibernate:hibernate_orm</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
fp per #4097
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus\-hibernate\-validator@.*$</packageUrl>
<cpe>cpe:/a:redhat:hibernate_validator</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
only log4j-core is vulnerable
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j\-slf4j\-impl@.*$</packageUrl>
<cpe>cpe:/a:apache:log4j</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
only log4j-core is vulnerable
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j\-(api|web)@.*$</packageUrl>
<cve>CVE-2021-44228</cve>
<cve>CVE-2021-44832</cve>
<cve>CVE-2021-45046</cve>
<cve>CVE-2021-45105</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3778
]]></notes>
<packageUrl regex="true">.*unicode.*$</packageUrl>
<cpe>cpe:/a:unicode:unicode</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3131
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.typesafe\.akka/akka\-stream\-contrib_2\.13@.*$</packageUrl>
<cpe>cpe:/a:akka:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3652
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.zalando/spring\-boot\-etcd@.*$</packageUrl>
<cpe>cpe:/a:etcd:etcd</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3678
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.salesforce\.servicelibs/reactive\-grpc.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3685
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.geronimo\.config/geronimo\-config\-impl@.*$</packageUrl>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3749
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.reactivex/rxjava@.*$</packageUrl>
<cpe>cpe:/a:travis-ci:travis_ci</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3776
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.seleniumhq\.selenium/selenium\-chromium\-driver@.*$</packageUrl>
<cpe>cpe:/a:chromium:chromium</cpe>
<cpe>cpe:/a:chromium_project:chromium</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3756
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.geronimo\.specs/geronimo\-ws\-metadata_2\.0_spec@.*$</packageUrl>
<cpe>cpe:/a:tad_web_project:tad_web</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3572
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.spark\-project\.spark/unused@.*$</packageUrl>
<cpe>cpe:/a:apache:spark</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3572
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.directory\.server/apacheds\-i18n@.*$</packageUrl>
<cpe>cpe:/a:i18n_project:i18n</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
swift-log is not swift...
]]></notes>
<packageUrl regex="true">^pkg:swift/swift\-log@.*$</packageUrl>
<cpe>cpe:/a:apple:swift</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP in jetty as jetty-jakarta-servlet-api is identified as a low version jetty
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-jakarta\-servlet\-api@.*$</packageUrl>
<cpe>cpe:/a:eclipse:jetty</cpe>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3331
]]></notes>
<packageUrl regex="true">^pkg:npm/%40babel%2Fcli@.*$</packageUrl>
<cve>CVE-2017-16060</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
nio-stream-storage is not 'github.com/containers/storage'. see #3273
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.synchronoss\.cloud/nio\-stream\-storage@.*$</packageUrl>
<cpe>cpe:/a:storage_project:storage</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3241
]]></notes>
<gav regex="true">^io\.awspring\.cloud:spring-cloud-.*$</gav>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
<cpe>cpe:/a:context_project:context</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3230
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.github\.x\-stream/mxparser@.*$</packageUrl>
<cpe>cpe:/a:xstream_project:xstream</cpe>
<cpe>cpe:/a:oracle:jdk</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3073
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.pivotal\.cfenv/java\-cfenv\-boot\-pivotal\-scs@.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_boot</cpe>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3053
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.seleniumhq\.selenium/selenium\-opera\-driver@.*$</packageUrl>
<cpe>cpe:/a:opera:opera</cpe>
<cpe>cpe:/a:opera_software:opera</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3000
]]></notes>
<packageUrl regex="true">^pkg:(generic|nuget)/(ProcessSnapshotCleanup|QTAgent.{0,10}|QTDCAgent|QTDCAgent32|TDEnvCleanup|UiaComWrapper|VSTestVideoRecorder|VisualStudioDatastoreConfigurationProvider|msdia140typelib_clr0200)@.*$</packageUrl>
<cpe>cpe:/a:microsoft:visual_studio</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3000
]]></notes>
<packageUrl regex="true">^pkg:(generic|nuget)/(Microsoft\.)?(IntelliTrace|TestPlatform|VisualStudio\.).*$</packageUrl>
<cpe>cpe:/a:microsoft:visual_studio</cpe>
<cpe>cpe:/a:microsoft:ie</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3000
]]></notes>
<filePath regex="true">.*\.TestTools\..*\.dll</filePath>
<cpe>cpe:/a:microsoft:visual_studio</cpe>
<cpe>cpe:/a:microsoft:ie</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3000
]]></notes>
<packageUrl regex="true">^pkg:(generic|nuget)/Microsoft\.Dia.*$</packageUrl>
<cpe>cpe:/a:dia:dia</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3021
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.helidon\.microprofile\.server/helidon\-microprofile\-server@.*$</packageUrl>
<cpe>cpe:/a:oracle:http_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3015 & #3016
]]></notes>
<packageUrl regex="true">^pkg:maven/co\.elastic\.apm/apm\-.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
<cpe>cpe:/a:apache:httpclient</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3005
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.apis/google\-api\-services\-sqladmin@.*$</packageUrl>
<cpe>cpe:/a:www-sql_project:www-sql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3005
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.cloud\.sql/jdbc\-socket\-factory\-core@.*$</packageUrl>
<cpe>cpe:/a:www-sql_project:www-sql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3004
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.r2dbc/r2dbc\-postgresql@.*$</packageUrl>
<cpe>cpe:/a:postgresql:postgresql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4160
]]></notes>
<packageUrl regex="true">^pkg:maven/.*vertx-pg-client@.*$</packageUrl>
<cpe>cpe:/a:postgresql:postgresql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3002
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opencensus/opencensus\-contrib\-grpc\-metrics@.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3002, CVE is for grpc-js and c
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*$</packageUrl>
<cve>CVE-2020-7768</cve>
<cve>CVE-2017-7861</cve>
<cve>CVE-2017-8359</cve>
<cve>CVE-2017-9431</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3002, CVE is for grpc-js and c
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-common\-protos@.*$</packageUrl>
<cve>CVE-2020-7768</cve>
<cve>CVE-2017-7861</cve>
<cve>CVE-2017-8359</cve>
<cve>CVE-2017-9431</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3002, CVE is for grpc-js
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.lightstep\.tracer/.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3001
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.http\-client/google\-http\-client@.*$</packageUrl>
<cpe>cpe:/a:apache:httpclient</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2999
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.github\.jhipster/jhipster\-framework@.*$</packageUrl>
<cve>CVE-2019-16303</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2982
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mybatis/mybatis\-spring@.*$</packageUrl>
<cpe>cpe:/a:mybatis:mybatis</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2978
]]></notes>
<packageUrl regex="true">^pkg:(generic|nuget)/Microsoft\.IdentityModel\.Protocols\.OpenIdConnect@.*$</packageUrl>
<cpe>cpe:/a:microsoft:identitymodel</cpe>
<cpe>cpe:/a:openid:openid</cpe>
<cpe>cpe:/a:openid:openid_connect</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2972
]]></notes>
<packageUrl regex="true">^pkg:composer/php\-.*$</packageUrl>
<cpe>cpe:/a:php:php</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2957
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy/resteasy\-spring\-boot\-starter@.*$</packageUrl>
<cpe>cpe:/a:redhat:resteasy</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2956
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.github\.docker\-java/docker\-java.*$</packageUrl>
<cpe>cpe:/a:docker:docker</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2940
]]></notes>
<packageUrl regex="true">^pkg:npm/cross\-env@.*$</packageUrl>
<cpe>cpe:/a:crossenv_project:crossenv</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2955
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.micrometer/micrometer\-core@.*$</packageUrl>
<cpe>cpe:/a:vmware:ace</cpe>
<cpe>cpe:/a:vmware:vmware_ace</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2594
]]></notes>
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/.*$</packageUrl>
<cpe>cpe:/a:logback:logback</cpe>
<cpe>cpe:/a:qos:logback</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2395
]]></notes>
<packageUrl regex="true">^pkg:maven/be\.sysa\.log\-sanitizer/log\-sanitizer\-logback@.*$</packageUrl>
<cpe>cpe:/a:logback:logback</cpe>
<cpe>cpe:/a:qos:logback</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2928
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm.*$</packageUrl>
<cpe>cpe:/a:oracle:openjdk</cpe>
<cpe>cpe:/a:sun:openjdk</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2928
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm\..*$</packageUrl>
<cpe>cpe:/a:oracle:graalvm</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2928
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm/graal\-sdk@.*$</packageUrl>
<cpe>cpe:/a:oracle:graalvm</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2928
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm/launcher\-common@.*$</packageUrl>
<cpe>cpe:/a:oracle:graalvm</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2928
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm/polyglot\-tck@.*$</packageUrl>
<cpe>cpe:/a:oracle:graalvm</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2923
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.netbeans\.external/.*$</packageUrl>
<cpe>cpe:/a:apache:netbeans</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2975
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.itextpdf\.tool/xfa\-.*$</packageUrl>
<cpe>cpe:/a:itextpdf:itext</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2974
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.itextpdf/xfa\-.*$</packageUrl>
<cpe>cpe:/a:itextpdf:itext</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2433
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.itextpdf/typography@.*$</packageUrl>
<cpe>cpe:/a:itextpdf:itext</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2433
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.itextpdf/itext\-licensekey\-volume@.*$</packageUrl>
<cpe>cpe:/a:itextpdf:itext</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2453
TODO - there are likely several other testcontainer suppressions that should be added
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.testcontainers/postgresql@.*$</packageUrl>
<cpe>cpe:/a:postgresql:postgresql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2464 Java implementation of a C# lib - CPE is for the C# version
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.msgpack/msgpack@.*$</packageUrl>
<cpe>cpe:/a:messagepack:messagepack</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2489
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.dropwizard\.logback/logback\-throttling\-appender@.*$</packageUrl>
<cpe>cpe:/a:logback:logback</cpe>
<cpe>cpe:/a:qos:logback</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives for Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll.
]]></notes>
<filePath regex="true">.*Microsoft\.VisualStudio\.QualityTools\.UnitTestFramework*\.dll</filePath>
<cve>CVE-2014-3802</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives for EntityFramework.SqlServer.dll.
]]></notes>
<filePath regex="true">.*EntityFramework\.SqlServer*\.dll</filePath>
<cpe>cpe:/a:microsoft:server:6.0.0.0</cpe>
<cpe>cpe:/a:microsoft:sql_server:6.0</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2242
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.bouncycastle.*$</packageUrl>
<cpe>cpe:/a:oracle:jdk</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2247 CVE candidate was withdrawn by the CNA
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.owasp\.antisamy/antisamy@.*$</packageUrl>
<vulnerabilityName>CVE-2018-1000643</vulnerabilityName>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on spring security.
]]></notes>
<filePath regex="true">.*spring-security-[^\\/]*\.jar$</filePath>
<cpe>cpe:/a:mod_security:mod_security</cpe>
<cpe>cpe:/a:springsource:spring_framework</cpe>
<cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
<cpe>cpe:/a:pivotal:spring_framework</cpe>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppreses additional false positives for the xstream library that occur because spring has a copy of this library.
com.springsource.com.thoughtworks.xstream-1.3.1.jar
]]></notes>
<gav regex="true">com\.thoughtworks\.xstream:xstream:.*</gav>
<cpe>cpe:/a:springsource:spring_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on velocity tools.
]]></notes>
<gav regex="true">org\.apache\.velocity:velocity-tools:.*</gav>
<cpe>cpe:/a:apache:struts</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
1. Sandbox is a php blog platform and should not be flagged as a CPE for java or .net dependencies.
2. Open media is php and won't be in a jar, dll, etc. See issue #814.
3. / 4. file and file_project are not assembiles or java libraries
5. / 6. Shim is *nix and is not an assembly or java lib.
7. date_project is a drupal library
8. net dns is a php module
9. / 10. Even if a node.js package exists - we aren't flagging the entire node.js
11. Context project is drupal plugin
12. mail_project is ruby library
13. ldap_project is part of type3 written in php
14. user import project is used in drupal (i.e. php)
15. root is a c++ project https://github.com/root-project/root/
16. xml_sec is a C library for XML security
17. rest easy project is ruby library
18. hub_project is a ruby library (#1130)
19. views_project is a drupal plugin (#1077)
20. restful_web_services_project:restful_web_services is a drupal plugin (#1077)
21. php (the language) is not a Java/.NET/NodeJS library
22. font_project is a php library (#1166)
23. amazon_aws_project is a drupal utility (#1290)
24. google android should not be flagged for the base library
25. first_project first is an Ethereum smart contract (#1588)
26. interact is a php project (#1609)
27. finder is drupal plugin (#1626)
28. archiver project is a golang module (#1627)
29. r_project is the r programming language
30. cpe:/a:jwt_project:jwt is a php library (#1697)
31. remove FP on git
32. remove FP on git
33. remove FP on git
34. Suppresses false positives on .NET mono
35. Suppresses false positives on .NET mono
36. Suppresses false positives on .NET mono
37. app_project is an electron project. #1549
38. <cpe>cpe:/a:json-jwt_project:json-jwt</cpe> is a ruby lib #1791
39. <cpe>cpe:/a:zip_project:zip</cpe> is an etherium related project #1788
40. <cpe>cpe:/a:echo_project:echo</cpe> is a php media wiki project #1786
41. <cpe>cpe:/a:util-linux_project:util-linux</cpe> c util on linux #2069
42. <cpe>cpe:/a:bitmap_project:bitmap</cpe> is a C library #1961
43. <cpe>cpe:/a:security-framework_project:security-framework</cpe> is a rust library
44. <cpe>cpe:/a:next:next</cpe> is NeXT system.
45. <cpe>cpe:/a:property_pro:property_pro</cpe> is classic ASP
46. <cve>CVE-2020-10663</cve> is a ruby vulnerability
47. Facebook is not a dependency
48. gitlab is not a depenency #2567 and is built using ruby
49. DeleGate is a C-language application #2435
50. thread_project - etherium token (https://nvd.nist.gov/vuln/detail/CVE-2018-13752) #1718
51. data_tools is a python library #1667
52. tag project is a GO implemention #3047 & #3043
53. kubernetes:kubernetes is a GO implementation #1035 & #1056 & #1880 & #3529 & #3530 &
54. aaugustin websockets is a python library #3460
55. cron_project:cron is a linux C application #3548
56. html2pdf_project:html2pdf is a PHP framework #4021, #4251
57. shadow_project:shadow is a suite of C-applications on Linux #4237
58. Common Desktop Environment is an X11 GUI environment coded in C for Unix #4346 , #4347, #4348
59. docker:docker is a go implementation #4025
60. travis-ci:travis_ci is ci server software build in ruby/shell/go #4025
61. cpe:/a:storage_project:storage is software build in go (the github.com/containers/storage project) #4436
62. cpe:/a:pivotal_software:rabbitmq is software build in Erlang #4178
63. cpe:/a:saml_project:saml is a SAML implementation in Go #5167
64. cpe:/a:yaml_project:yaml is a YAML implementation in Go #5233 and #5234
]]></notes>
<filePath regex="true">.*(\.(dll|jar|ear|war|pom|nupkg|nuspec|aar)|pom\.xml|package.json|packages.config)$</filePath>
<cpe>cpe:/a:sandbox:sandbox</cpe>
<cpe>cpe:/a:openmedia:openmedia</cpe>
<cpe>cpe:/a:file_project:file</cpe>
<cpe>cpe:/a:file:file</cpe>
<cpe>cpe:/a:shim:shim</cpe>
<cpe>cpe:/a:shim_project:shim</cpe>
<cpe>cpe:/a:date_project:date</cpe>
<cpe>cpe:/a:net_dns:net_dns</cpe>
<cpe>cpe:/a:nodejs:node.js</cpe>
<cpe>cpe:/a:nodejs:nodejs</cpe>
<cpe>cpe:/a:context_project:context</cpe>
<cpe>cpe:/a:mail_project:mail</cpe>
<cpe>cpe:/a:ldap_project:ldap</cpe>
<cpe>cpe:/a:user_import_project:user_import</cpe>
<cpe>cpe:/a:root:root</cpe>
<cpe>cpe:/a:xmlsec_project:xmlsec</cpe>
<cpe>cpe:/a:rest-client_project:rest-client</cpe>
<cpe>cpe:/a:hub_project:hub</cpe>
<cpe>cpe:/a:views_project:views</cpe>
<cpe>cpe:/a:restful_web_services_project:restful_web_services</cpe>
<cpe>cpe:/a:php:php</cpe>
<cpe>cpe:/a:font_project:font</cpe>
<cpe>cpe:/a:amazon_aws_project:amazon_aws</cpe>
<cpe>cpe:/a:google:android</cpe>
<cpe>cpe:/a:first_project:first</cpe>
<cpe>cpe:/a:interact:interact</cpe>
<cpe>cpe:/a:finder_project:finder</cpe>
<cpe>cpe:/a:archiver_project:archiver</cpe>
<cpe>cpe:/a:r_project:r</cpe>
<cpe>cpe:/a:jwt_project:jwt</cpe>
<cpe>cpe:/a:git_project:git</cpe>
<cpe>cpe:/a:git:git</cpe>
<cpe>cpe:/a:git_for_windows_project:git_for_windows</cpe>
<cpe>cpe:/a:mono-project:mono</cpe>
<cpe>cpe:/a:mono:mono</cpe>
<cpe>cpe:/a:mono_project:mono</cpe>
<cpe>cpe:/a:app_project:app</cpe>
<cpe>cpe:/a:json-jwt_project:json-jwt</cpe>
<cpe>cpe:/a:zip_project:zip</cpe>
<cpe>cpe:/a:echo_project:echo</cpe>
<cpe>cpe:/a:util-linux_project:util-linux</cpe>
<cpe>cpe:/a:bitmap_project:bitmap</cpe>
<cpe>cpe:/a:security-framework_project:security-framework</cpe>
<cpe>cpe:/a:next:next</cpe>
<cpe>cpe:/a:property_pro:property_pro</cpe>
<cve>CVE-2020-10663</cve>
<cpe>cpe:/a:facebook:facebook</cpe>
<cpe>cpe:/a:gitlab:gitlab</cpe>
<cpe>cpe:/a:delegate:delegate</cpe>
<cpe>cpe:/a:thread_project:thread</cpe>
<cpe>cpe:/a:data_tools_project:data_tools</cpe>
<cpe>cpe:/a:tag_project:tag</cpe>
<cpe>cpe:/a:kubernetes:kubernetes</cpe>
<cpe>cpe:/a:websockets_project:websockets</cpe>
<cpe>cpe:/a:cron_project:cron</cpe>
<cpe>cpe:/a:html2pdf_project:html2pdf</cpe>
<cpe>cpe:/a:shadow_project:shadow</cpe>
<cpe>cpe:/a:cde:cde</cpe>
<cpe>cpe:/a:docker:docker</cpe>
<cpe>cpe:/a:travis-ci:travis_ci</cpe>
<cpe>cpe:/a:storage_project:storage</cpe>
<cpe>cpe:/a:pivotal_software:rabbitmq</cpe>
<cpe>cpe:/a:saml_project:saml</cpe>
<cpe>cpe:/a:yaml_project:yaml</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppress false positives by technology:
1. dash
2. node.js modules (#1095)
3. active directory (#1091)
4. active directory (#1091)
5. active directory (#1091)
6. snmp (#1248)
7. snmp (#1248)
8. python (#1055)
9. python (#1055)
10. CVE-2017-16046 is for the node.js npm mariadb client (#1364)
11. sqlserver_project is a node js module (#1388)
12. auth0 is a javascript library (#1925)
13. JAR files should not be identified as github
14. <cpe>cpe:/a:data-tools_project:data_tools</cpe> is a python project #1961
15. flow_project reports an Ethereum token issue
16. ghost CMS is a node.js package (#3203)
17. ws_project is a node websocket client (#1535)
18. i18n_project is a node.js i18n module (#3350) (#3352) (#3353)
19. redis:redis is a C project #3744, #3814, #3840, #3841
20. perl:perl is a C project #4254
]]></notes>
<filePath regex="true">.*(\.(jar|ear|war|pom)|pom\.xml)$</filePath>
<cpe>cpe:/a:dash:dash</cpe>
<cpe>cpe:/a:mustache.js_project:mustache.js</cpe>
<cpe>cpe:/a:microsoft:active_directory</cpe>
<cpe>cpe:/a:microsoft:active_directory_federation_services</cpe>
<cpe>cpe:/a:microsoft:active_directory_services</cpe>
<cpe>cpe:/a:snmp:snmp</cpe>
<cpe>cpe:/a:net-snmp:net-snmp</cpe>
<cpe>cpe:/a:python:python</cpe>
<cpe>cpe:/a:python_software_foundation:python</cpe>
<cve>CVE-2017-16046</cve>
<cpe>cpe:/a:sqlserver_project:sqlserver</cpe>
<cpe>cpe:/a:auth0:auth0</cpe>
<cpe>cpe:/a:github:github</cpe>
<cpe>cpe:/a:data-tools_project:data_tools</cpe>
<cpe>cpe:/a:flow_project:flow</cpe>
<cpe>cpe:/a:ghost:ghost</cpe>
<cpe>cpe:/a:ws_project:ws</cpe>
<cpe>cpe:/a:i18n_project:i18n</cpe>
<cpe>cpe:/a:redis:redis</cpe>
<cpe>cpe:/a:perl:perl</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #2511
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.vaadin/vaadin\-sass\-compiler@.*$</packageUrl>
<cpe>cpe:/a:compile-sass_project:compile-sass</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #2512
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.poi/ooxml\-schemas@.*$</packageUrl>
<cpe>cpe:/a:apache:poi</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #2549
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jboss\.eap/wildfly\-client\-properties@.*$</packageUrl>
<cpe>cpe:/a:redhat:wildfly</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives
]]></notes>
<packageUrl regex="true">^pkg:npm/rc@.*$</packageUrl>
<cpe>cpe:/a:rc_project:rc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #2820
]]></notes>
<packageUrl regex="true">^pkg:(generic|nuget)/(microsoft\.)?jQuery[\.-].*$</packageUrl>
<cpe>cpe:/a:jquery:jquery</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: System.Security.Cryptography.OpenSsl.dll
]]></notes>
<packageUrl regex="true">^pkg:(generic|nuget)/System\.Security\.Cryptography\.OpenSsl@.*$</packageUrl>
<cpe>cpe:/a:openssl:openssl</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: Microsoft.Bcl.AsyncInterfaces.dll
]]></notes>
<packageUrl regex="true">^pkg:(generic|nuget)/Microsoft\.Bcl\.AsyncInterfaces@.*$</packageUrl>
<cpe>cpe:/a:microsoft:.net_core</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #2819
]]></notes>
<packageUrl regex="true">^pkg:(generic|nuget)/Microsoft\.DiaSymReader\.Native\.arm@.*$</packageUrl>
<cpe>cpe:/a:microsoft:visual_studio</cpe>
<cpe>cpe:/a:microsoft:visual_studio_2017</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #2819
]]></notes>
<packageUrl regex="true">^pkg:(generic|nuget)/Microsoft\.DiaSymReader\.Native@.*$</packageUrl>
<cpe>cpe:/a:dia:dia</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #2882 and #3562 and #3828 and #4423
]]></notes>
<packageUrl regex="true">^pkg:maven/(io\.quarkus/quarkus\-|io\.smallrye).*mutiny.*@.*$</packageUrl>
<cpe>cpe:/a:mutiny:mutiny</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positive per #3827 - this library is not the github.com/containers/storage project
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.smallrye/smallrye\-context\-propagation\-storage@.*$</packageUrl>
<cpe>cpe:/a:storage_project:storage</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #1396.
]]></notes>
<gav regex="true">^org\.mitre:openid-connect-client:.*$</gav>
<cpe>cpe:/a:openid:openid_connect</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #1563.
]]></notes>
<gav regex="true">^de\.siegmar:logback-gelf:.*$</gav>
<cpe>cpe:/a:logback:logback</cpe>
<cpe>cpe:/a:qos:logback</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per #2628
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.prometheus\.jmx/.*$</packageUrl>
<cve>CVE-2019-3826</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per #2001 & #2109
]]></notes>
<gav regex="true">^io\.prometheus:simple.*$</gav>
<cve>CVE-2019-3826</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per #2109
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.prometheus/simpleclient_logback@.*$</packageUrl>
<cpe>cpe:/a:logback:logback</cpe>
<cpe>cpe:/a:qos:logback</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #1573, #3889 and #4065
]]></notes>
<gav regex="true">^io\.netty:netty-tcnative.*$</gav>
<cpe regex="true">^cpe:/a:netty(_project)?:netty.*$</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on Jersey core client.
]]></notes>
<gav regex="true">(com\.sun\.jersey|org\.glassfish\.jersey\.core):jersey-(client|common):.*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
<cpe>cpe:/a:oracle:oracle_client</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1614.
]]></notes>
<gav regex="true">^eu\.bitwalker:UserAgentUtils:.*$</gav>
<cpe>cpe:/a:useragent_project:useragent</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue 2246
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.ehcache/ehcache@.*$</packageUrl>
<cpe>cpe:/a:gradle:gradle</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1599
]]></notes>
<gav regex="true">^com\.atlassian\.http:atlassian-http:.*$</gav>
<cpe>cpe:/a:atlassian:bitbucket</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1594
]]></notes>
<gav regex="true">^org\.jfrog\.artifactory\.client:artifactory-java-client-api:.*$</gav>
<cve>CVE-2016-6501</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1590
]]></notes>
<gav regex="true">^com\.cybersource:flex-server-sdk:.*$</gav>
<cpe>cpe:/a:flex_project:flex</cpe>
<cpe>cpe:/a:id:id-software</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2627
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.minio/minio@.*$</packageUrl>
<cve>CVE-2018-1000538</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2627
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.minio/minio@.*$</packageUrl>
<cve>CVE-2020-11012</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1587
]]></notes>
<gav regex="true">^org\.apache\.felix:org\.apache\.felix\.configadmin:.*$</gav>
<cpe>cpe:/a:cm_project:cm</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2859
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.atlassian\.httpclient/atlassian\-httpclient\-library@.*$</packageUrl>
<cpe>cpe:/a:apache:httpclient</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2835
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.scanbot/scanbot\-sdk\-imageprocessing@.*$</packageUrl>
<cpe>cpe:/a:image_processing_software:image_processing_software</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2794
]]></notes>
<packageUrl regex="true">^pkg:maven/co\.elastic\.apm/apm\-grails\-plugin@.*$</packageUrl>
<cpe>cpe:/a:grails:grails</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2673 and #2672
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.geronimo/geronimo\-(health|metrics(-common)?)@.*$</packageUrl>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2652
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.sf\.jasperreports/jasperreports@.*$</packageUrl>
<cve>CVE-2020-9410</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2756
]]></notes>
<packageUrl regex="true">^pkg:maven/co\.elastic\.logging/logback\-ecs\-encoder@.*$</packageUrl>
<cpe>cpe:/a:logback:logback</cpe>
<cpe>cpe:/a:qos:logback</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2768
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.evolvis\.tartools/rfc822@.*$</packageUrl>
<cpe>cpe:/a:man-cgi_project:man-cgi</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2711
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.typesafe\.play/shaded\-oauth@.*$</packageUrl>
<cpe>cpe:/a:playframework:play_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2703
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.slf4j/log4j\-over\-slf4j@.*$</packageUrl>
<cpe>cpe:/a:apache:log4j</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2768
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed\-core@.*$</packageUrl>
<cve>CVE-2020-8022</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2683
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.typesafe\.play/cachecontrol_2\.13@.*$</packageUrl>
<cpe>cpe:/a:playframework:play_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1664
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel\-servicenow(\-starter)?@.*$</packageUrl>
<cpe>cpe:/a:apache:camel</cpe>
<cpe>cpe:/a:servicenow:servicenow</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1664
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.camel/json\-simple\-ordered@.*$</packageUrl>
<cpe>cpe:/a:apache:camel</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2678
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel\-cxf@.*$</packageUrl>
<cpe>cpe:/a:apache:cxf</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2678
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel\-cxf\-transport@.*$</packageUrl>
<cpe>cpe:/a:apache:cxf</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2859
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.atlassian\.jira/jira\-rest\-java\-client\-api@.*$</packageUrl>
<cpe>cpe:/a:atlassian:jira</cpe>
<cpe>cpe:/a:atlassian:jira_core</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2859
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.atlassian\.jira/jira\-rest\-java\-client\-core@.*$</packageUrl>
<cpe>cpe:/a:atlassian:jira</cpe>
<cpe>cpe:/a:atlassian:jira_core</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2859
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.atlassian\.jira/jira\-rest\-java\-client\-app@.*$</packageUrl>
<cpe>cpe:/a:atlassian:jira</cpe>
<cpe>cpe:/a:atlassian:jira_core</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #2298
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.github\.docker\-java/docker\-java@.*$</packageUrl>
<cpe>cpe:/a:docker:docker</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #2310
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.itextpdf/itext\-licensekey@.*$</packageUrl>
<cpe>cpe:/a:itextpdf:itext</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #2261
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.datomic/(?!datomic-free).*$</packageUrl>
<cpe>cpe:/a:cognitect:datomic</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1587
]]></notes>
<gav regex="true">^com\.liferay:org\.apache\.felix\.configadmin:.*$</gav>
<cpe>cpe:/a:cm_project:cm</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #5048
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.liferay\.portal/com\.liferay\.util\.slf4j@.*$</packageUrl>
<cpe>cpe:/a:liferay:liferay</cpe>
<cpe>cpe:/a:liferay:liferay_portal</cpe>
<cpe>cpe:/a:liferay:portal</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5085
suppressing the liferay libraries that have a versioning scheme separate from the main framework version
but get linked to the framework CPE
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.liferay\.portal/com\.liferay\.portal\.impl@.*$</packageUrl>
<cpe>cpe:/a:liferay:liferay</cpe>
<cpe>cpe:/a:liferay:liferay_portal</cpe>
<cpe>cpe:/a:liferay:portal</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5085
suppressing the liferay libraries that have a versioning scheme separate from the main framework version
but get linked to the framework CPE
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.liferay\.portal/com\.liferay\.support\.tomcat@.*$</packageUrl>
<cpe>cpe:/a:liferay:liferay</cpe>
<cpe>cpe:/a:liferay:liferay_portal</cpe>
<cpe>cpe:/a:liferay:portal</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5085
suppressing the liferay libraries that have a versioning scheme separate from the main framework version
but get linked to the framework CPE
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.liferay\.portal/com\.liferay\.util\.bridges@.*$</packageUrl>
<cpe>cpe:/a:liferay:liferay</cpe>
<cpe>cpe:/a:liferay:liferay_portal</cpe>
<cpe>cpe:/a:liferay:portal</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5085
suppressing the liferay libraries that have a versioning scheme separate from the main framework version
but get linked to the framework CPE
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.liferay\.portal/com\.liferay\.util\.java@.*$</packageUrl>
<cpe>cpe:/a:liferay:liferay</cpe>
<cpe>cpe:/a:liferay:liferay_portal</cpe>
<cpe>cpe:/a:liferay:portal</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5085
suppressing the liferay libraries that have a versioning scheme separate from the main framework version
but get linked to the framework CPE
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.liferay\.portal/com\.liferay\.util\.taglib@.*$</packageUrl>
<cpe>cpe:/a:liferay:liferay</cpe>
<cpe>cpe:/a:liferay:liferay_portal</cpe>
<cpe>cpe:/a:liferay:portal</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5085
suppressing the liferay libraries that have a versioning scheme separate from the main framework version
but get linked to the framework CPE
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.liferay\.portal/com\.liferay\.portal\.test@.*$</packageUrl>
<cpe>cpe:/a:liferay:liferay</cpe>
<cpe>cpe:/a:liferay:liferay_portal</cpe>
<cpe>cpe:/a:liferay:portal</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5085
suppressing the liferay libraries that have a versioning scheme separate from the main framework version
but get linked to the framework CPE
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.liferay\.portal/com\.liferay\.portal\.kernel@.*$</packageUrl>
<cpe>cpe:/a:liferay:liferay</cpe>
<cpe>cpe:/a:liferay:liferay_portal</cpe>
<cpe>cpe:/a:liferay:portal</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5085
suppressing the liferay libraries that have a versioning scheme separate from the main framework version
but get linked to the framework CPE
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.liferay\.portletmvc4spring/com\.liferay\.portletmvc4spring\.test@.*$</packageUrl>
<cpe>cpe:/a:liferay:liferay</cpe>
<cpe>cpe:/a:liferay:liferay_portal</cpe>
<cpe>cpe:/a:liferay:portal</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5085
suppressing the liferay libraries that have a versioning scheme separate from the main framework version
but get linked to the framework CPE
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.liferay/biz\.aQute\.bnd\.annotation@.*$</packageUrl>
<cpe>cpe:/a:liferay:liferay</cpe>
<cpe>cpe:/a:liferay:liferay_portal</cpe>
<cpe>cpe:/a:liferay:portal</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1585
]]></notes>
<gav regex="true">^org\.apache\.geronimo\.javamail:geronimo-javamail_1\.4_mail:.*$</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1585
]]></notes>
<gav regex="true">^geronimo-spec:geronimo-spec-javamail:.*$</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1585
]]></notes>
<gav regex="true">^org\.apache\.geronimo\.javamail:geronimo-javamail_1\.4_provider:.*$</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #2866
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.nimbusds/oauth2\-oidc\-sdk@.*$</packageUrl>
<cpe>cpe:/a:openid:openid</cpe>
<cpe>cpe:/a:openid:openid_connect</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #3345
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.azure/azure\-core\-http\-netty@.*$</packageUrl>
<cpe>cpe:/a:netty:netty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses fp identified while testing #2686
]]></notes>
<packageUrl regex="true">^pkg:(nuget|generic)/Azure\.Core(_sdk)?@.*$</packageUrl>
<cpe>cpe:/a:microsoft:.net_core</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #2865
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
<cpe>cpe:/a:http_authentication_library_project:http_authentication_library</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #2896
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
<cpe>cpe:/a:http_authentication_library_project:http_authentication_library</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #2896
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.nimbusds/oauth2\-oidc\-sdk@.*$</packageUrl>
<cpe>cpe:/a:openid:openid</cpe>
<cpe>cpe:/a:openid:openid_connect</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue 1581
]]></notes>
<gav regex="true">^org\.apache\.activemq:artemis.*$</gav>
<cpe>cpe:/a:apache:apache_http_server</cpe>
<cpe>cpe:/a:apache:http_server</cpe>
<cpe>cpe:/a:apache:activemq</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Supresses false positives on jersey-apache-client4
]]></notes>
<gav regex="true">com\.sun\.jersey\.contribs:jersey-apache-client.*</gav>
<cpe>cpe:/a:apache:httpclient</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on glassfish and grizzly. Updated per issue #672.
]]></notes>
<gav regex="true">org\.glassfish(\.(web|grizzly)):.*(json|faces|jstl|grizzly).*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
<cpe>cpe:/a:oracle:glassfish_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Akka FP per #2050
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.kamon/kamon\-akka.*$</packageUrl>
<cpe>cpe:/a:akka:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1877
]]></notes>
<packageUrl regex="true">^pkg:maven\/org\.apache\.sling/org\.apache\.sling\.auth\.core@.*$</packageUrl>
<cpe regex="true">^cpe:/a:apache:sling(?!_auth_core).*$</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1877
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling\.(?!auth\.core).*$</packageUrl>
<cve>CVE-2013-4390</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1877
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling.*$</packageUrl>
<cve>CVE-2016-0956</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2026
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.undertow/.*$</packageUrl>
<cve>CVE-2018-1067</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2026 & #2077
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.undertow\..*$</packageUrl>
<cpe>cpe:/a:redhat:undertow</cpe>
<cpe>cpe:/a:oracle:jsp</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #872 - really not a fan of this as it appears several pieces of AspNetCore are
packaged under different names so you can grab a specific new bit of code. As
such, one may miss that the fix is in one of the sub components that is repackaged.
]]></notes>
<packageUrl regex="true">^pkg:(generic|nuget)/Microsoft\.AspNetCore\..*$</packageUrl>
<cpe>cpe:/a:microsoft:aspnetcore</cpe>
<cpe>cpe:/a:microsoft:asp.net_core</cpe>
<cpe>cpe:/a:microsoft:asp.net</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #872 - really not a fan of this as it appears several pieces of AspNetCore are
packaged under different names so you can grab a specific new bit of code. As
such, one may miss that the fix is in one of the sub components that is repackaged.
]]></notes>
<packageUrl regex="true">^pkg:(generic|nuget)/Microsoft\.Net\..*$</packageUrl>
<cpe>cpe:/a:microsoft:aspnetcore</cpe>
<cpe>cpe:/a:microsoft:asp.net_core</cpe>
<cpe>cpe:/a:microsoft:asp.net</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #872 - really not a fan of this as it appears several pieces of AspNetCore are
packaged under different names so you can grab a specific new bit of code. As
such, one may miss that the fix is in one of the sub components that is repackaged.
]]></notes>
<packageUrl regex="true">^pkg:(generic|nuget)/Microsoft\.Extensions\..*$</packageUrl>
<cpe>cpe:/a:microsoft:aspnetcore</cpe>
<cpe>cpe:/a:microsoft:asp.net_core</cpe>
<cpe>cpe:/a:microsoft:asp.net</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #872
]]></notes>
<packageUrl regex="true">^pkg:(generic|nuget)/Swashbuckle\..*$</packageUrl>
<cpe>cpe:/a:asp-project:asp-project</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #872
]]></notes>
<packageUrl regex="true">^pkg:(generic|nuget)/Microsoft\.AspNetCore\.JsonPatch@.*$</packageUrl>
<cpe>cpe:/a:json-patch_project:json-patch</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives per issue #2821
]]></notes>
<packageUrl regex="true">^pkg:(generic|nuget)/Microsoft\.VisualStudio\.Web\.CodeGenerat.*$</packageUrl>
<cpe>cpe:/a:microsoft:visual_studio_code</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1968
]]></notes>
<packageUrl regex="true">^pkg:(generic|nuget)/Microsoft\.Win32\.Registry\.AccessControl@.*$</packageUrl>
<cpe>cpe:/a:microsoft:access</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1485
]]></notes>
<gav regex="true">^org\.sonatype\.plexus:plexus-sec-dispatcher:.*$</gav>
<cpe>cpe:/a:sec_project:sec</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1479
]]></notes>
<gav regex="true">^com.amazonaws:aws-java-sdk-simpleworkflow:.*$</gav>
<cpe>cpe:/a:flow_project:flow</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1479
]]></notes>
<gav regex="true">^com.amazonaws:aws-java-sdk-swf-libraries:.*$</gav>
<cpe>cpe:/a:flow_project:flow</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1229
]]></notes>
<gav regex="true">^org\.slf4j:((?!slf4j-ext).)*:.*$</gav>
<cve>CVE-2018-8088</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1027
]]></notes>
<gav regex="true">^com\.github\.danielwegener:logback-kafka-appender:.*$</gav>
<cpe>cpe:/a:logback:logback</cpe>
<cpe>cpe:/a:qos:logback</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
httpmime is not the same as th actual http client; suppressing this match.
]]></notes>
<gav regex="true">^org\.apache\.httpcomponents:httpmime:.*$</gav>
<cpe>cpe:/a:apache:httpclient</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2554
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.alpn/alpn\-api@.*$</packageUrl>
<cpe>cpe:/a:jetty:jetty</cpe>
<cpe>cpe:/a:eclipse:jetty</cpe>
<cpe>cpe:/a:mortbay_jetty:jetty</cpe>
<cpe>cpe:/a:mortbay:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2553
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-reactive\-httpclient@.*$</packageUrl>
<cpe>cpe:/a:jetty:jetty</cpe>
<cpe>cpe:/a:eclipse:jetty</cpe>
<cpe>cpe:/a:mortbay_jetty:jetty</cpe>
<cpe>cpe:/a:mortbay:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1515
]]></notes>
<gav regex="true">^org\.eclipse\.jetty\.alpn:alpn-api:.*$</gav>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Resolve FP that caused ant task IT to fail.
]]></notes>
<gav regex="true">^jetty:org\.mortbay\.jetty:.*$</gav>
<cpe>cpe:/a:apache:http_server</cpe>
<cpe>cpe:/a:apache:apache_http_server</cpe>
<cpe>cpe:/a:free_java_web_server:free_java_web_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP on jetty-proxy
]]></notes>
<gav regex="true">^org\.eclipse\.jetty:jetty-proxy:.*$</gav>
<cpe>cpe:/a:eclipse:jetty</cpe>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives found while investigating https://github.com/jeremylong/dependency-check-gradle/issues/103
]]></notes>
<gav regex="true">^com\.facebook\.android:facebook-android-sdk:.*$</gav>
<cpe>cpe:/a:facebook:facebook</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives found while investigating https://github.com/jeremylong/dependency-check-gradle/issues/103
]]></notes>
<gav regex="true">^com\.amazonaws:aws-android-sdk-cognitoidentityprovider-asf:.*$</gav>
<cpe>cpe:/a:android:android_sdk</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Supression to remove incorrect match from the OSS Index per #2281.
]]></notes>
<packageUrl>pkg:maven/org.jsoup/[email protected] </packageUrl>
<vulnerabilityName>CVE-2015-6748</vulnerabilityName>
</suppress>
<suppress base="true">
<notes><![CDATA[
Hazelcast-AWS is not Hazelcast (see #2330)
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.hazelcast/hazelcast\-aws@.*$</packageUrl>
<cpe>cpe:/a:hazelcast:hazelcast</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Hazelcast-Kubernetes is not Hazelcast (see #2330)
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.hazelcast/hazelcast\-kubernetes@.*$</packageUrl>
<cpe>cpe:/a:hazelcast:hazelcast</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2571
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.hazelcast/hazelcast\-client\-protocol@.*$</packageUrl>
<cpe>cpe:/a:hazelcast:hazelcast</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Client library reported as the server (#2334)
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.rabbitmq/amqp\-client@.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:rabbitmq</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Client library reported as the server (#2354)
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.zipkin\.reporter2/zipkin\-sender\-activemq\-client@.*$</packageUrl>
<cpe>cpe:/a:apache:activemq</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Library related to akka is being flagged as akka itself (#2339)
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.lightbend\.akka\.management/akka\-management_2\.12@.*$</packageUrl>
<cpe>cpe:/a:akka:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Library related to akka is being flagged as akka itself (#2340)
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.github\.romix\.akka/akka\-kryo\-serialization_2\.12@.*$</packageUrl>
<cpe>cpe:/a:akka:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Library related to prometheus is being flagged as prometheus itself (#2341)
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.kamon/kamon\-prometheus_2\.12@.*$</packageUrl>
<cpe>cpe:/a:prometheus:prometheus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Joint FP CPE suppression for #2346, #2499, #2600, #3274, #4212 also covering future Kotlin extension libraries
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlinx/.*$</packageUrl>
<cpe>cpe:/a:jetbrains:kotlin</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives found while investigating https://github.com/jeremylong/dependency-check-gradle/issues/103
]]></notes>
<gav regex="true">^org\.jetbrains:annotations:.*$</gav>
<cpe>cpe:/a:jetbrains:intellij_idea</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2031
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly/wildfly\-microprofile\-config\-implementation@.*$</packageUrl>
<cpe regex="true">cpe:/a:(wildfly|redhat):wildfly.*</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2202
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly.*(common|config|cli|naming|security|elytron|arquillian|ejb|weld|naming|manager|swarm|transaction|undertow).*$</packageUrl>
<cpe regex="true">cpe:/a:(wildfly|redhat):wildfly.*</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2047
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.openapitools/jackson\-databind\-nullable@.*$</packageUrl>
<cpe>cpe:/a:fasterxml:jackson</cpe>
<cpe>cpe:/a:fasterxml:jackson-databind</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on the org.opensaml:xmltooling
FP per issue #945
FP per issue #2030
]]></notes>
<gav regex="true">org\.opensaml:xmltooling:.*</gav>
<cpe>cpe:/a:shibboleth:opensaml</cpe>
<cpe>cpe:/a:internet2:opensaml</cpe>
<cve>CVE-2015-0851</cve>
<cve>CVE-2019-9628</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP found when researching #1091
]]></notes>
<gav regex="true">^com\.nimbusds:nimbus-jose-jwt:.*$</gav>
<cpe>cpe:/a:jwt_project:jwt</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on the org.opensaml:openws
]]></notes>
<gav regex="true">org\.opensaml:openws:.*</gav>
<cpe>cpe:/a:internet2:opensaml</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives for python:python.
]]></notes>
<filePath regex="true">.*(\.(whl|egg)|\b(site|dist)-packages\b.*)</filePath>
<cpe>cpe:/a:python:python</cpe>
<cpe>cpe:/a:python_software_foundation:python</cpe>
<cpe>cpe:/a:class:class</cpe>
<cpe>cpe:/a:file:file</cpe>
<cpe>cpe:/a:gnupg:gnupg</cpe>
<cpe>cpe:/a:mongodb:mongodb</cpe>
<cpe>cpe:/a:mozilla:mozilla</cpe>
<cpe>cpe:/a:openssl:openssl</cpe>
<cpe>cpe:/a:sendfile:sendfile</cpe>
<cpe>cpe:/a:sendmail:sendmail</cpe>
<cpe>cpe:/a:yacc:yacc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives for com.google:.*
]]></notes>
<gav regex="true">com\.google(\.[a-zA-Z0-9_-]+)?:.*:.*</gav>
<cpe>cpe:/a:google:desktop</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives for non-android JARs from google.
]]></notes>
<gav regex="true">com\.google\.((?!android).)*:.*</gav>
<cpe>cpe:/a:google:android</cpe>
<cpe>cpe:/a:google:android_api</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives for android JARs in g:com.google.android
]]></notes>
<gav regex="true">com\.google\.android\..*:.*</gav>
<cpe>cpe:/a:google:android</cpe>
<cpe>cpe:/a:google:android_api</cpe>
<cpe>cpe:/a:google:google</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives for components within guava.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.guava/failureaccess@.*$</packageUrl>
<cpe>cpe:/a:google:guava</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives for components within guava.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.guava/listenablefuture@.*$</packageUrl>
<cpe>cpe:/a:google:guava</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives for components within guava.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.h3xstream\.retirejs/retirejs\-core@.*$</packageUrl>
<cpe>cpe:/a:xstream_project:xstream</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses incorrect identification for bing ads.
]]></notes>
<gav regex="true">com.microsoft.bingads:microsoft.bingads:.*</gav>
<cpe>cpe:/a:microsoft:bing</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Oracle Jersey is flagged as glassfish.
]]></notes>
<gav regex="true">.*jersey.*</gav>
<cpe>cpe:/a:oracle:glassfish_server</cpe>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Oracle HK2 is flagged as glassfish.
]]></notes>
<gav regex="true">.*\bhk2\b.*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
HK2-utils is flagged as glassfish.
]]></notes>
<filePath regex="true">.*\bhk2-utils.*\.jar</filePath>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: petals-se-camel-1.0.0.jar - false positive for apache camel.
]]></notes>
<gav regex="true">org.ow2.petals:petals-se-camel:.*</gav>
<cpe>cpe:/a:apache:camel</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Mina gets flagged as apache-ssl
]]></notes>
<gav regex="true">org.apache.mina:mina.*</gav>
<cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Woden gets flagged as apache-ssl
]]></notes>
<gav regex="true">org.apache.woden:woden.*</gav>
<cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
spec gets flagged as the implementation.
]]></notes>
<gav regex="true">org.apache.geronimo.specs:.*</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2646
]]> </notes>
<packageUrl regex="true">^pkg:maven/dev\.miku/r2dbc\-mysql@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2649
]]> </notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat\-jni@.*$</packageUrl>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
<cpe>cpe:/a:apache_software_foundation:tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on tomcat-embed-el.
]]></notes>
<gav regex="true">org\.apache\.tomcat\.embed:tomcat-embed-el:.*</gav>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
<cpe>cpe:/a:apache_software_foundation:tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on tomcat-el-api and servlet api.
See #1437.
]]></notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-(servlet|el)-api:.*$</gav>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
<cpe>cpe:/a:apache_software_foundation:tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on tomcat-jdbc.
]]></notes>
<gav regex="true">org\.apache\.tomcat:tomcat-jdbc:.*</gav>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on tomcat-juli.
]]></notes>
<gav regex="true">org\.apache\.tomcat:tomcat-juli:.*</gav>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positive per issue #433
]]></notes>
<gav regex="true">com\.google\.javascript:closure-compiler:.*</gav>
<cpe>cpe:/a:google:google_apps:-</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positives per issue #437
]]></notes>
<gav regex="true">.*mongodb.*:.*:.*</gav>
<cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positives per issue #1620
]]></notes>
<gav regex="true">^javax\.jmdns:jmdns:.*$</gav>
<cpe>cpe:/a:apple:</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positives per issue #1621
]]></notes>
<gav regex="true">^org\.apache\.xbean:xbean.*$</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positives per issue #1622
]]></notes>
<gav regex="true">^org\.openjdk\.jmh:jmh-core:.*$</gav>
<cpe>cpe:/a:sun:openjdk</cpe>
<cpe>cpe:/a:oracle:openjdk</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positives per issue #1621
]]></notes>
<gav regex="true">^org\.apache\.geronimo\.components:geronimo-transaction:.*$</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positives per issue #438
Note, there will be more false positives for Netty. Trying to figure out a better suppression.
]]></notes>
<gav regex="true">com.typesafe.netty:netty-http-pipelining:.*</gav>
<cpe regex="true">^cpe:/a:netty(_project)?:netty.*$</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
JVM instrumentation to Ganglia
]]></notes>
<gav regex="true">info\.ganglia\.gmetric4j:gmetric4j:.*</gav>
<cpe>cpe:/a:ganglia:ganglia</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
A reporter for Metrics which announces measurements to a Ganglia cluster
]]></notes>
<gav regex="true">io\.dropwizard\.metrics:metrics-ganglia:.*</gav>
<cpe>cpe:/a:ganglia:ganglia</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives
]]></notes>
<gav regex="true">io\.dropwizard:dropwizard-jetty:.*</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives
]]></notes>
<gav regex="true">io\.dropwizard\.metrics:metrics-jetty:.*</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per issue #1961 and #3918
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.gagravarr/vorbis\-java\-tika@.*$</packageUrl>
<cpe>cpe:/a:apache:tika</cpe>
<cpe>cpe:/a:flac_project:flac</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per issue #1961
]]></notes>
<packageUrl regex="true">^pkg:maven/edu\.usc\.ir/sentiment\-analysis\-parser@.*$</packageUrl>
<cpe>cpe:/a:apache:opennlp</cpe>
<cpe>cpe:/a:apache:tika</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #1961.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.avro/avro\-mapred@.*$</packageUrl>
<cpe>cpe:/a:apache:hadoop</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #1961. Scalap is not scala.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.scala\-lang/scalap@.*$</packageUrl>
<cpe>cpe:/a:scala-lang:scala</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #1961. Scalap is not scala.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.scala\-lang/scalap@.*$</packageUrl>
<vulnerabilityName>CVE-2017-15288</vulnerabilityName>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #1961. spark-sketch is not sketch - an vector drawing tool.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.spark/spark\-sketch_2\.\d+@.*$</packageUrl>
<cpe>cpe:/a:sketch:sketch</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #1961. parqueet is not hadoop.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-hadoop@.*$</packageUrl>
<cpe>cpe:/a:apache:hadoop</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Jetbrains annotations is not the IDE
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.intellij/annotations@.*$</packageUrl>
<cpe>cpe:/a:jetbrains:intellij_idea</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives. Updated per issue #796.
]]></notes>
<gav regex="true">org\.eclipse\.jetty\.toolchain\.setuid:jetty-setuid-java:.*</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives
]]></notes>
<gav regex="true">org\.eclipse\.jetty\.http2:http2-hpack:.*</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP on osgi bundle - the embedded jetty server is flagged instead of the bundle itself.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.ops4j\.pax\.web/pax\-web\-jetty\-bundle@.*$</packageUrl>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1659
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.ops4j\.pax\..*$</packageUrl>
<cpe>cpe:/a:pax_project:pax</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1657
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.drizzle\.jdbc/drizzle\-jdbc@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1657
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.kerby/mysql\-backend@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1657
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.alibaba/druid@.*$</packageUrl>
<cpe>cpe:/a:alibaba:alibaba</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives
]]></notes>
<gav regex="true">io\.dropwizard\.metrics:metrics-httpclient:.*</gav>
<cpe>cpe:/a:apache:httpclient</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue https://github.com/jeremylong/dependency-check-gradle/issues/61
]]></notes>
<gav regex="true">^org\.eclipse\.jetty\.toolchain:jetty-schemas:.*$</gav>
<cpe>cpe:/a:mortbay_jetty:jetty</cpe>
<cpe>cpe:/a:mortbay:jetty</cpe>
<cpe>cpe:/a:jetty:jetty</cpe>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
javax.transaction and javax.annotation (#1629) false positives
]]></notes>
<gav regex="true">javax\.(annotation|transaction):javax\.(annotation|transaction)-api:.*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per #1630
]]></notes>
<gav regex="true">^org\.apache\.directory\.api:api-ldap.*$</gav>
<cpe>cpe:/a:apache:apache_http_server</cpe>
<cpe>cpe:/a:apache:directory_studio</cpe>
<cpe>cpe:/a:apache:ldap_studio</cpe>
<cpe>cpe:/a:net-ldap_project:net-ldap</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2029
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.opensaml/openws@.*$</packageUrl>
<cpe>cpe:/a:shibboleth:opensaml</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per #1631
]]></notes>
<gav regex="true">^org\.apache\.servicemix\.bundles:org\.apache\.servicemix\.bundles\.not-yet-commons-ssl:.*$</gav>
<cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per #1635
]]></notes>
<gav regex="true">^org\.apache\.cxf\.fediz:fediz-core:.*$</gav>
<cpe>cpe:/a:apache:cxf</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive in drop wizard
]]></notes>
<filePath regex="true">.*(\.(jar|ear|war|pom)|pom\.xml)</filePath>
<cpe>cpe:/a:tiger:tiger</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
php cpe
]]></notes>
<filePath regex="true">.*(\.(dll|jar|ear|war|pom)|pom\.xml)</filePath>
<cpe>cpe:/a:class:class</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Linux ssh False Positives
]]></notes>
<filePath regex="true">.*(\.(jar|ear|war|pom)|pom\.xml)</filePath>
<cpe>cpe:/a:pam:pam</cpe>
<cpe>cpe:/a:pam_ssh:pam_ssh</cpe>
<cpe>cpe:/a:sun:linux</cpe>
<cpe>cpe:/a:sun:sunos</cpe>
<cpe>cpe:/a:oracle:linux</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
JRK False Positives
]]></notes>
<filePath regex="true">.*(\.(jar|ear|war|pom)|pom\.xml)</filePath>
<cpe>cpe:/a:sun:java</cpe>
<cpe>cpe:/a:sun:jdk</cpe>
<cpe>cpe:/a:sun:j2se</cpe>
<cpe>cpe:/a:sun:j_se</cpe>
<cpe>cpe:/a:sun:j_se</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
fontbox is a sub project of pdfbox. CPE vulns don't apply.
]]></notes>
<gav regex="true">^org\.apache\.pdfbox:fontbox:.*$</gav>
<cpe>cpe:/a:apache:pdfbox</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
https://tukaani.org/xz/java.html
]]></notes>
<gav regex="true">^org\.tukaani:xz:.*$</gav>
<cve>CVE-2015-4035</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
https://github.com/processing/processing is not javax
]]></notes>
<gav regex="true">^(javax\.json|org\.glassfish):javax\.json(-api)?:.*$</gav>
<cpe>cpe:/a:processing:processing</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
https://github.com/processing/processing is not related to glassfish
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish.*$</packageUrl>
<cpe>cpe:/a:processing:processing</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2908
]]></notes>
<packageUrl regex="true">^pkg:maven/jakarta\.json/jakarta\.json\-api@.*$</packageUrl>
<cpe>cpe:/a:processing:processing</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
https://github.com/ojai/ojai is not mapr
]]></notes>
<gav regex="true">^org\.ojai:ojai:.*$</gav>
<cpe>cpe:/a:mapr:mapr</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
dependency-track is not track+
]]></notes>
<gav regex="true">^org\.jenkins-ci\.plugins:dependency-track:.*$</gav>
<cpe>cpe:/a:track%2b:track%2b</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Jenkins plugins are should not be flagged as Jenkins.
]]></notes>
<gav regex="true">^org\.jenkins-ci\.plugins:.*$</gav>
<cpe>cpe:/a:jenkins:jenkins</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Maven plugin for developing Jenkins plugins.
]]></notes>
<gav regex="true">^org\.jenkins-ci\.tools:maven-hpi-plugin:.*$</gav>
<cpe>cpe:/a:jenkins:jenkins</cpe>
<cpe>cpe:/a:jenkins:maven</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP on dependency-check-gradle
]]></notes>
<gav regex="true">^org\.owasp:dependency-check-gradle:.*$</gav>
<cpe>cpe:/a:gradle:gradle</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2178 - the gradle api is versioned differently than gradle itself. This causes FP.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.android\.tools\.build/gradle\-api@.*$</packageUrl>
<cpe>cpe:/a:gradle:gradle</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive: see https://github.com/jeremylong/DependencyCheck/issues/1949
]]></notes>
<gav regex="true">^io\.springfox:springfox-.+:.*$</gav>
<cpe>cpe:/a:gradle:gradle</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
see https://github.com/jeremylong/DependencyCheck/issues/1927
]]></notes>
<gav regex="true">^io\.micrometer:micrometer-registry-prometheus:.*$</gav>
<cve>CVE-2019-3826</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1755
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.micrometer/micrometer\-spring\-legacy@.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1755
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.squareup\.retrofit2?/(?!retrofit).*$</packageUrl>
<cpe>cpe:/a:squareup:retrofit</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
see https://github.com/jeremylong/DependencyCheck/issues/1927
]]></notes>
<gav regex="true">^io\.prometheus:simpleclient_common:.*$</gav>
<cve>CVE-2019-3826</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
see https://github.com/jeremylong/DependencyCheck/issues/1927
]]></notes>
<gav regex="true">^io\.prometheus:simpleclient:.*$</gav>
<cve>CVE-2019-3826</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
remove FP on Jenkins.
]]></notes>
<gav regex="true">^(?!org\.jenkins-ci\.main:jenkins-war).*$</gav>
<cpe>cpe:/a:jenkins:jenkins</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
filter out non-glassfish core
]]></notes>
<gav regex="true">^(?!org\.glassfish\.main\.core:glassfish).*$</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Grizzly is not Async Http Client
]]></notes>
<gav regex="true">^org\.glassfish\.grizzly:grizzly-http-client:.*$</gav>
<cpe>cpe:/a:async-http-client_project:async-http-client</cpe>
<cpe>cpe:/a:asynchttpclient_project:async-http-client</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
don't flag scala modules as scala
]]></notes>
<gav regex="true">^org\.scala-lang\.modules:.*$</gav>
<cpe>cpe:/a:scala-lang:scala</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
don't flag maven plugin components as the jenkins maven plugin itself
]]></notes>
<gav regex="true">^(?!org\.jenkins-ci\.main:maven-plugin):.*$</gav>
<cpe>cpe:/a:jenkins:maven</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
don't flag jruby extensions as jruby
]]></notes>
<gav regex="true">^org\.jruby\.ext.*$</gav>
<cpe>cpe:/a:jruby:jruby</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
elastic search false postivies
]]></notes>
<gav regex="true">org\.elasticsearch:securesm:.*</gav>
<cpe>cpe:/a:elasticsearch:elasticsearch</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
wink-json false positive
]]></notes>
<gav regex="true">^org\.apache\.wink:wink-json4j:.*$</gav>
<cpe>cpe:/a:wink:wink</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Glassfish false positives. Added jws per #1640
]]></notes>
<gav regex="true">^javax\.(jws|servlet):javax\.(jws|servlet)-api:.*$</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Glassfish false positives.
]]></notes>
<gav regex="true">org\.glassfish:javax.el:.*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5086
suppressing the Apache Pluto library that is referenced as a parent dependency
]]></notes>
<packageUrl regex="true">^pkg:maven/javax\.portlet/portlet\-api@.*$</packageUrl>
<cpe>cpe:/a:apache:pluto</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per #1641
]]></notes>
<gav regex="true">^org\.pac4j:pac4j-oidc:.*$</gav>
<cpe>cpe:/a:openid:openid</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Struts false positives.
]]></notes>
<gav regex="true">sslext:sslext:.*</gav>
<cpe>cpe:/a:apache:struts</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
ActiveMQ false positives.
]]></notes>
<gav regex="true">org\.apache\.activemq:activemq(-jms)?-pool.*</gav>
<cpe>cpe:/a:apache:activemq</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1681
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.activemq/activemq-(openwire-legacy|spring)@.*$</packageUrl>
<cpe>cpe:/a:apache:activemq</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1681
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.activemq/activemq\-client@.*$</packageUrl>
<cve>CVE-2015-5182</cve>
<cve>CVE-2015-5183</cve>
<cve>CVE-2015-5184</cve>
<cve>CVE-2019-0222</cve>
<cve>CVE-2020-13920</cve>
<cve>CVE-2020-1941</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2483
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.activemq/activemq\-all@.*$</packageUrl>
<cve>CVE-2015-5182</cve>
<cve>CVE-2015-5183</cve>
<cve>CVE-2015-5184</cve>
<cve>CVE-2019-0222</cve>
<cve>CVE-2020-13920</cve>
<cve>CVE-2020-1941</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2483
]]></notes>
<filePath regex="true">.*activemq-all-5.15.11.jar/META-INF/maven.*/pom.xml</filePath>
<cve>CVE-2015-5182</cve>
<cve>CVE-2015-5183</cve>
<cve>CVE-2015-5184</cve>
<cve>CVE-2019-0222</cve>
<cve>CVE-2020-13920</cve>
<cve>CVE-2020-1941</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
ActiveMQ false positives.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.activemq\.protobuf/activemq\-protobuf@.*$</packageUrl>
<cpe>cpe:/a:apache:activemq</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2210
]]></notes>
<packageUrl regex="true">.*(?!gradle).*</packageUrl>
<cpe>cpe:/a:gradle:gradle</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3829 the eclipse Microprofile config file provider project is not the Jenkins config file provider plugin
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.config/.*@.*$</packageUrl>
<cpe>cpe:/a:config_file_provider_project:config_file_provider</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: keycloak-dropwizard-1.1.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/de\.ahus1\.keycloak\.dropwizard/keycloak\-dropwizard@.*$</packageUrl>
<cpe>cpe:/a:keycloak:keycloak</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: keycloak-jetty-core-4.8.3.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-jetty\-core@.*$</packageUrl>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Drupal services false positive.
Pyro is a python project.
]]></notes>
<filePath regex="true">.*(\.(jar|ear|war|pom)|pom\.xml)</filePath>
<cpe>cpe:/a:services_project:services</cpe>
<cpe>cpe:/a:pyro_project:pyro</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
jenkins-client false positives
]]></notes>
<gav regex="true">com\.offbytwo\.jenkins:jenkins-client:.*</gav>
<cpe>cpe:/a:jenkins:jenkins</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
xstream false positives
]]></notes>
<gav regex="true">^(?!com.thoughtworks).*xstream.*$</gav>
<cpe>cpe:/a:x-stream:xstream</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per issue #582
]]></notes>
<gav regex="true">^org\.glassfish\.jersey\.ext:jersey-proxy-client:.*$</gav>
<cpe>cpe:/a:oracle:oracle_client</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per issue #777
]]></notes>
<gav regex="true">^org\.glassfish\.jersey\.ext:jersey-metainf-services:.*$</gav>
<cpe>cpe:/a:services_project:services:</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: smiley-http-proxy-servlet-1.7.jar
]]></notes>
<gav regex="true">^org\.mitre\.dsmiley\.httpproxy:smiley-http-proxy-servlet:.*$</gav>
<cpe>cpe:/a:shttp:shttp</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This CVE is disputed by the vendor and is not considered an issue.
]]></notes>
<filePath regex="true">.*</filePath>
<cve>CVE-2007-6059</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
These CVEs only affect jackson-dataformat-xml. See issue #517, #751, and #792.
]]></notes>
<gav regex="true">(org\.codehaus\.jackson|com\.fasterxml\.jackson\.(core|module|datatype|jaxrs)):jackson.*</gav>
<cve>CVE-2016-3720</cve>
<cve>CVE-2016-7051</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1344
]]></notes>
<gav regex="true">^com\.github\.docker-java:docker-java:.*$</gav>
<cve>CVE-2017-7297</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
jackson-dataformat-avro/cbor/ion/protobuf/smile are cpe:/a:fasterxml:jackson-dataformat-binary
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.dataformat/jackson\-dataformat\-(ion|cbor|avro|protobuf|smile)@.*$</packageUrl>
<cpe>cpe:/a:fasterxml:jackson-dataformat-xml</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
These only apply to the jackson-dataformat-cbor sub-module
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.dataformat/jackson\-dataformat(?!\-cbor).*@.*$</packageUrl>
<cve>CVE-2020-28491</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
These CVE only affects jackson-dataformat-xml. See issue #517.
]]></notes>
<gav regex="true">com\.fasterxml\.jackson\.dataformat:jackson(?!\-dataformat\-xml).*</gav>
<cve>CVE-2016-3720</cve>
<cve>CVE-2016-7051</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives per issue #2873
]]></notes>
<packageUrl regex="true">^pkg:npm/faye\-websocket@.*$</packageUrl>
<cpe>cpe:/a:faye_project:faye</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Node.js false positives per issues #512 and #510
]]></notes>
<filePath regex="true">.*package\.json$</filePath>
<cpe>cpe:/a:file_project:file</cpe>
<cpe>cpe:/a:file:file</cpe>
<cpe>cpe:/a:shim:shim</cpe>
<cpe>cpe:/a:shim_project:shim</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives on python.
]]></notes>
<filePath regex="true">.*__init__\.py$</filePath>
<cpe>cpe:/a:shim:shim</cpe>
<cpe>cpe:/a:python:python</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives per #1314.
]]></notes>
<filePath regex="true">.*PKG-INFO$</filePath>
<cpe>cpe:/a:nodejs:nodejs</cpe>
<cpe>cpe:/a:nodejs:node.js</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
checkpoint firewall is not at the application layer.
]]></notes>
<filePath regex="true">.*</filePath>
<cpe>cpe:/a:checkpoint:check_point</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Bouncy Castle Time Stamp Protocol is not related to openpgp.
]]></notes>
<gav regex="true">^org\.bouncycastle:bctsp.*$</gav>
<cpe>cpe:/a:openpgp:openpgp</cpe>
<cpe>cpe:/a:pgp:openpgp</cpe>
<cpe>cpe:/a:pgp:pgp</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Apache XML Graphics is used by Batik - but should not be identified as batik.
]]></notes>
<gav regex="true">^org\.apache\.xmlgraphics:xmlgraphics-commons:.*$</gav>
<cpe>cpe:/a:apache:batik</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive suppression per issue #664 for JJWT - A Java and Android JSON Web Token library
]]></notes>
<gav regex="true">^io\.jsonwebtoken:jjwt:.*$</gav>
<cpe>cpe:/a:sonatype:nexus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2151
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.vertx/vertx\-auth\-common@.*$</packageUrl>
<cpe>cpe:/a:sonatype:nexus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive suppresion per issue #679 - jcore is a php wbe cms.
]]></notes>
<gav regex="true">^org\.apache\.james:apache-mime4j-core:.*$</gav>
<cpe>cpe:/a:jcore:jcore</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive
]]></notes>
<gav regex="true">^javax\.servlet:servlet-api:.*$</gav>
<cpe>cpe:/a:sun:one_application_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives per issue #684.
]]></notes>
<gav regex="true">^org\.apache\.tomcat\.embed:tomcat-embed.*$</gav>
<cve>CVE-2017-6056</cve>
<cve>CVE-2016-6325</cve>
<cve>CVE-2016-5425</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #699
]]></notes>
<gav regex="true">^com\.splunk:splunk:.*$</gav>
<cpe>cpe:/a:splunk:splunk</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #713
]]></notes>
<gav regex="true">^org\.openid4java:openid4java:.*$</gav>
<cpe>cpe:/a:openid:openid</cpe>
<cpe>cpe:/a:openid:openid4java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False Positive per issue #746
]]></notes>
<gav regex="true">^com\.artofsolving:jodconverter:.*$</gav>
<cpe>cpe:/a:openoffice:openoffice.org</cpe>
<cpe>cpe:/a:openoffice:openoffice</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False Positive per issue #743
]]></notes>
<gav regex="true">^org\.xerial:sqlite-jdbc:.*$</gav>
<cve>CVE-2015-3717</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
newrelic-agent false positives due to the instrumentation package (see issue #781)
]]></notes>
<filePath regex="true">.*newrelic-?agent.*\.jar[\\\/]instrumentation.*\.jar</filePath>
<cpe regex="true">.*</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False Positices per issue #823
]]></notes>
<gav regex="true">^io\.swagger:.*$</gav>
<cpe>cpe:/a:sonatype:nexus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #851 and #1073 and #4414;
the CVEs listed are in the C++ part of the ICU project (and are currently all CVEs listed
against ICU project; nevertheless we should not suppress the CPE itself to avoid false negatives
when the CVE is in the icu4j (cpe:2.3:a:icu-project:international_components_for_unicode:*:*:*:*:*:java:*:*
/ cpe:2.3:a:unicode:international_components_for_unicode:*:*:*:*:*:java:*:*) CPE
cpe cpe:/a:unicode:unicode is the unicode specification
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.ibm\.icu/icu4j@.*$</packageUrl>
<cve>CVE-2020-21913</cve>
<cve>CVE-2014-9654</cve>
<cve>CVE-2014-9911</cve>
<cve>CVE-2016-6293</cve>
<cve>CVE-2016-7415</cve>
<cve>CVE-2017-14952</cve>
<cve>CVE-2017-17484</cve>
<cve>CVE-2015-5922</cve>
<cve>CVE-2007-4771</cve>
<cve>CVE-2020-10531</cve>
<cve>CVE-2011-4599</cve>
<cve>CVE-2014-7923</cve>
<cve>CVE-2014-7926</cve>
<cve>CVE-2014-7940</cve>
<cve>CVE-2014-8146</cve>
<cve>CVE-2014-8147</cve>
<cve>CVE-2017-7867</cve>
<cve>CVE-2017-7868</cve>
<cve>CVE-2007-4770</cve>
<cve>CVE-2017-15396</cve>
<cve>CVE-2017-15422</cve>
<cpe>cpe:/a:apple:java</cpe>
<cpe>cpe:/a:unicode:unicode:</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #854
]]></notes>
<gav regex="true">^com\.vaadin\.external\.google:android-json:.*$</gav>
<cpe>cpe:/a:google:android</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
json library is not glassfish server.
]]></notes>
<gav regex="true">^org\.glassfish:javax\.json:.*$</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: activerecord-oracle_enhanced-adapter-1.1.7.gemspec
]]></notes>
<filePath regex="true">.*activerecord.*oracle.*\.gemspec</filePath>
<cpe>cpe:/a:ruby-i18n:i18n</cpe>
<cpe>cpe:/a:mikel_lindsaar:mail</cpe>
<cpe>cpe:/a:rest-client_project:rest-client</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per issue #915
]]></notes>
<gav regex="true">^net\.thisptr:jackson-jq:.*$</gav>
<cpe>cpe:/a:jq_project:jq</cpe>
<cpe>cpe:/a:id:id-software</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per issue #915
]]></notes>
<gav regex="true">^org\.jruby\.jcodings:jcodings:.*$</gav>
<cpe>cpe:/a:jruby:jruby</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per issue #915
]]></notes>
<gav regex="true">^org\.jruby\.joni:joni:.*$</gav>
<cpe>cpe:/a:jruby:jruby</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per issue #915 and #3268
xjc-utils is a sub-project of cxf and would get its own CPE assigned just like CXF Fediz subproject for e.g. CVE-2018-8038
]]></notes>
<gav regex="true">^org\.apache\.cxf\.xjc-utils:.*:.*$</gav>
<cpe>cpe:/a:apache:cxf</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per issue #3820
xjc-utils is a sub-project of cxf and would get its own CPE assigned just like CXF Fediz subproject for e.g. CVE-2018-8038
besides the org.apache.xjc-utils groupId also the org.apache.cxf.xjcplugins groupId is part of this repository
]]></notes>
<gav regex="true">^org\.apache\.cxf\.xjcplugins:.*:.*$</gav>
<cpe>cpe:/a:apache:cxf</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per issue #915
]]></notes>
<gav regex="true">^javax\.validation:validation-api:.*$</gav>
<cpe>cpe:/a:bean_project:bean</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per issue #914
]]></notes>
<gav regex="true">^org\.apache\.struts\.xwork:xwork-core:.*$</gav>
<cpe>cpe:/a:apache:struts</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1398
]]></notes>
<gav regex="true">^net\.lingala\.zip4j:zip4j:.*$</gav>
<cpe>cpe:/a:zip_project:zip</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1398
]]></notes>
<gav regex="true">^net\.java\.truevfs:truevfs-comp-zip:.*$</gav>
<cpe>cpe:/a:zip_project:zip</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1398
]]></notes>
<gav regex="true">^net\.java\.truevfs:truevfs-driver-zip:.*$</gav>
<cpe>cpe:/a:zip_project:zip</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1424
]]></notes>
<gav regex="true">^stax:stax-api:.*$</gav>
<cpe>cpe:/a:st_project:st</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per issue #894
]]></notes>
<gav regex="true">^org\.apache\.pdfbox:fontbox:.*$</gav>
<cpe>cpe:/a:font_project:font</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per issue #1093
]]></notes>
<gav regex="true">^com\.itextpdf:font-asian:.*$</gav>
<cpe>cpe:/a:font_project:font</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per issue #859
]]></notes>
<gav regex="true">^org\.kohsuke:github-api:.*$</gav>
<cpe>cpe:/a:hub_project:hub</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: hystrix-rx-netty-metrics-stream-1.5.12.jar
]]></notes>
<gav regex="true">^com\.netflix\.hystrix:hystrix-rx-netty-metrics-stream:.*$</gav>
<cpe regex="true">^cpe:/a:netty(_project)?:netty.*$</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #1068
]]></notes>
<gav regex="true">^org\.asynchttpclient:netty-codec-dns:.*$</gav>
<cpe>cpe:/a:dns-sync_project:dns-sync</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #1068
]]></notes>
<gav regex="true">^org\.asynchttpclient:async-http-client-netty-utils:.*$</gav>
<cpe>cpe:/a:async-http-client_project:async-http-client</cpe>
<cpe>cpe:/a:asynchttpclient_project:async-http-client</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #1068
]]></notes>
<gav regex="true">^org\.asynchttpclient:netty-resolver-dns:.*$</gav>
<cpe>cpe:/a:dns-sync_project:dns-sync</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #1068, #4279
]]></notes>
<packageUrl regex="true">^pkg:maven/(?!(io\.netty|org\.jboss\.netty)).*/.*netty.*$</packageUrl>
<cpe regex="true">^cpe:/a:netty(_project)?:netty.*$</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: cassandra-thrift-1.2.11.jar
]]></notes>
<gav regex="true">^org\.apache\.cassandra:cassandra-thrift:.*$</gav>
<cpe>cpe:/a:apache:thrift</cpe>
<cpe>cpe:/a:apache:cassandra</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: xbean-bundleutils-3.11.1.jar
]]></notes>
<gav regex="true">^org\.apache\.xbean:xbean-bundleutils:.*$</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: xbean-finder-3.11.1.jar
]]></notes>
<gav regex="true">^org\.apache\.xbean:xbean-finder:.*$</gav>
<cpe>cpe:/a:finder_project:finder</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: annotation-indexer-1.4.jar
]]></notes>
<gav regex="true">^org\.jenkins-ci:annotation-indexer:.*$</gav>
<cpe>cpe:/a:jenkins:jenkins</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per issue #871
]]></notes>
<gav regex="true">^org\.sonatype\..*$</gav>
<cpe>cpe:/a:spice_project:spice</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: avro-1.4.0-cassandra-1.jar
]]></notes>
<gav regex="true">^org\.apache\.cassandra\.deps:avro:.*$</gav>
<cpe>cpe:/a:apache:cassandra</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: hystrix-request-servlet-1.5.12.jar
]]></notes>
<gav regex="true">^com\.netflix\.hystrix:hystrix-request-servlet:.*$</gav>
<cpe>cpe:/a:request_it:request_it</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: jersey-core-1.11.jar
]]></notes>
<gav regex="true">^com\.sun\.jersey:jersey-core:.*$</gav>
<cpe>cpe:/a:restful_web_services_project:restful_web_services</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: unboundid-ldapsdk-2.3.8.jar
]]></notes>
<gav regex="true">^com\.unboundid:unboundid-ldapsdk:.*$</gav>
<cpe>cpe:/a:id:id-software</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
jaxb-xerces and jaxb-xerces2 are completely different dependencies.
]]></notes>
<gav regex="true">^activesoap:jaxb-xercesImpl:[01].*$</gav>
<cpe>cpe:/a:apache:xerces2_java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
jaxb-xerces and jaxb-xerces2 are completely different dependencies - the sha1
is primarily for testing.
]]></notes>
<sha1>73a51faadb407dccdbd77234e0d5a0a648665692</sha1>
<cpe>cpe:/a:apache:xerces2_java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2186
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.lightbend\.akka/akka\-stream\-alpakka\-xml_2\.12@.*$</packageUrl>
<cpe>cpe:/a:akka:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2191 #5925
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.vaadin\.(addon|external|flow\.ai).*$</packageUrl>
<cpe>cpe:/a:vaadin:vaadin</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #6016
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.vaadin\.flow\.ai.*$</packageUrl>
<cpe>cpe:/a:vaadin:flow</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #5155 #5153 #4180 #4188 #4189 #4190 #2651 #2191
]]></notes>
<packageUrl regex="true">^(?!pkg:maven/com\.vaadin/vaadin(-core)?@).*$</packageUrl>
<cpe>cpe:/a:vaadin:vaadin</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #5414
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.vaadin/sso-kit-starter@.*$</packageUrl>
<cpe>cpe:/a:vaadin:flow</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2191
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.webjars\.(bower|bowergithub|npm).*$</packageUrl>
<cpe>cpe:/a:vaadin:vaadin</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2186
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.lightbend\.akka/akka\-stream\-alpakka\-xml_2\.12@.*$</packageUrl>
<cpe>cpe:/a:lightbend:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #965
]]></notes>
<gav regex="true">^com\.typesafe\.play:play-akka-http-server_2\.\d+:.*$</gav>
<cpe>cpe:/a:akka:akka</cpe>
<cpe>cpe:/a:akka:http_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP on sttp for http-client
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.softwaremill\.sttp.*$</packageUrl>
<cpe>cpe:/a:async-http-client_project:async-http-client</cpe>
<cpe>cpe:/a:asynchttpclient_project:async-http-client</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #1275
]]></notes>
<gav regex="true">^com\.typesafe\.akka:akka-stream-kafka_2\.12:.*$</gav>
<cpe>cpe:/a:akka:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #1275
]]></notes>
<gav regex="true">^com\.lightbend\.akka:akka-stream-alpakka-jms_2\.12:.*$</gav>
<cpe>cpe:/a:akka:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #1180
]]></notes>
<gav regex="true">^com\.typesafe\.akka:akka-persistence-cassandra:.*$</gav>
<cpe>cpe:/a:akka:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Fp per #2995
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opencensus/opencensus\-contrib\-grpc\-util@.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #1259 and #2991
]]></notes>
<gav regex="true">^com\.google\.api\.grpc:proto-.*$</gav>
<cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #942
]]></notes>
<gav regex="true">^org\.apache\.chemistry\.opencmis:chemistry-opencmis.*$</gav>
<cpe>cpe:/a:apache:apache_http_server</cpe>
<cpe>cpe:/a:apache:http_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #1654
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.directory\.server/apacheds.*$</packageUrl>
<cpe>cpe:/a:apache:http_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #942
]]></notes>
<gav regex="true">^org\.alfresco\.cmis\.client:alfresco-opencmis-extension:.*$</gav>
<cpe>cpe:/a:alfresco:alfresco</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #944 - just suppressing the single CVE instead of the entire match
as a future CVE could be meaningful to this library.
]]></notes>
<gav regex="true">^com\.evernote:evernote-api:.*$</gav>
<cve>CVE-2016-4900</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #951
]]></notes>
<gav regex="true">^org\.apache\.portals\.pluto:pluto-portal-driver:.*$</gav>
<cpe>cpe:/a:in-portal:in-portal</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP on ldap studio
]]></notes>
<gav regex="true">^org\.apache\.directory\.api:api-ldap.*$</gav>
<cpe>cpe:/a:apache:apache_ldap_studio</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #1003
]]></notes>
<gav regex="true">^org\.mapstruct:mapstruct:.*$</gav>
<cpe>cpe:/a:bean_project:bean</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #1004 - ldap.java is not in the JAR.
]]></notes>
<gav regex="true">^org\.codehaus\.groovy:groovy:.*$</gav>
<cve>CVE-2016-6497</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #1010 - ldap.java is not in the JAR.
]]></notes>
<gav regex="true">^org\.codehaus\.groovy:groovy-all:.*$</gav>
<cve>CVE-2016-6497</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #987
]]></notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
<cpe>cpe:/a:apache_software_foundation:tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup
]]></notes>
<filePath regex="true">.*winstone-?(\d*\.?){0,3}\.jar</filePath>
<cpe>cpe:/a:jetty:jetty</cpe>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup
]]></notes>
<gav regex="true">^org\.apache\.maven\.wagon:wagon-webdav-jackrabbit:.*$</gav>
<cpe>cpe:/a:apache:jackrabbit</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup
]]></notes>
<gav regex="true">^org\.apache\.xbean:xbean-reflect:.*$</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1652
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.aries\.transaction/org\.apache\.aries\.transaction\.manager@.*$</packageUrl>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup
]]></notes>
<gav regex="true">^org\.eclipse\.jetty\.orbit:javax\.annotation:.*$</gav>
<cpe>cpe:/a:eclipse:jetty</cpe>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup
]]></notes>
<gav regex="true">^org\.eclipse\.jetty\.websocket:websocket-api:.*$</gav>
<cpe>cpe:/a:eclipse:jetty</cpe>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup: com.amazonaws is a drupal project
]]></notes>
<gav regex="true">^com\.amazonaws:jmespath-java:.*$</gav>
<cpe>cpe:/a:amazon_aws_project:amazon_aws</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per #1642
]]></notes>
<gav regex="true">^org\.apache\.curator:curator-recipes:.*$</gav>
<cpe>cpe:/a:apache:zookeeper</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per #2912
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.linguafranca\.pwdb/database@.*$</packageUrl>
<cpe>cpe:/a:keepass:keepass</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per #2912
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.linguafranca\.pwdb/KeePass.*$</packageUrl>
<cpe>cpe:/a:keepass:keepass</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per #2907
]]></notes>
<packageUrl regex="true">^pkg:maven/javax\.enterprise/cdi\-api@.*$</packageUrl>
<cve>CVE-2014-8122</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2248, #4444
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.zookeeper/zookeeper.*@.*$</packageUrl>
<cpe>cpe:/a:apache:hadoop</cpe>
<cve>CVE-2021-21295</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2650
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.sonatype\.nexus\.plugins/nexus\-restore\-helm@.*$</packageUrl>
<cpe>cpe:/a:sonatype:nexus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2256
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.vertx.*$</packageUrl>
<cpe>cpe:/a:sonatype:nexus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup: apache_test CPE is referencing Perl code.
]]></notes>
<gav regex="true">^org\.apache\.ant:ant-testutil:.*$</gav>
<cpe>cpe:/a:apache:apache_test</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup: CPE is for git, not the git provider
]]></notes>
<gav regex="true">^org\.apache\.maven\.scm:maven-scm-provider-git-commons:.*$</gav>
<cpe>cpe:/a:git-scm:git</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup
]]></notes>
<gav regex="true">^org\.eclipse\.jetty\.orbit:org\.apache\.taglibs\.standard\.glassfish:.*$</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup
]]></notes>
<gav regex="true">^org\.eclipse\.jetty\.orbit:com\.sun\.el:.*$</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup: client vs. server mismatch
]]></notes>
<gav regex="true">^org\.samba\.jcifs:jcifs:.*$</gav>
<cpe>cpe:/a:samba:samba</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup
]]></notes>
<gav regex="true">^org\.codehaus\.plexus:plexus-utils:.*$</gav>
<cpe>cpe:/a:spice_project:spice</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP #1064
]]></notes>
<gav regex="true">^org\.projectlombok:lombok:.*$</gav>
<cpe>cpe:/a:spice_project:spice</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
webjars are not npm, #1179
]]></notes>
<gav regex="true">^org\.webjars\.npm:.*$</gav>
<cpe>cpe:/a:npm:npm</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
These affect core jackson-databind, not jackson-dataformat-xml. If a vulnerable
version of databind is brought in as a transitive dependency of dataformat it
will get flagged by itself. See issue #1150.
]]></notes>
<gav regex="true">^com\.fasterxml\.jackson\.dataformat:.*$</gav>
<cve>CVE-2018-7489</cve>
<cve>CVE-2018-5968</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #3041 and #4933
]]></notes>
<packageUrl regex="true">^pkg:maven/(mysql/mysql\-connector\-java|com\.mysql/mysql\-connector\-j)@.*$</packageUrl>
<cpe>cpe:/a:oracle:connector%2fj</cpe>
<cpe>cpe:/a:oracle:jdbc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #952 - instead of suppressing the whole thing, we will just
suppress specific CVE that are for the server
Added additional CVE per #3509 and new connector co-ordinates per #4933
]]></notes>
<gav regex="true">^(mysql:mysql-connector-java|com\.mysql:mysql-connector-j|org\.drizzle\.jdbc:drizzle-jdbc):.*$</gav>
<cve>CVE-2017-15945</cve>
<cve>CVE-2018-3081</cve>
<cve>CVE-2018-3137</cve>
<cve>CVE-2018-3145</cve>
<cve>CVE-2018-3170</cve>
<cve>CVE-2018-3182</cve>
<cve>CVE-2018-3186</cve>
<cve>CVE-2018-3195</cve>
<cve>CVE-2018-3203</cve>
<cve>CVE-2018-3212</cve>
<cve>CVE-2018-3279</cve>
<cve>CVE-2018-3286</cve>
<cve>CVE-2018-3071</cve>
<cve>CVE-2018-2759</cve>
<cve>CVE-2017-3331</cve>
<cve>CVE-2017-3452</cve>
<cve>CVE-2007-6304</cve>
<cve>CVE-2016-5442</cve>
<cve>CVE-2014-6555</cve>
<cve>CVE-2015-4861</cve>
<cve>CVE-2013-3796</cve>
<cve>CVE-2012-0553</cve>
<cve>CVE-2016-0659</cve>
<cve>CVE-2002-1923</cve>
<cve>CVE-2012-0119</cve>
<cve>CVE-2015-0508</cve>
<cve>CVE-2016-8283</cve>
<cve>CVE-2017-3463</cve>
<cve>CVE-2016-6663</cve>
<cve>CVE-2013-5881</cve>
<cve>CVE-2015-2573</cve>
<cve>CVE-2016-5436</cve>
<cve>CVE-2002-1376</cve>
<cve>CVE-2015-0432</cve>
<cve>CVE-2005-2558</cve>
<cve>CVE-2017-3308</cve>
<cve>CVE-2014-0402</cve>
<cve>CVE-2015-0499</cve>
<cve>CVE-2009-0819</cve>
<cve>CVE-2012-1757</cve>
<cve>CVE-2010-3838</cve>
<cve>CVE-2006-4031</cve>
<cve>CVE-2012-3180</cve>
<cve>CVE-2015-3152</cve>
<cve>CVE-2014-0393</cve>
<cve>CVE-2012-3163</cve>
<cve>CVE-2016-0594</cve>
<cve>CVE-2014-2450</cve>
<cve>CVE-2014-0430</cve>
<cve>CVE-2017-3457</cve>
<cve>CVE-2015-2567</cve>
<cve>CVE-2017-3319</cve>
<cve>CVE-2015-4866</cve>
<cve>CVE-2010-1621</cve>
<cve>CVE-2015-0409</cve>
<cve>CVE-2016-8288</cve>
<cve>CVE-2014-6484</cve>
<cve>CVE-2017-3243</cve>
<cve>CVE-2016-5633</cve>
<cve>CVE-2017-3468</cve>
<cve>CVE-2012-2122</cve>
<cve>CVE-2014-2444</cve>
<cve>CVE-2016-0642</cve>
<cve>CVE-2012-0882</cve>
<cve>CVE-2012-0102</cve>
<cve>CVE-2012-5614</cve>
<cve>CVE-2013-1567</cve>
<cve>CVE-2016-0504</cve>
<cve>CVE-2017-3643</cve>
<cve>CVE-2010-2008</cve>
<cve>CVE-2016-0608</cve>
<cve>CVE-2015-4756</cve>
<cve>CVE-2017-10284</cve>
<cve>CVE-2014-6495</cve>
<cve>CVE-2013-5793</cve>
<cve>CVE-2014-4233</cve>
<cve>CVE-2010-3680</cve>
<cve>CVE-2012-0493</cve>
<cve>CVE-2001-1275</cve>
<cve>CVE-2013-0385</cve>
<cve>CVE-2016-0599</cve>
<cve>CVE-2016-5627</cve>
<cve>CVE-2012-0113</cve>
<cve>CVE-2013-0368</cve>
<cve>CVE-2014-2438</cve>
<cve>CVE-2013-1511</cve>
<cve>CVE-2014-6478</cve>
<cve>CVE-2017-3637</cve>
<cve>CVE-2004-0837</cve>
<cve>CVE-2016-0653</cve>
<cve>CVE-2010-1626</cve>
<cve>CVE-2013-3810</cve>
<cve>CVE-2015-2643</cve>
<cve>CVE-2015-4767</cve>
<cve>CVE-2017-3265</cve>
<cve>CVE-2009-4019</cve>
<cve>CVE-2014-6489</cve>
<cve>CVE-2017-3302</cve>
<cve>CVE-2012-0087</cve>
<cve>CVE-2016-3477</cve>
<cve>CVE-2017-3648</cve>
<cve>CVE-2012-1697</cve>
<cve>CVE-2012-0487</cve>
<cve>CVE-2016-0647</cve>
<cve>CVE-2015-4815</cve>
<cve>CVE-2012-1734</cve>
<cve>CVE-2013-3804</cve>
<cve>CVE-2013-5807</cve>
<cve>CVE-2008-7247</cve>
<cve>CVE-2016-5441</cve>
<cve>CVE-2007-6303</cve>
<cve>CVE-2014-2494</cve>
<cve>CVE-2017-3313</cve>
<cve>CVE-2013-3795</cve>
<cve>CVE-2014-4238</cve>
<cve>CVE-2015-4826</cve>
<cve>CVE-2016-0658</cve>
<cve>CVE-2012-0118</cve>
<cve>CVE-2015-0507</cve>
<cve>CVE-2015-2648</cve>
<cve>CVE-2006-7232</cve>
<cve>CVE-2009-5026</cve>
<cve>CVE-2017-3462</cve>
<cve>CVE-2016-6662</cve>
<cve>CVE-2016-2047</cve>
<cve>CVE-2006-4227</cve>
<cve>CVE-2014-0001</cve>
<cve>CVE-2002-1375</cve>
<cve>CVE-2015-0498</cve>
<cve>CVE-2017-10365</cve>
<cve>CVE-2014-0401</cve>
<cve>CVE-2013-1544</cve>
<cve>CVE-2006-1518</cve>
<cve>CVE-2010-3679</cve>
<cve>CVE-2012-1756</cve>
<cve>CVE-2004-0628</cve>
<cve>CVE-2017-10227</cve>
<cve>CVE-2010-3837</cve>
<cve>CVE-2013-3809</cve>
<cve>CVE-2016-5584</cve>
<cve>CVE-2008-4456</cve>
<cve>CVE-2013-5891</cve>
<cve>CVE-2015-4761</cve>
<cve>CVE-2013-5770</cve>
<cve>CVE-2017-3456</cve>
<cve>CVE-2014-2432</cve>
<cve>CVE-2015-2566</cve>
<cve>CVE-2014-6559</cve>
<cve>CVE-2012-0574</cve>
<cve>CVE-2014-0412</cve>
<cve>CVE-2013-1555</cve>
<cve>CVE-2017-3318</cve>
<cve>CVE-2015-2620</cve>
<cve>CVE-2009-4030</cve>
<cve>CVE-2016-8287</cve>
<cve>CVE-2016-3471</cve>
<cve>CVE-2007-2693</cve>
<cve>CVE-2003-0150</cve>
<cve>CVE-2012-3173</cve>
<cve>CVE-2014-6520</cve>
<cve>CVE-2017-10283</cve>
<cve>CVE-2017-3467</cve>
<cve>CVE-2014-0386</cve>
<cve>CVE-2004-0388</cve>
<cve>CVE-2004-2149</cve>
<cve>CVE-2012-0101</cve>
<cve>CVE-2012-5613</cve>
<cve>CVE-2013-1566</cve>
<cve>CVE-2013-2376</cve>
<cve>CVE-2016-5632</cve>
<cve>CVE-2016-0503</cve>
<cve>CVE-2017-3329</cve>
<cve>CVE-2016-0607</cve>
<cve>CVE-2015-4913</cve>
<cve>CVE-2017-3642</cve>
<cve>CVE-2012-3156</cve>
<cve>CVE-2015-4772</cve>
<cve>CVE-2016-0641</cve>
<cve>CVE-2017-10320</cve>
<cve>CVE-2014-6494</cve>
<cve>CVE-2007-2583</cve>
<cve>CVE-2017-3653</cve>
<cve>CVE-2012-0492</cve>
<cve>CVE-2001-1274</cve>
<cve>CVE-2012-0075</cve>
<cve>CVE-2012-3167</cve>
<cve>CVE-2017-3636</cve>
<cve>CVE-2012-0112</cve>
<cve>CVE-2013-0367</cve>
<cve>CVE-2013-0384</cve>
<cve>CVE-2016-0652</cve>
<cve>CVE-2012-4414</cve>
<cve>CVE-2017-10294</cve>
<cve>CVE-2004-0957</cve>
<cve>CVE-2004-0836</cve>
<cve>CVE-2016-0598</cve>
<cve>CVE-2012-1705</cve>
<cve>CVE-2017-10314</cve>
<cve>CVE-2016-8318</cve>
<cve>CVE-2015-4766</cve>
<cve>CVE-2016-5626</cve>
<cve>CVE-2017-3599</cve>
<cve>CVE-2016-5609</cve>
<cve>CVE-2014-4260</cve>
<cve>CVE-2015-0501</cve>
<cve>CVE-2014-4243</cve>
<cve>CVE-2013-3783</cve>
<cve>CVE-2013-5786</cve>
<cve>CVE-2016-0663</cve>
<cve>CVE-2012-0540</cve>
<cve>CVE-2012-1696</cve>
<cve>CVE-2000-0045</cve>
<cve>CVE-2006-0369</cve>
<cve>CVE-2013-1521</cve>
<cve>CVE-2016-3459</cve>
<cve>CVE-2012-0486</cve>
<cve>CVE-2016-0646</cve>
<cve>CVE-2017-3647</cve>
<cve>CVE-2017-10167</cve>
<cve>CVE-2017-3450</cve>
<cve>CVE-2016-5440</cve>
<cve>CVE-2015-0382</cve>
<cve>CVE-2017-3312</cve>
<cve>CVE-2011-2262</cve>
<cve>CVE-2013-3794</cve>
<cve>CVE-2005-0004</cve>
<cve>CVE-2001-1454</cve>
<cve>CVE-2013-0389</cve>
<cve>CVE-2016-0657</cve>
<cve>CVE-2013-1532</cve>
<cve>CVE-2002-1921</cve>
<cve>CVE-2012-0117</cve>
<cve>CVE-2015-0506</cve>
<cve>CVE-2017-3258</cve>
<cve>CVE-2017-3461</cve>
<cve>CVE-2012-3150</cve>
<cve>CVE-2003-0073</cve>
<cve>CVE-2005-2573</cve>
<cve>CVE-2014-6564</cve>
<cve>CVE-2006-4226</cve>
<cve>CVE-2002-1374</cve>
<cve>CVE-2015-4870</cve>
<cve>CVE-2005-0711</cve>
<cve>CVE-2010-1850</cve>
<cve>CVE-2006-1517</cve>
<cve>CVE-2010-3678</cve>
<cve>CVE-2013-1526</cve>
<cve>CVE-2004-0627</cve>
<cve>CVE-2016-0705</cve>
<cve>CVE-2010-3836</cve>
<cve>CVE-2016-3518</cve>
<cve>CVE-2013-3808</cve>
<cve>CVE-2016-0601</cve>
<cve>CVE-2015-4836</cve>
<cve>CVE-2015-2571</cve>
<cve>CVE-2016-0668</cve>
<cve>CVE-2012-5060</cve>
<cve>CVE-2015-4819</cve>
<cve>CVE-2013-2381</cve>
<cve>CVE-2015-2582</cve>
<cve>CVE-2017-3455</cve>
<cve>CVE-2003-0780</cve>
<cve>CVE-2014-2431</cve>
<cve>CVE-2003-1331</cve>
<cve>CVE-2015-4864</cve>
<cve>CVE-2012-3144</cve>
<cve>CVE-2017-3317</cve>
<cve>CVE-2005-1636</cve>
<cve>CVE-2015-0441</cve>
<cve>CVE-2001-0407</cve>
<cve>CVE-2016-8286</cve>
<cve>CVE-2007-2692</cve>
<cve>CVE-2003-1480</cve>
<cve>CVE-2013-2392</cve>
<cve>CVE-2017-3641</cve>
<cve>CVE-2016-5631</cve>
<cve>CVE-2012-1690</cve>
<cve>CVE-2007-5646</cve>
<cve>CVE-2013-2375</cve>
<cve>CVE-2016-2105</cve>
<cve>CVE-2007-5925</cve>
<cve>CVE-2012-5612</cve>
<cve>CVE-2016-0502</cve>
<cve>CVE-2014-2442</cve>
<cve>CVE-2015-4858</cve>
<cve>CVE-2013-1548</cve>
<cve>CVE-2016-0606</cve>
<cve>CVE-2015-2576</cve>
<cve>CVE-2014-4287</cve>
<cve>CVE-2002-0969</cve>
<cve>CVE-2016-0640</cve>
<cve>CVE-2015-4737</cve>
<cve>CVE-2015-4771</cve>
<cve>CVE-2016-5439</cve>
<cve>CVE-1999-1188</cve>
<cve>CVE-2007-5970</cve>
<cve>CVE-2014-6530</cve>
<cve>CVE-2017-3652</cve>
<cve>CVE-2008-3963</cve>
<cve>CVE-2013-0383</cve>
<cve>CVE-2012-3166</cve>
<cve>CVE-2012-0491</cve>
<cve>CVE-2014-4214</cve>
<cve>CVE-2016-5625</cve>
<cve>CVE-2014-0433</cve>
<cve>CVE-2012-3149</cve>
<cve>CVE-2014-2436</cve>
<cve>CVE-2016-3501</cve>
<cve>CVE-2012-0578</cve>
<cve>CVE-2004-0956</cve>
<cve>CVE-2004-0835</cve>
<cve>CVE-2014-2419</cve>
<cve>CVE-2017-3635</cve>
<cve>CVE-2017-10155</cve>
<cve>CVE-2015-0500</cve>
<cve>CVE-2016-0651</cve>
<cve>CVE-2010-1849</cve>
<cve>CVE-2017-10313</cve>
<cve>CVE-2017-10276</cve>
<cve>CVE-2015-4802</cve>
<cve>CVE-2015-2641</cve>
<cve>CVE-2016-0597</cve>
<cve>CVE-2016-3492</cve>
<cve>CVE-2007-1420</cve>
<cve>CVE-2012-3177</cve>
<cve>CVE-2016-0662</cve>
<cve>CVE-2017-3646</cve>
<cve>CVE-2012-0485</cve>
<cve>CVE-2015-0511</cve>
<cve>CVE-2014-6507</cve>
<cve>CVE-2000-0148</cve>
<cve>CVE-2013-3802</cve>
<cve>CVE-2014-0427</cve>
<cve>CVE-2015-4830</cve>
<cve>CVE-2017-3291</cve>
<cve>CVE-2015-3194</cve>
<cve>CVE-2008-2079</cve>
<cve>CVE-2009-4028</cve>
<cve>CVE-2016-3486</cve>
<cve>CVE-2012-5383</cve>
<cve>CVE-2013-3793</cve>
<cve>CVE-2012-4452</cve>
<cve>CVE-2017-3257</cve>
<cve>CVE-2010-3683</cve>
<cve>CVE-2001-1453</cve>
<cve>CVE-2012-0496</cve>
<cve>CVE-2004-0457</cve>
<cve>CVE-2013-1531</cve>
<cve>CVE-2012-0116</cve>
<cve>CVE-2012-1689</cve>
<cve>CVE-2016-0639</cve>
<cve>CVE-2015-4807</cve>
<cve>CVE-2015-0505</cve>
<cve>CVE-2016-0656</cve>
<cve>CVE-2015-0381</cve>
<cve>CVE-2006-4380</cve>
<cve>CVE-2017-3460</cve>
<cve>CVE-2004-0381</cve>
<cve>CVE-2005-2572</cve>
<cve>CVE-2002-1373</cve>
<cve>CVE-2017-3305</cve>
<cve>CVE-2005-0710</cve>
<cve>CVE-2016-0667</cve>
<cve>CVE-2006-1516</cve>
<cve>CVE-2010-3677</cve>
<cve>CVE-2016-0546</cve>
<cve>CVE-2016-0600</cve>
<cve>CVE-2010-3835</cve>
<cve>CVE-2013-3807</cve>
<cve>CVE-2009-4484</cve>
<cve>CVE-2012-3160</cve>
<cve>CVE-2017-3454</cve>
<cve>CVE-2013-1570</cve>
<cve>CVE-2014-2430</cve>
<cve>CVE-2016-5444</cve>
<cve>CVE-2014-4258</cve>
<cve>CVE-2012-0572</cve>
<cve>CVE-2012-2750</cve>
<cve>CVE-2013-3798</cve>
<cve>CVE-2016-0611</cve>
<cve>CVE-2016-3424</cve>
<cve>CVE-2015-0423</cve>
<cve>CVE-2007-2691</cve>
<cve>CVE-2013-2391</cve>
<cve>CVE-2014-6464</cve>
<cve>CVE-2017-3465</cve>
<cve>CVE-2013-0371</cve>
<cve>CVE-2014-0384</cve>
<cve>CVE-2015-2575</cve>
<cve>CVE-2014-6568</cve>
<cve>CVE-2012-0583</cve>
<cve>CVE-2012-2102</cve>
<cve>CVE-2012-5611</cve>
<cve>CVE-2005-0799</cve>
<cve>CVE-2016-5630</cve>
<cve>CVE-2006-0903</cve>
<cve>CVE-2016-0605</cve>
<cve>CVE-2017-3640</cve>
<cve>CVE-2016-3452</cve>
<cve>CVE-2017-3251</cve>
<cve>CVE-2017-3651</cve>
<cve>CVE-2012-0490</cve>
<cve>CVE-2013-5894</cve>
<cve>CVE-2016-0596</cve>
<cve>CVE-2017-3634</cve>
<cve>CVE-2017-3459</cve>
<cve>CVE-2001-1255</cve>
<cve>CVE-2014-2435</cve>
<cve>CVE-2016-0650</cve>
<cve>CVE-2017-10379</cve>
<cve>CVE-2016-0616</cve>
<cve>CVE-2015-4905</cve>
<cve>CVE-2012-1703</cve>
<cve>CVE-2005-0709</cve>
<cve>CVE-2010-1848</cve>
<cve>CVE-2016-5624</cve>
<cve>CVE-2002-1809</cve>
<cve>CVE-2015-4792</cve>
<cve>CVE-2016-8327</cve>
<cve>CVE-2016-0661</cve>
<cve>CVE-2014-6469</cve>
<cve>CVE-2012-0484</cve>
<cve>CVE-2017-10286</cve>
<cve>CVE-2016-5635</cve>
<cve>CVE-2000-0981</cve>
<cve>CVE-2014-4207</cve>
<cve>CVE-2013-3801</cve>
<cve>CVE-2013-1502</cve>
<cve>CVE-2015-0439</cve>
<cve>CVE-2013-5767</cve>
<cve>CVE-2016-3615</cve>
<cve>CVE-2012-2749</cve>
<cve>CVE-2013-5908</cve>
<cve>CVE-2016-0644</cve>
<cve>CVE-2015-2617</cve>
<cve>CVE-2017-3645</cve>
<cve>CVE-2017-10165</cve>
<cve>CVE-2015-4879</cve>
<cve>CVE-2008-4098</cve>
<cve>CVE-2017-3273</cve>
<cve>CVE-2014-6551</cve>
<cve>CVE-2017-3256</cve>
<cve>CVE-2010-3682</cve>
<cve>CVE-2012-0495</cve>
<cve>CVE-2016-0655</cve>
<cve>CVE-2010-3840</cve>
<cve>CVE-2016-5629</cve>
<cve>CVE-2012-0115</cve>
<cve>CVE-2012-1688</cve>
<cve>CVE-2014-0437</cve>
<cve>CVE-2013-3812</cve>
<cve>CVE-2012-5627</cve>
<cve>CVE-2017-3639</cve>
<cve>CVE-2015-4769</cve>
<cve>CVE-2015-0391</cve>
<cve>CVE-2013-5860</cve>
<cve>CVE-2015-4730</cve>
<cve>CVE-2017-3600</cve>
<cve>CVE-2015-0374</cve>
<cve>CVE-2015-0411</cve>
<cve>CVE-2016-0666</cve>
<cve>CVE-2010-3676</cve>
<cve>CVE-2012-0489</cve>
<cve>CVE-2017-3529</cve>
<cve>CVE-2010-3834</cve>
<cve>CVE-2013-3806</cve>
<cve>CVE-2016-8290</cve>
<cve>CVE-2016-0649</cve>
<cve>CVE-2015-2639</cve>
<cve>CVE-2014-4274</cve>
<cve>CVE-2017-3453</cve>
<cve>CVE-2016-5443</cve>
<cve>CVE-2009-2446</cve>
<cve>CVE-2015-0385</cve>
<cve>CVE-2006-2753</cve>
<cve>CVE-2016-3440</cve>
<cve>CVE-2013-1552</cve>
<cve>CVE-2016-0610</cve>
<cve>CVE-2015-4862</cve>
<cve>CVE-2015-0405</cve>
<cve>CVE-2016-8284</cve>
<cve>CVE-2015-4890</cve>
<cve>CVE-2014-6463</cve>
<cve>CVE-2017-3464</cve>
<cve>CVE-2016-6664</cve>
<cve>CVE-2014-2440</cve>
<cve>CVE-2014-6500</cve>
<cve>CVE-2016-5612</cve>
<cve>CVE-2017-10384</cve>
<cve>CVE-2014-0420</cve>
<cve>CVE-2015-4910</cve>
<cve>CVE-2013-5882</cve>
<cve>CVE-2015-4752</cve>
<cve>CVE-2017-3309</cve>
<cve>CVE-2016-5437</cve>
<cve>CVE-2015-0433</cve>
<cve>CVE-2015-2611</cve>
<cve>CVE-2010-3839</cve>
<cve>CVE-2006-3081</cve>
<cve>CVE-2014-6491</cve>
<cve>CVE-2014-6474</cve>
<cve>CVE-2017-3650</cve>
<cve>CVE-2014-2451</cve>
<cve>CVE-2016-0595</cve>
<cve>CVE-2017-3633</cve>
<cve>CVE-2017-3458</cve>
<cve>CVE-2014-0431</cve>
<cve>CVE-2012-3147</cve>
<cve>CVE-2014-2434</cve>
<cve>CVE-2015-2568</cve>
<cve>CVE-2017-10378</cve>
<cve>CVE-2015-4904</cve>
<cve>CVE-2015-4800</cve>
<cve>CVE-2012-1702</cve>
<cve>CVE-2017-10311</cve>
<cve>CVE-2013-3839</cve>
<cve>CVE-2016-8289</cve>
<cve>CVE-2014-4240</cve>
<cve>CVE-2015-4791</cve>
<cve>CVE-2017-3244</cve>
<cve>CVE-2013-2395</cve>
<cve>CVE-2015-4895</cve>
<cve>CVE-2016-5634</cve>
<cve>CVE-2012-0120</cve>
<cve>CVE-2013-0375</cve>
<cve>CVE-2013-2378</cve>
<cve>CVE-2012-3158</cve>
<cve>CVE-2014-6505</cve>
<cve>CVE-2017-10268</cve>
<cve>CVE-2012-5615</cve>
<cve>CVE-2016-0505</cve>
<cve>CVE-2016-0643</cve>
<cve>CVE-2016-3614</cve>
<cve>CVE-2015-0438</cve>
<cve>CVE-2016-0609</cve>
<cve>CVE-2015-4757</cve>
<cve>CVE-2017-3644</cve>
<cve>CVE-2008-4097</cve>
<cve>CVE-2016-7440</cve>
<cve>CVE-2014-6496</cve>
<cve>CVE-2006-3486</cve>
<cve>CVE-2013-1492</cve>
<cve>CVE-2015-2661</cve>
<cve>CVE-2016-3521</cve>
<cve>CVE-2010-3681</cve>
<cve>CVE-2017-10296</cve>
<cve>CVE-2006-3469</cve>
<cve>CVE-2013-2389</cve>
<cve>CVE-2012-0494</cve>
<cve>CVE-2016-5628</cve>
<cve>CVE-2017-3638</cve>
<cve>CVE-2012-0114</cve>
<cve>CVE-2013-0386</cve>
<cve>CVE-2013-1512</cve>
<cve>CVE-2016-3588</cve>
<cve>CVE-2017-3238</cve>
<cve>CVE-2013-3811</cve>
<cve>CVE-2016-0654</cve>
<cve>CVE-2016-5507</cve>
<cve>CVE-2017-10279</cve>
<cve>CVE-2015-0503</cve>
<cve>CVE-2012-5096</cve>
<cve>CVE-2016-3495</cve>
<cve>CVE-2017-3320</cve>
<cve>CVE-2012-3197</cve>
<cve>CVE-2014-2484</cve>
<cve>CVE-2008-0226</cve>
<cve>CVE-2011-5049</cve>
<cve>CVE-2016-0665</cve>
<cve>CVE-2017-3649</cve>
<cve>CVE-2012-0488</cve>
<cve>CVE-2013-1523</cve>
<cve>CVE-2016-0648</cve>
<cve>CVE-2010-3833</cve>
<cve>CVE-2012-1735</cve>
<cve>CVE-2013-3805</cve>
<cve>CVE-2013-1506</cve>
<cve>CVE-2015-4833</cve>
<cve>CVE-2015-4816</cve>
<cve>CVE-2018-2767</cve>
<cve>CVE-2018-3054</cve>
<cve>CVE-2018-3056</cve>
<cve>CVE-2018-3058</cve>
<cve>CVE-2018-3060</cve>
<cve>CVE-2018-3061</cve>
<cve>CVE-2018-3062</cve>
<cve>CVE-2018-3063</cve>
<cve>CVE-2018-3064</cve>
<cve>CVE-2018-3065</cve>
<cve>CVE-2018-3066</cve>
<cve>CVE-2018-3067</cve>
<cve>CVE-2018-3070</cve>
<cve>CVE-2018-3073</cve>
<cve>CVE-2018-3074</cve>
<cve>CVE-2018-3075</cve>
<cve>CVE-2018-3077</cve>
<cve>CVE-2018-3078</cve>
<cve>CVE-2018-3079</cve>
<cve>CVE-2018-3080</cve>
<cve>CVE-2018-3082</cve>
<cve>CVE-2018-3084</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
Original suppression as per #946 suppressed individual CVEs.
As per false negative #4085 Postgresql JDBC driver has two CPEs of its own, so it's proper to suppress the server CPE
NOTE: the additional colon in the CPE is required to not match on prefix with cpe:/a:postgresql:postgresql_jdbc_driver
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.postgresql/postgresql@.*$</packageUrl>
<cpe>cpe:/a:postgresql:postgresql:</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #947 - instead of suppressing the whole thing, we will just
suppress specific CVE that are for the server
]]></notes>
<gav regex="true">^com\.microsoft\.sqlserver:(sqljdbc4|mssql-jdbc):.*$</gav>
<cve>CVE-2000-1081</cve>
<cve>CVE-2004-1560</cve>
<cve>CVE-2000-1083</cve>
<cve>CVE-2000-1085</cve>
<cve>CVE-2009-2503</cve>
<cve>CVE-2000-1087</cve>
<cve>CVE-2002-1123</cve>
<cve>CVE-2002-0057</cve>
<cve>CVE-2009-2501</cve>
<cve>CVE-2001-0542</cve>
<cve>CVE-2001-0344</cve>
<cve>CVE-2000-0654</cve>
<cve>CVE-2009-2528</cve>
<cve>CVE-2014-1820</cve>
<cve>CVE-1999-0999</cve>
<cve>CVE-2002-0859</cve>
<cve>CVE-2012-2552</cve>
<cve>CVE-2016-7249</cve>
<cve>CVE-2016-7250</cve>
<cve>CVE-2016-7252</cve>
<cve>CVE-2014-4061</cve>
<cve>CVE-2016-7254</cve>
<cve>CVE-2008-0086</cve>
<cve>CVE-2008-3013</cve>
<cve>CVE-2009-3126</cve>
<cve>CVE-2008-3015</cve>
<cve>CVE-2008-5416</cve>
<cve>CVE-2003-0231</cve>
<cve>CVE-2002-0187</cve>
<cve>CVE-2008-0106</cve>
<cve>CVE-2002-1872</cve>
<cve>CVE-2002-0641</cve>
<cve>CVE-2002-0224</cve>
<cve>CVE-2002-1138</cve>
<cve>CVE-2002-0643</cve>
<cve>CVE-2000-0202</cve>
<cve>CVE-2000-0402</cve>
<cve>CVE-2002-0624</cve>
<cve>CVE-2002-0645</cve>
<cve>CVE-2002-0649</cve>
<cve>CVE-2007-4814</cve>
<cve>CVE-2007-5090</cve>
<cve>CVE-2015-1761</cve>
<cve>CVE-2011-1280</cve>
<cve>CVE-2017-8516</cve>
<cve>CVE-2015-1763</cve>
<cve>CVE-2000-1082</cve>
<cve>CVE-2009-2500</cve>
<cve>CVE-2000-1084</cve>
<cve>CVE-2009-2502</cve>
<cve>CVE-2000-1086</cve>
<cve>CVE-2002-0154</cve>
<cve>CVE-2002-1145</cve>
<cve>CVE-2000-1088</cve>
<cve>CVE-2000-0199</cve>
<cve>CVE-2002-0056</cve>
<cve>CVE-2012-0158</cve>
<cve>CVE-2009-2504</cve>
<cve>CVE-2002-0650</cve>
<cve>CVE-2002-1981</cve>
<cve>CVE-2001-0509</cve>
<cve>CVE-2016-7251</cve>
<cve>CVE-2016-7253</cve>
<cve>CVE-2008-0085</cve>
<cve>CVE-2008-3012</cve>
<cve>CVE-2008-3014</cve>
<cve>CVE-1999-1556</cve>
<cve>CVE-2003-0230</cve>
<cve>CVE-2002-0186</cve>
<cve>CVE-2003-0232</cve>
<cve>CVE-2015-1762</cve>
<cve>CVE-2008-0107</cve>
<cve>CVE-2002-0982</cve>
<cve>CVE-2002-1137</cve>
<cve>CVE-2002-0642</cve>
<cve>CVE-2002-0721</cve>
<cve>CVE-2002-0644</cve>
<cve>CVE-2000-0485</cve>
<cve>CVE-2012-1856</cve>
<cve>CVE-2000-0603</cve>
<cve>CVE-2001-0879</cve>
<cve>CVE-2002-0729</cve>
<cve>CVE-2007-5348</cve>
<cve>CVE-2008-4110</cve>
<cve>CVE-2019-1068</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #1662
]]></notes>
<gav regex="true">^net\.sourceforge\.jtds:jtds:.*$</gav>
<cpe>cpe:/a:microsoft:sql_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #999 - instead of suppressing the whole thing, we will just
suppress specific CVE that are for the server. Added CVEs per #2863.
]]></notes>
<gav regex="true">^org\.mariadb\.jdbc:mariadb-java-client:.*$</gav>
<cve>CVE-2017-15365</cve>
<cve>CVE-2017-15945</cve>
<cve>CVE-2016-5440</cve>
<cve>CVE-2016-5584</cve>
<cve>CVE-2014-6500</cve>
<cve>CVE-2016-5444</cve>
<cve>CVE-2014-6555</cve>
<cve>CVE-2016-0597</cve>
<cve>CVE-2016-5625</cve>
<cve>CVE-2014-6559</cve>
<cve>CVE-2016-0655</cve>
<cve>CVE-2016-5627</cve>
<cve>CVE-2016-5629</cve>
<cve>CVE-2012-5627</cve>
<cve>CVE-2016-3492</cve>
<cve>CVE-2016-6663</cve>
<cve>CVE-2016-3452</cve>
<cve>CVE-2016-5630</cve>
<cve>CVE-2016-5632</cve>
<cve>CVE-2017-3302</cve>
<cve>CVE-2016-3477</cve>
<cve>CVE-2016-0641</cve>
<cve>CVE-2014-6464</cve>
<cve>CVE-2012-5611</cve>
<cve>CVE-2016-0666</cve>
<cve>CVE-2012-5613</cve>
<cve>CVE-2016-0668</cve>
<cve>CVE-2012-5615</cve>
<cve>CVE-2016-0505</cve>
<cve>CVE-2016-0649</cve>
<cve>CVE-2016-0647</cve>
<cve>CVE-2014-6507</cve>
<cve>CVE-2016-0609</cve>
<cve>CVE-2016-5634</cve>
<cve>CVE-2016-0643</cve>
<cve>CVE-2016-7440</cve>
<cve>CVE-2014-6494</cve>
<cve>CVE-2015-3152</cve>
<cve>CVE-2014-6496</cve>
<cve>CVE-2016-0650</cve>
<cve>CVE-2016-0596</cve>
<cve>CVE-2016-0598</cve>
<cve>CVE-2016-0610</cve>
<cve>CVE-2016-5626</cve>
<cve>CVE-2012-4414</cve>
<cve>CVE-2016-5507</cve>
<cve>CVE-2016-5609</cve>
<cve>CVE-2016-0616</cve>
<cve>CVE-2016-5628</cve>
<cve>CVE-2016-3521</cve>
<cve>CVE-2016-6662</cve>
<cve>CVE-2016-3495</cve>
<cve>CVE-2016-6664</cve>
<cve>CVE-2016-5631</cve>
<cve>CVE-2016-2047</cve>
<cve>CVE-2016-5612</cve>
<cve>CVE-2016-0640</cve>
<cve>CVE-2012-2122</cve>
<cve>CVE-2016-3459</cve>
<cve>CVE-2012-5612</cve>
<cve>CVE-2016-0644</cve>
<cve>CVE-2012-5614</cve>
<cve>CVE-2014-0001</cve>
<cve>CVE-2016-0546</cve>
<cve>CVE-2013-1861</cve>
<cve>CVE-2016-0600</cve>
<cve>CVE-2016-0606</cve>
<cve>CVE-2016-0646</cve>
<cve>CVE-2016-0608</cve>
<cve>CVE-2016-0648</cve>
<cve>CVE-2016-3615</cve>
<cve>CVE-2016-5635</cve>
<cve>CVE-2016-5633</cve>
<cve>CVE-2014-6469</cve>
<cve>CVE-2014-6491</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #943
]]></notes>
<gav regex="true">^cn\.guoyukun\.jdbc:db2jcc_license_cu:.*$</gav>
<cpe>cpe:/a:ibm:db2</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #943 - instead of suppressing the whole thing, we will just
suppress specific CVE that are for the server
]]></notes>
<gav regex="true">^cn\.guoyukun\.jdbc:db2jcc:.*$</gav>
<cve>CVE-2007-2582</cve>
<cve>CVE-2012-2194</cve>
<cve>CVE-2008-0696</cve>
<cve>CVE-2009-4327</cve>
<cve>CVE-2013-3475</cve>
<cve>CVE-2009-1239</cve>
<cve>CVE-2014-6159</cve>
<cve>CVE-2010-3740</cve>
<cve>CVE-2012-3324</cve>
<cve>CVE-2012-0711</cve>
<cve>CVE-2017-1519</cve>
<cve>CVE-2015-1935</cve>
<cve>CVE-2009-4330</cve>
<cve>CVE-2014-3095</cve>
<cve>CVE-2009-4334</cve>
<cve>CVE-2005-4870</cve>
<cve>CVE-2010-3193</cve>
<cve>CVE-2013-4033</cve>
<cve>CVE-2008-6820</cve>
<cve>CVE-2016-5995</cve>
<cve>CVE-2009-4438</cve>
<cve>CVE-2010-3197</cve>
<cve>CVE-2015-0157</cve>
<cve>CVE-2007-1228</cve>
<cve>CVE-2017-1105</cve>
<cve>CVE-2012-2180</cve>
<cve>CVE-2010-3734</cve>
<cve>CVE-2010-3738</cve>
<cve>CVE-2012-0709</cve>
<cve>CVE-2008-4691</cve>
<cve>CVE-2009-3473</cve>
<cve>CVE-2017-1150</cve>
<cve>CVE-2008-2154</cve>
<cve>CVE-2014-6210</cve>
<cve>CVE-2007-3676</cve>
<cve>CVE-2008-0697</cve>
<cve>CVE-2009-4328</cve>
<cve>CVE-2012-0712</cve>
<cve>CVE-2009-4331</cve>
<cve>CVE-2009-4335</cve>
<cve>CVE-2005-4871</cve>
<cve>CVE-2010-3194</cve>
<cve>CVE-2008-6821</cve>
<cve>CVE-2009-4439</cve>
<cve>CVE-2008-3958</cve>
<cve>CVE-2012-1796</cve>
<cve>CVE-2010-3731</cve>
<cve>CVE-2009-1905</cve>
<cve>CVE-2011-0731</cve>
<cve>CVE-2014-4805</cve>
<cve>CVE-2010-3735</cve>
<cve>CVE-2015-1922</cve>
<cve>CVE-2014-0907</cve>
<cve>CVE-2008-4692</cve>
<cve>CVE-2009-2860</cve>
<cve>CVE-2003-1051</cve>
<cve>CVE-2009-4325</cve>
<cve>CVE-2006-4257</cve>
<cve>CVE-2012-2196</cve>
<cve>CVE-2017-1451</cve>
<cve>CVE-2008-0698</cve>
<cve>CVE-2009-4329</cve>
<cve>CVE-2013-6744</cve>
<cve>CVE-2008-1966</cve>
<cve>CVE-2011-1373</cve>
<cve>CVE-2005-4869</cve>
<cve>CVE-2016-0211</cve>
<cve>CVE-2017-1434</cve>
<cve>CVE-2010-1560</cve>
<cve>CVE-2011-4061</cve>
<cve>CVE-2014-8910</cve>
<cve>CVE-2012-0713</cve>
<cve>CVE-2017-1438</cve>
<cve>CVE-2017-1297</cve>
<cve>CVE-2009-4332</cve>
<cve>CVE-2005-2073</cve>
<cve>CVE-2010-3195</cve>
<cve>CVE-2017-1520</cve>
<cve>CVE-2013-5466</cve>
<cve>CVE-2008-1998</cve>
<cve>CVE-2009-2858</cve>
<cve>CVE-2008-3959</cve>
<cve>CVE-2012-1797</cve>
<cve>CVE-2010-3732</cve>
<cve>CVE-2014-6209</cve>
<cve>CVE-2009-1906</cve>
<cve>CVE-2012-4826</cve>
<cve>CVE-2010-3736</cve>
<cve>CVE-2011-0757</cve>
<cve>CVE-2011-1846</cve>
<cve>CVE-2007-5090</cve>
<cve>CVE-2010-3474</cve>
<cve>CVE-2013-6717</cve>
<cve>CVE-2009-3471</cve>
<cve>CVE-2008-4693</cve>
<cve>CVE-2007-5652</cve>
<cve>CVE-2003-1052</cve>
<cve>CVE-2009-4326</cve>
<cve>CVE-2017-1452</cve>
<cve>CVE-2012-2197</cve>
<cve>CVE-2008-0699</cve>
<cve>CVE-2010-0472</cve>
<cve>CVE-2017-1439</cve>
<cve>CVE-2012-0710</cve>
<cve>CVE-2014-0919</cve>
<cve>CVE-2009-4150</cve>
<cve>CVE-2014-3094</cve>
<cve>CVE-2009-4333</cve>
<cve>CVE-2013-4032</cve>
<cve>CVE-2010-3196</cve>
<cve>CVE-2007-1027</cve>
<cve>CVE-2015-1883</cve>
<cve>CVE-2014-8901</cve>
<cve>CVE-2010-3475</cve>
<cve>CVE-2010-0462</cve>
<cve>CVE-2009-2859</cve>
<cve>CVE-2010-3733</cve>
<cve>CVE-2010-3737</cve>
<cve>CVE-2011-1847</cve>
<cve>CVE-2009-3472</cve>
<cve>CVE-2014-6097</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1191
]]></notes>
<gav regex="true">^org\.xerial:sqlite-jdbc:.*$</gav>
<cve>CVE-2016-6153</cve>
<cve>CVE-2017-10989</cve>
<cve>CVE-2018-8740</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive on io.gitlab.arturbosch caused by cpe:/a:gitlab
]]></notes>
<gav regex="true">^io\.gitlab\.arturbosch\.detekt:detekt-.+:.*$</gav>
<cpe>cpe:/a:gitlab:gitlab</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #2721 on org.bouncycastle:bcpg-jdk15on
caused by cpe:/a:openpgp:openpgp, cpe:/a:pgp:openpgp and cpe:/a:pgp:pgp
]]></notes>
<gav regex="true">^org\.bouncycastle:bcpg-jdk15on:.*$</gav>
<cpe>cpe:/a:openpgp:openpgp</cpe>
<cpe>cpe:/a:pgp:openpgp</cpe>
<cpe>cpe:/a:pgp:pgp</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #2721 on name.neuhalfen.projects.crypto.bouncycastle.openpgp:bouncy-gpg
caused by cpe:/a:gpg-pgp_project::gpg-pgp and cpe:/a:openpgp:openpgp
]]></notes>
<gav regex="true">^name\.neuhalfen\.projects\.crypto\.bouncycastle\.openpgp:bouncy-gpg:.*$</gav>
<cpe>cpe:/a:gpg-pgp_project::gpg-pgp</cpe>
<cpe>cpe:/a:openpgp:openpgp</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per #1749
JCraft's agentproxy is a proxy to ssh-agent and Pageant, not the pure-Java SSH2 implementation Jsch
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.jcraft/jsch\.agentproxy.*$</packageUrl>
<cpe>cpe:/a:jcraft:jsch</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #2977 on org.infinispan.protostream:protostream
false positive per #3766 on org.infinispan.protostream:protostream-types
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.infinispan\.protostream/protostream.*$</packageUrl>
<cpe>cpe:/a:infinispan:infinispan</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #3026 on io.hawtio.hawtio-wildfly
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.hawt/hawtio\-wildfly@.*$</packageUrl>
<cpe>cpe:/a:hawt:hawtio</cpe>
<cpe>cpe:/a:hawt.io:hawtio</cpe>
<cpe>cpe:/a:redhat:wildfly</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #3170 ant-contrib is not the Tasks Android app
]]></notes>
<packageUrl regex="true">^pkg:maven/ant\-contrib/ant\-contrib@.*$</packageUrl>
<cpe>cpe:/a:tasks:tasks</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #3151
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel\-hazelcast@.*$</packageUrl>
<cpe>cpe:/a:hazelcast:hazelcast</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #3185 spotify docker-client library is neither docker nor spotify
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.spotify/docker\-client@.*$</packageUrl>
<cpe>cpe:/a:docker:docker</cpe>
<cpe>cpe:/a:spotify:spotify</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #3132 Play WS Standalone (https://github.com/playframework/play-ws) is not the Play framework (https://github.com/playframework/playframework)
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.typesafe\.play/play\-.*ws\-standalone.*@.*$</packageUrl>
<cpe>cpe:/a:playframework:play_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #3066 on mybatis-spring-boot-starter
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mybatis\.spring\.boot/mybatis\-spring\-boot.*$</packageUrl>
<cpe>cpe:/a:mybatis:mybatis</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #3271 on org.apache.sis.storage
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.sis\.storage/sis\-.*$</packageUrl>
<cpe>cpe:/a:storage_project:storage</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #3285 on com.amazonaws:aws-java-sdk-eks
generalized for #3531: if it's not in the io.kubernetes maven group it's not the kubernetes java client
]]></notes>
<packageUrl regex="true">^pkg:maven/(?!io.kubernetes).*/.*@.*$</packageUrl>
<cpe>cpe:/a:kubernetes:java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: openshift-model-clusterautoscaling-5.5.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.fabric8/openshift\-model\-clusterautoscaling@.*$</packageUrl>
<cpe>cpe:/a:redhat:cluster_project</cpe>
<cpe>cpe:/a:redhat:mod_cluster</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: openshift-model-machineconfig-5.5.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.fabric8/openshift\-model\-machineconfig@.*$</packageUrl>
<cpe>cpe:/a:redhat:machine-config-operator</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #3284 on com.amazonaws:aws-java-sdk-storagegateway
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.amazonaws/aws\-java\-sdk\-storagegateway@.*$</packageUrl>
<cpe>cpe:/a:storage_project:storage</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #3283 on com.amazonaws:aws-java-sdk-sagemakerruntime
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.amazonaws/aws\-java\-sdk\-sagemakerruntime@.*$</packageUrl>
<cpe>cpe:/a:sage:sage</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #3282 on org.mybatis.generator:mybatis-generator-core
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mybatis\.generator/mybatis\-generator\-core@.*$</packageUrl>
<cpe>cpe:/a:mybatis:mybatis</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #3298 on org.wildfly.core:wildfly-protocol-15.0.0.Final
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly\.core/wildfly\-protocol@.*$</packageUrl>
<cpe>cpe:/a:redhat:wildfly</cpe>
<cpe>cpe:/a:redhat:wildfly_core</cpe>
<cpe>cpe:/a:wildfly:wildfly</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #3825
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.hibernate/quarkus\-local\-cache@.*$</packageUrl>
<cpe>cpe:/a:hibernate:hibernate_orm</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #3301 on org.owasp:csrfguard-jsp-tags.4.0.0
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.owasp/csrfguard\-.*$</packageUrl>
<cpe>cpe:/a:php:com_extensions</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
As per #3270 groupIds io.quarkus.security, io.quarkus.http and io.quarkus.gizmo have their own CPE and are not linked to the main quarkus:quarkus CPE
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.quarkus\.(security|gizmo|http)/.*$</packageUrl>
<cpe>cpe:/a:quarkus:quarkus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #3823 - broadened regex to match any groupId that's not in the io.quarkus space
]]></notes>
<gav regex="true">^(?!(io\.quarkus)).*:.*quarkus.*$</gav>
<cpe>cpe:/a:quarkus:quarkus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
As per #3824 quarkus-jdbc-postgesql wrongly detected as cpe postgreSQL
Oracle and MySQL jdbc connector projects are affected by a similar problem
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus-jdbc-.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
<cpe>cpe:/a:oracle:jdbc</cpe>
<cpe>cpe:/a:postgresql:postgresql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per 3826, 4467; quarkus component falsely flagged as redhat resteasy product
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.quarkus.*/.*resteasy.*@.*$</packageUrl>
<cpe>cpe:/a:redhat:resteasy</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #3350 on org.apache.xmlgraphics:batik-i18n.1.14 CVE is for C#
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.xmlgraphics/batik\-i18n@.*$</packageUrl>
<cpe>cpe:/a:apache:batik</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Library related to prometheus is being flagged as prometheus itself (#3470)
]]></notes>
<packageUrl regex="true">^pkg:maven\/com\.github\.anti-social[.\/]prometheus-kt.*$</packageUrl>
<cpe>cpe:/a:prometheus:prometheus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Oracle JDBC drivers are not the database server
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.oracle\.database\.jdbc/.*@.*$</packageUrl>
<cpe>cpe:/a:oracle:database</cpe>
<cpe>cpe:/a:oracle:oracle_database</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Oracle JDBC drivers are not the database server
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.oracle\.database\.security/.*@.*$</packageUrl>
<cpe>cpe:/a:oracle:database</cpe>
<cpe>cpe:/a:oracle:oracle_database</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Oracle JDBC drivers are not the database server
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.oracle\.database\.ha/.*@.*$</packageUrl>
<cpe>cpe:/a:oracle:database</cpe>
<cpe>cpe:/a:oracle:oracle_database</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses all artifacts of Pivotal java-cfenv modules #3480
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.pivotal\.cfenv/.*@.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_boot</cpe>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
See issue #3384
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.qameta\.allure/allure\-httpclient@.*$</packageUrl>
<cpe>cpe:/a:apache:httpclient</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: google-http-client-apache-v2-1.39.2.jar Issue #3348
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.http\-client/google\-http\-client\-apache\-v2@.*$</packageUrl>
<cpe>cpe:/a:apache:httpclient</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP CPE match triggered by the hint for issue #3337
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.adobe\.aem/uber\-jar@.*$</packageUrl>
<cpe>cpe:/a:adobe:experience_manager_forms</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false CPE for mssql-on-azure backend for django #3500
]]></notes>
<packageUrl regex="true">^pkg:pypi/mssql\-django@.*$</packageUrl>
<cpe>cpe:/a:django_project:django</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: fast-uuid-0.1.jar #3336
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.eatthepath/fast\-uuid@.*$</packageUrl>
<cpe>cpe:/a:fast_ber_project:fast_ber</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: logback-elasticsearch-appender-1.6.jar #3549
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.internetitem/logback\-elasticsearch\-appender@.*$</packageUrl>
<cpe>cpe:/a:elasticsearch:elasticsearch</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
xercesImpl-2.12.1.jar as matched by Central Search in the CLI hits a FP CPE match #3253
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.exist\-db\.thirdparty\.xerces/xercesImpl@.*$</packageUrl>
<cpe>cpe:/a:exist-db:exist</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
several python-* PyPI packages hit a FP CPE match #3233 & #3017 & #5335
as Python itself is not a PyPI package suppress it with a broad regex
]]></notes>
<packageUrl regex="true">^pkg:pypi/.*python\-.*$</packageUrl>
<cpe>cpe:/a:python:python</cpe>
<cpe>cpe:/a:python_software_foundation:python</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
python-keycloak gets mistaken for the keycloak cpe #3017
]]></notes>
<packageUrl regex="true">^pkg:pypi/python\-keycloak@.*$</packageUrl>
<cpe>cpe:/a:keycloak:keycloak</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
The sonar java analyzer is a separate project from the SonarQube server project #3086
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.sonarsource\.java/.*$</packageUrl>
<cpe>cpe:/a:sonarsource:sonarqube</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Struts annotations is not the struts framework, but a separately versions annotations API library #3088
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-annotations@.*$</packageUrl>
<cpe>cpe:/a:apache:struts</cpe>
</suppress>
<!-- begin cpan support-->
<suppress base="true">
<notes><![CDATA[
broad suppressions for all cpan
]]></notes>
<packageUrl regex="true">^pkg:cpan/.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
<cpe>cpe:/a:next:next</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
broad suppressions for all cpan
]]></notes>
<packageUrl regex="true">^pkg:cpan/(?!perl@).*$</packageUrl>
<cpe>cpe:/a:perl:perl</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: 'Catmandu::Store::ElasticSearch', '0.0507'
]]></notes>
<packageUrl regex="true">^pkg:cpan/Catmandu%3A%3AStore/ElasticSearch@.*$</packageUrl>
<cpe>cpe:/a:elastic:elasticsearch</cpe>
<cpe>cpe:/a:elasticsearch:elasticsearch</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: 'DateTime::Format::MySQL', '0.04'
]]></notes>
<packageUrl regex="true">^pkg:cpan/DateTime%3A%3AFormat/MySQL@.*$</packageUrl>
<cpe>cpe:/a:www-sql_project:www-sql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: 'MARC::File::XML', '1.0.1'
]]></notes>
<packageUrl regex="true">^pkg:cpan/MARC%3A%3AFile.*$</packageUrl>
<cpe>cpe:/a:file_project:file</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: 'File::Spec', '0'
]]></notes>
<packageUrl regex="true">^pkg:cpan/(IO%3A%3A)?File.*$</packageUrl>
<cpe>cpe:/a:file_project:file</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: 'SQL::Abstract', '0'
]]></notes>
<packageUrl regex="true">^pkg:cpan/SQL/.*$</packageUrl>
<cpe>cpe:/a:www-sql_project:www-sql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: 'DBIx::Class::InflateColumn::DateTime', '0'
]]></notes>
<packageUrl regex="true">^pkg:cpan/.*DateTime.*$</packageUrl>
<cpe>cpe:/a:time_project:time</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: 'Dist::Zilla::Plugin::Git::NextVersion', '1.120370'
]]></notes>
<packageUrl regex="true">^pkg:cpan/Dist%3A%3AZilla%3A%3APlugin%3A%3AGit.*$</packageUrl>
<cpe>cpe:/a:git_project:git</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: 'Net::SSH2', '0.70'
]]></notes>
<packageUrl regex="true">^pkg:cpan/Net/SSH2@.*$</packageUrl>
<cpe>cpe:/a:ssh:ssh</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: 'Facebook::Graph', '0'
]]></notes>
<packageUrl regex="true">^pkg:cpan/(Net%3A%3A)?Facebook.*$</packageUrl>
<cve>CVE-2008-0660</cve>
<cve>CVE-2014-6392</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive as per #3594
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.nimbusds/lang\-tag@.*$</packageUrl>
<cpe>cpe:/a:nim-lang:nim-lang</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: hive-storage-api-2.8.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hive/hive\-storage\-api@.*$</packageUrl>
<cve>CVE-2020-13949</cve>
</suppress>
<!-- end cpan support -->
<suppress base="true">
<notes><![CDATA[
False positive as per #3790
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j\-api\-kotlin@.*$</packageUrl>
<cpe>cpe:/a:apache:log4j</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive as per #3715
]]></notes>
<packageUrl regex="true">^pkg:maven/javax\.xml\.crypto/jsr105-api@.*$</packageUrl>
<cpe>cpe:/a:apache:xml_security_for_java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3842 nginx-clojure is not part of the nginx project, but an external clojure module for it
]]></notes>
<packageUrl regex="true">^pkg:maven/nginx\-clojure/nginx\-clojure@.*$</packageUrl>
<cpe>cpe:/a:nginx:nginx</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive as per #3868
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j\-to\-slf4j@.*$</packageUrl>
<cpe>cpe:/a:apache:log4j</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3889
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative\-classes@.*$</packageUrl>
<cpe>cpe:/a:netty:netty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3830 - as the netty incubator projects are separate from the mainline of netty
it can be assumed that NVD will assign a separate CPE if there is ever a CVE registered
for an incubator project.
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty\.incubator/.*$</packageUrl>
<cpe>cpe:/a:netty:netty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP because reactor-kafka from version 1.3.2 updated the kafka-clients dependency to version 2.6.1
which does apply to the CVE
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.projectreactor\.kafka/reactor\-kafka@[1-9]+?[\.]+(((([4-9]+)|[0-9]{2,3}?)+[\.]+[0-9]{1,3}?)|([3\.]+([2-9]|[1-9]+[0-9]+?)))+(.*)$</packageUrl>
<cpe>cpe:/a:apache:kafka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive as per #4077
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.itextpdf/pdfrender@.*$</packageUrl>
<cpe>cpe:/a:itextpdf:itext</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/annotations\-api@.*$</packageUrl>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4129
]]></notes>
<packageUrl regex="true">^pkg:maven/jakarta\.ws\.rs/jakarta\.ws\.rs-api@.*$</packageUrl>
<cpe>cpe:/a:oracle:java_se</cpe>
<cpe>cpe:/a:oracle:web_services</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4131
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graylog2/gelfclient@.*$</packageUrl>
<cpe>cpe:/a:graylog:graylog</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4133
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mariadb\.jdbc/mariadb-java-client@.*$</packageUrl>
<cpe>cpe:/a:mariadb:mariadb</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4135
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse/yasson@.*$</packageUrl>
<cpe>cpe:/a:oracle:projects</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4140, 4256
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.aspectj/aspectj.*@.*$</packageUrl>
<cpe>cpe:/a:vmware:tools</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4149
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka-log4j-appender@.*$</packageUrl>
<cpe>cpe:/a:apache:log4j</cpe>
<cpe>cpe:/a:apache:kafka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4156
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.lightbend\.akka\.management/akka-management-cluster-bootstrap_2\.13@.*$</packageUrl>
<cpe>cpe:/a:akka:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4154, #4776
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty-tcnative-boringssl-static@.*$</packageUrl>
<cpe>cpe:/a:chromium:chromium</cpe>
<cpe>cpe:/a:chromium_project:chromium</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppress many FPs in apache projects that have james in the (developer) evidences now triggering apache james
#4123, #4128, #4132, #4136, #4137, #4138, #4145, #4146
]]></notes>
<packageUrl regex="true">^pkg:maven/(?!org\.apache\.james/).*$</packageUrl>
<cpe>cpe:/a:apache:james</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP because cpe make reference to a GO library
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.ibm\.etcd/etcd\-java@.*$</packageUrl>
<cpe>cpe:/a:etcd:etcd</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Supress FP in cryptomator libraries, because linked CVE-2022-25366 only affects end user application. (#4177)
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.cryptomator/(?!cryptomator).*$</packageUrl>
<cpe>cpe:/a:cryptomator:cryptomator</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP because quarkus-apache-httpclient is a wrapper of apache-httpclient with different version as per #4217
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus\-apache\-httpclient@.*$</packageUrl>
<cpe>cpe:/a:apache:httpclient</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4219
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.github\.blagerweij/liquibase-sessionlock@.*$</packageUrl>
<cpe>cpe:/a:liquibase:liquibase</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
org.apache.james:apache-mime4j and apache-mime4j-* FPs #3987 #4842
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.james/apache\-mime4j(\-.+)?@.*$</packageUrl>
<cpe>cpe:/a:apache:james:</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
log4cats-core_2.13-2.2.0.jar FPs #4295
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.typelevel/log4cats\-core_2\.13@.*$</packageUrl>
<cpe>cpe:/a:davenport:davenport</cpe>
<cpe>cpe:/a:protonmail:protonmail</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP CPE match per #4289
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.bouncycastle/bc\-fips@.*$</packageUrl>
<cpe>cpe:/a:bouncycastle:legion-of-the-bouncy-castle:</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4239 - jackson-jaxrs (jackson-jaxrs-json-provider) is not jackson-databind
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-jaxrs@.*$</packageUrl>
<cpe>cpe:/a:fasterxml:jackson-databind</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4228
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.minio/minio@.*$</packageUrl>
<cpe>cpe:/a:minio:minio</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4227 simple-xml-safe is a security-patched fork of the unmaintained simple-xml
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.carrotsearch\.thirdparty/simple-xml-safe@.*$</packageUrl>
<cpe>cpe:/a:simplexml_project:simplexml</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4208 suppress CVE for explicit version as CPE 'update' field is not supported and CVE is only for the 5.1 beta-1
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.hazelcast/hazelcast@(?!5\.1-BETA-1).*$</packageUrl>
<cve>CVE-2022-0265</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4316
]]></notes>
<packageUrl regex="true">^pkg:maven/ch\.qos\.reload4j/reload4j@.*$</packageUrl>
<cpe>cpe:/a:apache:log4j</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4317
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.mattbertolini/liquibase-slf4j@.*$</packageUrl>
<cpe>cpe:/a:liquibase:liquibase</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4344
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.pinterest\.ktlint/ktlint-reporter-checkstyle@.*$</packageUrl>
<cpe>cpe:/a:checkstyle:checkstyle</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4370
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.james/apache\-mime4j\-dom@.*$</packageUrl>
<cpe>cpe:/a:jdom:jdom</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4376; Allegro for Windows, formerly known as Popsy for Windows is an entirely different
product (by Allegro, website: allegro.be) from the pl.allegro libraries (by Allegro Tech - website allegro.tech,
github allegro organisation)
]]></notes>
<packageUrl regex="true">^pkg:maven/pl\.allegro\..*$</packageUrl>
<cpe>cpe:/a:allegro:allegro</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4368, #4384, #4369 async_project:async is an npm package
]]></notes>
<packageUrl regex="true">^pkg:maven/.*async.*@.*$</packageUrl>
<cpe>cpe:/a:async_project:async</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4425 - CVE resides in the impl, not in the api
]]></notes>
<packageUrl regex="true">^pkg:maven/jakarta\.el/jakarta\.el-api@.*$</packageUrl>
<cve>CVE-2021-28170</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4427; struts-legacy is a very minimal subset of 2 generic utility classes
split off from strutsv1, not the struts framework itself
]]></notes>
<packageUrl regex="true">^pkg:maven/struts/struts-legacy@.*$</packageUrl>
<cpe>cpe:/a:apache:struts</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4386
]]></notes>
<packageUrl regex="true">^pkg:maven/(org\.apache\.)?ant/ant\-apache\-log4j@.*$</packageUrl>
<cpe>cpe:/a:apache:ant</cpe>
<cpe>cpe:/a:apache:log4j</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4382
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.swagger\.codegen\.v3/swagger-codegen-generators@.*$</packageUrl>
<cpe>cpe:/a:swagger:swagger-codegen</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4168; as we lack support for the target_sw field suppress the CVE of the python agent
]]></notes>
<packageUrl regex="true">^pkg:maven/co\.elastic\.apm/apm-agent.*$</packageUrl>
<cve>CVE-2019-7617</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4061; also added firebird which suffers from a similar FP
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.flywaydb/.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
<cpe>cpe:/a:firebird:firebird</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4016; ratpack-pac4j is neither pac4j nor ratpack, but a bridge library with its own release schedule
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.pac4j/ratpack\-pac4j@.*$</packageUrl>
<cpe>cpe:/a:pac4j:pac4j</cpe>
<cpe>cpe:/a:ratpack:ratpack</cpe>
<cpe>cpe:/a:ratpack_project:ratpack</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4440
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.activemq/activeio\-core@.*$</packageUrl>
<cpe>cpe:/a:apache:activemq</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4445
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.rxtx/rxtx@.*$</packageUrl>
<cpe>cpe:/a:gnu:parallel</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4465
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.iq80\.snappy/snappy@.*$</packageUrl>
<cpe>cpe:/a:electrum:electrum</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4462, #4463, #4464; akka management modules are separate from akka core (and from the non-core akka HTTP modules)
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.lightbend\.akka\.management/akka\-.*@.*$</packageUrl>
<cpe>cpe:/a:akka:akka</cpe>
<cpe>cpe:/a:lightbend:akka</cpe>
<cpe>cpe:/a:lightbend:akka-http</cpe>
<cpe>cpe:/a:lightbend:akka_http</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4461 akka management discovery modules are separate from akka core
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.lightbend\.akka\.discovery/akka\-.*@.*$</packageUrl>
<cpe>cpe:/a:akka:akka</cpe>
<cpe>cpe:/a:lightbend:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4442; Eclipse Orbit is bundling thirdparty libraries as OSGI bundle, so org.eclipse.jetty.orbit libs
should not be linked to Jetty
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.orbit/.*$</packageUrl>
<cpe>cpe:/a:jetty:jetty</cpe>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4439
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.cloud/spring-cloud-gcp-starter-sql-postgresql@.*$</packageUrl>
<cpe>cpe:/a:postgresql:postgresql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4435; Sarif4k is not the Kotlin static analyzer Detekt
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.github\.detekt\.sarif4k/sarif4k@.*$</packageUrl>
<cpe>cpe:/a:detekt:detekt</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4263; prince-java-wrapper is an independently versioned wrapper to call the princeXML binary
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.princexml/prince-java-wrapper@.*$</packageUrl>
<cpe>cpe:/a:princexml:princexml</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4487, FP per issue #4551
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.(?!code\.gson).*/.*gson.*$</packageUrl>
<cpe>cpe:/a:google:gson</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4490; Datastax driver for Cassandra is not part of the Cassandra project
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra-driver-core@.*$</packageUrl>
<cpe>cpe:/a:apache:cassandra</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
quarkus-liquibase is a wrapper of liquibase:liquibase with a lower version
]]></notes>
<packageUrl regex="true">^pkg\:maven/io\.quarkus.*/quarkus\-liquibase(-[a-z]+)?@.*</packageUrl>
<cpe>cpe:/a:liquibase:liquibase</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
quarkus-container-image-docker is not docker:docker and maintains an independent version
]]></notes>
<packageUrl regex="true">^pkg\:maven/io\.quarkus/quarkus\-container\-image\-docker@.*</packageUrl>
<cpe>cpe:/a:docker:docker</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
quarkus-spring-boot-orm-api has an independent version and does not inherit the product's version
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus\-spring\-boot\-orm\-api@.*$</packageUrl>
<cpe>cpe:/a:quarkus:quarkus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
quarkus-spring-data-commons-api and quarkus-spring-data-jpa-api have an independent version and do not inherit the product's version
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus\-spring\-data\-(commons|jpa)\-api@.*$</packageUrl>
<cpe>cpe:/a:quarkus:quarkus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #4502. When there is spring somewhere in an artifact, but the groupId is
not springframework (up to 1.2.6) or org.springframework (all versions) it's not the
Spring Framework.
]]></notes>
<gav regex="true">^(?!(org\.)springframework).*:.*spring.*$</gav>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
<cpe>cpe:/a:springsource:spring_framework</cpe>
<cpe>cpe:/a:vmware:spring_framework</cpe>
<cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4514
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.axis2/axis2-xmlbeans@.*$</packageUrl>
<cpe>cpe:/a:apache:xmlbeans</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4518; http-swagger is a SwagGo Go-librarie, not one of the swagger.io libraries
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.swagger/.*$</packageUrl>
<cpe>cpe:/a:http-swagger_project:http-swagger</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4560. Tomcat jakartaee-migration utility is other project than Apache Tomcat itself
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/jakartaee-migration@.*$</packageUrl>
<cpe>cpe:/a:apache:tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4554; archiver_project:archiver is a go-module, not the NPM package
]]></notes>
<packageUrl regex="true">^pkg:npm/archiver@.*$</packageUrl>
<cpe>cpe:/a:archiver_project:archiver</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4540
]]></notes>
<packageUrl regex="true">^pkg:maven/tyrex/tyrex@.*$</packageUrl>
<cpe>cpe:/a:sun:j2ee</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4524; Zipkin Brave-aws is not the Brave desktop browser
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.zipkin\.aws/brave-propagation-aws@.*$</packageUrl>
<cpe>cpe:/a:brave:brave</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4205;
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus-micrometer-registry-prometheus@.*$</packageUrl>
<cpe>cpe:/a:prometheus:prometheus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #3888;
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.activemq/activemq\-artemis\-native@.*$</packageUrl>
<cpe>cpe:/a:apache:activemq</cpe>
<cpe>cpe:/a:apache:activemq_artemis</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Spring-framework libraries always have groupId org.springframework with no further extension, so suppress the
spring_framework CPE on other Spring libraries
Fixes FPs of #4364, #4363, #4362, 4353, #4351, #4350, #4349
Also replaces pre-existing suppressions of Spring-framework for #1566, #3580, #3749, #3738, #1027, #1328, #1921,
#642, #700, #3579, #1399, #1060
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\..*$</packageUrl>
<cpe>cpe:/a:springsource:spring_framework</cpe>
<cpe>cpe:/a:pivotal:spring_framework</cpe>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
<cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
<cpe>cpe:/a:vmware:spring_framework</cpe>
</suppress>
<!-- region Spring-security suppressions -->
<suppress base="true">
<notes><![CDATA[
False positive per #3622, #4561. Spring-boot-starter-oauth2-client gets flagged with wrong spring CPEs.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring\-boot\-starter\-oauth2\-client@.*$</packageUrl>
<cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
<cpe>cpe:/a:pivotal:spring_security</cpe>
<cpe>cpe:/a:pivotal_software:spring_security_oauth</cpe>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:vmware:spring_security</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
spring-boot-starter-security is not the same as spring-security, See #1975, #4563
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-security@.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:vmware:spring_security</cpe>
<cpe>cpe:/a:vmware:springsource_spring_security</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppress false positives per #3400 and #4597
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.cloud/spring\-cloud\-(common\-)?security.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:vmware:spring_security</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1665, #3219, #4562.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring-security-rsa.*$</packageUrl>
<cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:vmware:spring_security</cpe>
<cpe>cpe:/a:vmware:springsource_spring_security</cpe>
<cpe>cpe:/a:security-framework_project:security-framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Spring Security JWT false positive.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring-security-jwt.*$</packageUrl>
<cpe>cpe:/a:vmware:springsource_spring_security</cpe>
<cpe>cpe:/a:vmware:spring_security</cpe>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:security-framework_project:security-framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1595
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring-security-jwt@.*$</packageUrl>
<cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
<cpe>cpe:/a:pivotal_software:spring_security_oauth</cpe>
<cpe>cpe:/a:jwt_project:jwt</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4576; spring-security-saml2-core is an (end-of-life) extension project separate from spring-security https://github.com/spring-projects/spring-security-saml
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security\.extensions/spring-security-saml2-core@.*$</packageUrl>
<cpe>cpe:/a:saml_project:saml</cpe>
<cpe>cpe:/a:vmware:spring_security</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1694.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security\.extensions/spring-security-saml.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:vmware:springsource_spring_security</cpe>
<cpe>cpe:/a:vmware:spring_security</cpe>
<cpe>cpe:/a:security-framework_project:security-framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #2235, #4596, #4601
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security\.kerberos/spring-security-kerberos.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:vmware:springsource_spring_security</cpe>
<cpe>cpe:/a:vmware:spring_security</cpe>
<cpe>cpe:/a:security-framework_project:security-framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Supress false positives per issue #1872, #4577
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security\.oauth/spring-security-oauth2@.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:vmware:spring_security</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #1566.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security\.oauth\.boot/spring-security-oauth2-autoconfigure@.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_boot</cpe>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:vmware:spring_security</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1566
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security\.oauth\.boot/spring-security-oauth2-autoconfigure@.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_security_oauth</cpe>
<cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
spring-session has a different version numbering than spring-core. See #1399
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.session/spring-session-(core|data-).*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:vmware:spring_security</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #3068 on spring-session-hazelcast
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.session/spring\-session\-hazelcast@.*$</packageUrl>
<cpe>cpe:/a:hazelcast:hazelcast</cpe>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:vmware:spring_security</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #3811
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.ws/spring\-ws\-security@.*$</packageUrl>
<cpe>cpe:/a:vmware:spring_security</cpe>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
</suppress>
<!-- endregion -->
<!-- region Spring suppressions -->
<suppress base="true">
<notes><![CDATA[
FP per issues #4581, #4582
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.cloud/spring-cloud-dataflow-rest-.*$</packageUrl>
<cpe>cpe:/a:vmware:spring_data_rest</cpe>
<cpe>cpe:/a:pivotal_software:spring_data_rest</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2927 & #2931
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.cloud/spring\-cloud\-.*$</packageUrl>
<cpe>cpe:/a:vmware:cloud_foundation</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1721
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.batch/spring\-batch\-infrastructure@.*$</packageUrl>
<cpe>cpe:/a:vmware:infrastructure</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2498
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring\-boot\-loader\-tools@.*$</packageUrl>
<cpe>cpe:/a:vmware:tools</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on spring security.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring.*$</packageUrl>
<cpe>cpe:/a:mod_security:mod_security</cpe>
<cve>CVE-2018-1258</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per #1513. Spring-boot-starter-data-rest is not data-rest (however, it does
depend on spring-data-rest so the actual library will get flagged instead of the "boot" version
being flagged as spring-data-rest with the wrong version number)
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-data-rest@.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_data_rest</cpe>
<cpe>cpe:/a:pivotal_software:spring_boot</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per #1566, #3580 and #4617
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.boot/.*$</packageUrl>
<cpe>cpe:/a:vmware:spring_integration</cpe>
<cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:vmware:server</cpe>
<cpe>cpe:/a:vmware:spring_security</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #3216
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.batch/spring\-batch\-integration@.*$</packageUrl>
<cpe>cpe:/a:vmware:spring_integration</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #2070
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring\-boot\-starter\-web\-services@.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_web_services</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1740
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.integration/(?!spring\-integration\-(ws|xml)).*$</packageUrl>
<cve>CVE-2019-3772</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
Spring data mongodb false positives.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.data/spring-data-mongodb.*$</packageUrl>
<cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Spring data neo4j false positives. Adapted to resolve #4598
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.(data|boot)/spring-(boot-starter-)?data-neo4j@.*$</packageUrl>
<cpe>cpe:/a:neo4j:neo4j</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Spring data solr false positives.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.data/spring-data-solr@.*$</packageUrl>
<cpe>cpe:/a:apache:solr</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Spring social facebook false positive.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.social/spring-social-facebook@.*$</packageUrl>
<cpe>cpe:/a:facebook:facebook</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives per issue #1720
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring\-boot\-starter\-batch@.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_batch</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives per issue #642
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-context@.*$</packageUrl>
<cpe>cpe:/a:context_project:context</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #691
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-data-jpa@.*$</packageUrl>
<cve>CVE-2016-6652</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #700 and #3579
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.cloud/spring-cloud-.*$</packageUrl>
<cpe>cpe:/a:context_project:context</cpe>
<cpe>cpe:/a:pivotal_software:spring_batch</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #838
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.boot/.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_data_jpa</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
spring boot mongo FP per issue #1067, #4641
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-data-mongodb.*@.*$</packageUrl>
<cpe>cpe:/a:mongodb:mongodb</cpe>
<cpe>cpe:/a:vmware:spring_data_mongodb</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: spring-boot-starter-amqp-2.5.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring\-boot\-starter\-amqp@.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:rabbitmq</cpe>
<cpe>cpe:/a:pivotal_software:spring_boot</cpe>
<cpe>cpe:/a:vmware:rabbitmq</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
spring ldap cleanup per issue #1060
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.ldap/spring-ldap-core@.*$</packageUrl>
<cpe>cpe:/a:net-ldap_project:net-ldap</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
spring-cloud-kubernetes-fabric8-autoconfig is part of spring cloud kubernetes, not spring cloud config #3098, #4038
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.cloud/spring\-cloud\-(starter\-)?kubernetes\-fabric8\-(auto)?config@.*$</packageUrl>
<cpe>cpe:/a:vmware:spring_cloud_config</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
spring-cloud-deployer-* false CPE matches discovered in handling #3579
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.cloud/spring\-cloud\-deployer\-.*$</packageUrl>
<cpe>cpe:/a:vmware:spring_cloud_config</cpe>
<cpe>cpe:/a:vmware:spring_cloud_data_flow</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4152
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.cloud/spring-cloud-kubernetes-fabric8-config@.*$</packageUrl>
<cpe>cpe:/a:vmware:spring_cloud_config</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4509; Issue is in spring-web and will only be fixed by Spring in their next major release.
So suppressing it for the spring-framework components other than spring-web is an appropriate
exception to the basic policy of not micromanaging spring_framework vulnerabilities by library
in our suppressions.
https://github.com/spring-projects/spring-framework/issues/25379 (deprecation only in current 5.x versions)
https://github.com/spring-projects/spring-framework/commit/5822f1bf85b94fd15f9829914b065b1c61910c7d (removal in 6.0.0-M1)
]]></notes>
<packageUrl regex="true">^pkg:maven/(?!org\.springframework/spring\-web@).*$</packageUrl>
<cve>CVE-2016-1000027</cve>
</suppress>
<!-- endregion -->
<suppress base="true">
<notes><![CDATA[
FP per issue #4671, CVEs for Python pet projects
]]></notes>
<packageUrl regex="true">^.*$</packageUrl>
<cve>CVE-2022-31504</cve>
<cve>CVE-2022-31505</cve>
<cve>CVE-2022-31509</cve>
<cve>CVE-2022-31510</cve>
<cve>CVE-2022-31511</cve>
<cve>CVE-2022-31512</cve>
<cve>CVE-2022-31513</cve>
<cve>CVE-2022-31514</cve>
<cve>CVE-2022-31515</cve>
<cve>CVE-2022-31516</cve>
<cve>CVE-2022-31518</cve>
<cve>CVE-2022-31520</cve>
<cve>CVE-2022-31521</cve>
<cve>CVE-2022-31526</cve>
<cve>CVE-2022-31527</cve>
<cve>CVE-2022-31528</cve>
<cve>CVE-2022-31532</cve>
<cve>CVE-2022-31533</cve>
<cve>CVE-2022-31534</cve>
<cve>CVE-2022-31535</cve>
<cve>CVE-2022-31536</cve>
<cve>CVE-2022-31537</cve>
<cve>CVE-2022-31538</cve>
<cve>CVE-2022-31540</cve>
<cve>CVE-2022-31544</cve>
<cve>CVE-2022-31545</cve>
<cve>CVE-2022-31546</cve>
<cve>CVE-2022-31547</cve>
<cve>CVE-2022-31548</cve>
<cve>CVE-2022-31551</cve>
<cve>CVE-2022-31552</cve>
<cve>CVE-2022-31553</cve>
<cve>CVE-2022-31554</cve>
<cve>CVE-2022-31555</cve>
<cve>CVE-2022-31556</cve>
<cve>CVE-2022-31557</cve>
<cve>CVE-2022-31559</cve>
<cve>CVE-2022-31560</cve>
<cve>CVE-2022-31561</cve>
<cve>CVE-2022-31562</cve>
<cve>CVE-2022-31563</cve>
<cve>CVE-2022-31564</cve>
<cve>CVE-2022-31565</cve>
<cve>CVE-2022-31566</cve>
<cve>CVE-2022-31567</cve>
<cve>CVE-2022-31568</cve>
<cve>CVE-2022-31570</cve>
<cve>CVE-2022-31571</cve>
<cve>CVE-2022-31572</cve>
<cve>CVE-2022-31574</cve>
<cve>CVE-2022-31575</cve>
<cve>CVE-2022-31576</cve>
<cve>CVE-2022-31577</cve>
<cve>CVE-2022-31578</cve>
<cve>CVE-2022-31579</cve>
<cve>CVE-2022-31582</cve>
<cve>CVE-2022-31583</cve>
<cve>CVE-2022-31585</cve>
<cve>CVE-2022-31587</cve>
<cve>CVE-2022-31588</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP because cpe make reference to IonicaBizau/parse-url dependency
]]></notes>
<packageUrl regex="true">^pkg:npm/parseurl@.*$</packageUrl>
<cpe>cpe:/a:parse-url_project:parse-url</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4648 and #4649
]]></notes>
<packageUrl regex="true">^pkg:maven/rubygems/jruby\-.*@.*$</packageUrl>
<cpe>cpe:/a:jruby:jruby</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4649
]]></notes>
<packageUrl regex="true">^pkg:maven/rubygems/jruby\-openssl@.*$</packageUrl>
<cpe>cpe:/a:openssl:openssl</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4852
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-java-kickstart@.*$</packageUrl>
<cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4803
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.sourceforge\.htmlunit/htmlunit-cssparser@.*$</packageUrl>
<cpe>cpe:/a:htmlunit_project:htmlunit</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4853
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-java-servlet@.*$</packageUrl>
<cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4859
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.apollographql\.federation/federation-graphql-java-support@.*$</packageUrl>
<cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4851
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql-java/graphql-java-extended-scalars@.*$</packageUrl>
<cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4860
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.apollographql\.federation/federation-graphql-java-support-api@.*$</packageUrl>
<cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4862
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.github\.graphql-java/graphql-java-annotations@.*$</packageUrl>
<cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4863
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql-java/java-dataloader@.*$</packageUrl>
<cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4854
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-java-tools@.*$</packageUrl>
<cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4806
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.vaadin\.addon/easyuploads@.*$</packageUrl>
<cpe>cpe:/a:vaadin:vaadin</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4790
]]></notes>
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback-classic@.*$</packageUrl>
<cpe>cpe:/a:qos:slf4j</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4781
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.config/microprofile-config-api@.*$</packageUrl>
<cpe>cpe:/a:payara:payara</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4777
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.james/apache-mime4j@.*$</packageUrl>
<cpe>cpe:/a:apache:james</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4755
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.postgresql/r2dbc-postgresql@.*$</packageUrl>
<cpe>cpe:/a:postgresql:postgresql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4754
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mockito/mockito-junit-jupiter@.*$</packageUrl>
<cpe>cpe:/a:junit:junit4</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4735
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.robolectric/junit@.*$</packageUrl>
<cpe>cpe:/a:junit:junit4</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4729
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.openhtmltopdf/openhtmltopdf-jsoup-dom-converter@.*$</packageUrl>
<cpe>cpe:/a:jsoup:jsoup</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4728
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.vladsch\.flexmark/flexmark-ext-xwiki-macros@.*$</packageUrl>
<cpe>cpe:/a:xwiki:xwiki</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4727
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.vladsch\.flexmark/flexmark-ext-macros@.*$</packageUrl>
<cpe>cpe:/a:processing:processing</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4726
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jfrog\.artifactory\.client/artifactory-java-client-api@.*$</packageUrl>
<cpe>cpe:/a:jfrog:artifactory</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4897
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin-annotation-processing-gradle@.*$</packageUrl>
<cpe>cpe:/a:processing:processing</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4900
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.testcontainers/mysql@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4899
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mariadb/r2dbc-mariadb@.*$</packageUrl>
<cpe>cpe:/a:mariadb:mariadb</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4898
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.testcontainers/mariadb@.*$</packageUrl>
<cpe>cpe:/a:mariadb:mariadb</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4907
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.minidev/accessors-smart@.*$</packageUrl>
<cpe>cpe:/a:json-smart_project:json-smart-v1</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4721
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel-activemq@.*$</packageUrl>
<cpe>cpe:/a:apache:activemq</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4652
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jruby\.rack/jruby-rack@.*$</packageUrl>
<cpe>cpe:/a:jruby:jruby</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4647
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
<cpe>cpe:/a:jruby:jruby</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4932
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.datasketches/datasketches-java@.*$</packageUrl>
<cpe>cpe:/a:sketch:sketch</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4962
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.github\.pagehelper/pagehelper-spring-boot-starter@.*$</packageUrl>
<cpe>cpe:/a:pagehelper_project:pagehelper</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue#4999
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentracing\.contrib/opentracing\-elasticsearch.*@.*$</packageUrl>
<cpe>cpe:/a:elasticsearch:elasticsearch</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4984
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.otaliastudios/zoomlayout@.*$</packageUrl>
<cpe>cpe:/a:zoom:zoom</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4953 regex to match both hive-spark-client and the historical spark-client artifactIds
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hive/.*spark\-client@.*$</packageUrl>
<cpe>cpe:/a:apache:spark</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4951
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.twill/twill\-yarn@.*$</packageUrl>
<cpe>cpe:/a:apache:hadoop</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4950
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.ranger/ranger\-hive\-plugin@.*$</packageUrl>
<cpe>cpe:/a:apache:hive</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP CPE match per issue #4945
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hive/hive\-hbase\-handler@.*$</packageUrl>
<cpe>cpe:/a:apache:hbase</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4943
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-server@.*$</packageUrl>
<cpe>cpe:/a:apache:http_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #2575, #4820
]]></notes>
<packageUrl regex="true">^pkg:cocoapods/GoogleUtilities%2FAppDelegateSwizzler@.*$</packageUrl>
<cpe>cpe:/a:app_project:app</cpe>
<cpe>cpe:/a:delegate:delegate</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4737, adding two more false CPE matches that were not yet reported
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-oauth2\-authorization\-server@.*$</packageUrl>
<cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:pivotal_software:spring_security_oauth</cpe>
<cpe>cpe:/a:vmware:spring_security</cpe>
<cpe>cpe:/a:vmware:server</cpe>
<cpe>cpe:/a:vmware:vmware_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4667
]]></notes>
<packageUrl regex="true">^pkg:maven/tailrecursion/cljs\-priority\-map@.*$</packageUrl>
<cpe>cpe:/a:priority-software:priority</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4667
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.clojure/data\.priority\-map@.*$</packageUrl>
<cpe>cpe:/a:priority-software:priority</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue https://github.com/jeremylong/DependencyCheck/issues/5060
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.msgpack/.*@.*$</packageUrl>
<cpe>cpe:/a:messagepack_project:messagepack</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5038
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.locationtech\.spatial4j/spatial4j@.*$</packageUrl>
<cpe>cpe:/a:pro_search:pro_search</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5037
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.ko-sys\.av/airac@.*$</packageUrl>
<cpe>cpe:/a:keybase:keybase</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5027
]]></notes>
<packageUrl regex="true">^pkg:maven/software\.aws\.rds/aws-mysql-jdbc@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5024
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.openhft/chronicle-wire@.*$</packageUrl>
<cpe>cpe:/a:wire:wire</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5022
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.zendesk/mysql-binlog-connector-java@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5021
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.debezium/debezium-connector-mysql@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4944
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase-zookeeper@.*$</packageUrl>
<cpe>cpe:/a:apache:zookeeper</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4949
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.curioswitch\.curiostack/protobuf-jackson@.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5014
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.ejbca\.cvc/cert-cvc@.*$</packageUrl>
<cpe>cpe:/a:primekey:ejbca</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4952
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.twill/twill-zookeeper@.*$</packageUrl>
<cpe>cpe:/a:apache:zookeeper</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4948
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentracing\.contrib/opentracing-grpc@.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4947
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.pf4j/pf4j@.*$</packageUrl>
<cpe>cpe:/a:sonatype:nexus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4946
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.iceberg/iceberg-hive-metastore@.*$</packageUrl>
<cpe>cpe:/a:apache:hive</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4942
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase-hadoop-compat@.*$</packageUrl>
<cpe>cpe:/a:apache:hadoop</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4941
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.flink/flink-rpc-akka-loader@.*$</packageUrl>
<cpe>cpe:/a:akka:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4940
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.flink/flink-hadoop-fs@.*$</packageUrl>
<cpe>cpe:/a:apache:hadoop</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4931
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.azure\.resourcemanager/azure-resourcemanager-appplatform@.*$</packageUrl>
<cpe>cpe:/a:microsoft:platform_sdk</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4720
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.clojure/data\.priority-map@.*$</packageUrl>
<cpe>cpe:/a:priority-software:priority</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4693
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.zipkin\.reporter2/zipkin-reporter@.*$</packageUrl>
<cpe>cpe:/a:pki-core_project:pki-core</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4692
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.zipkin\.zipkin2/zipkin@.*$</packageUrl>
<cpe>cpe:/a:pki-core_project:pki-core</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4669
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.junit\.jupiter/junit-jupiter-engine@.*$</packageUrl>
<cpe>cpe:/a:fan_platform_project:fan_platform</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5017
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.api\.grpc/grpc-google-iam-v1@.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4681
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.amazonaws/aws-java-sdk-prometheus@.*$</packageUrl>
<cpe>cpe:/a:prometheus:prometheus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5089
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus\-keycloak\-authorization@.*$</packageUrl>
<cpe>cpe:/a:keycloak:keycloak</cpe>
<cpe>cpe:/a:redhat:keycloak</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5121 - fix for commons
]]></notes>
<packageUrl regex="true">^(?!pkg:maven/commons-net/commons-net).*$</packageUrl>
<cpe>cpe:/a:apache:commons_net</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5083
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.github\.pagehelper/pagehelper-spring-boot-autoconfigure@.*$</packageUrl>
<cpe>cpe:/a:pagehelper_project:pagehelper</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4651
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.hibernate/hibernate-commons-annotations@.*$</packageUrl>
<cpe>cpe:/a:hibernate:hibernate_orm</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5097
]]></notes>
<packageUrl regex="true">^pkg:maven/software\.aws\.rds/aws-mysql-jdbc@.*$</packageUrl>
<cpe>cpe:/a:mariadb:mariadb</cpe>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5108
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jfrog\.artifactory\.client/artifactory-java-client-httpClient@.*$</packageUrl>
<cpe>cpe:/a:jfrog:artifactory</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5107
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentracing\.contrib/opentracing-apache-httpclient@.*$</packageUrl>
<cpe>cpe:/a:apache:httpclient</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4621
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-xc@.*$</packageUrl>
<cpe>cpe:/a:fasterxml:jackson-databind</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #5118
]]></notes>
<sha1>5b8f86fea035328fc9e8c660773037a3401ce25f</sha1>
<cpe regex="true">.*</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #4575
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly\.wildfly-http-client/wildfly-http-ejb-client@.*$</packageUrl>
<cpe>cpe:/a:redhat:jboss-ejb-client</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5131
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.zipkin\.zipkin2/zipkin-collector@.*$</packageUrl>
<cpe>cpe:/a:pki-core_project:pki-core</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5162
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jgroups\.kubernetes/jgroups-kubernetes@.*$</packageUrl>
<cpe>cpe:/a:redhat:jgroups</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5171
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.james/queue-activemq-guice@.*$</packageUrl>
<cpe>cpe:/a:apache:activemq</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5172
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.projectreactor\.rabbitmq/reactor-rabbitmq@.*$</packageUrl>
<cpe>cpe:/a:vmware:rabbitmq</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5170
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.james/james-server-queue-activemq@.*$</packageUrl>
<cpe>cpe:/a:apache:activemq</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5168
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.james/apache-jsieve-core@.*$</packageUrl>
<cpe>cpe:/a:apache:james</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5213, CVEs for scripting pet projects
]]></notes>
<packageUrl regex="true">^.*$</packageUrl>
<cve>CVE-2021-4277</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5169
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.crypto\.tink/apps-webpush@.*$</packageUrl>
<cpe>cpe:/a:google:google_apps</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5212
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.github\.java-json-tools/json-patch@.*$</packageUrl>
<cpe>cpe:/a:json-patch_project:json-patch</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5217
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.pwall\.json/json-pointer@.*$</packageUrl>
<cpe>cpe:/a:json-pointer_project:json-pointer</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5275
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-spring-boot-starter@.*$</packageUrl>
<cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5276
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop-shaded-guava@.*$</packageUrl>
<cpe>cpe:/a:apache:hadoop</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5278
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.datastax\.oss/native-protocol@.*$</packageUrl>
<cpe>cpe:/a:apache:cassandra</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5280
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel-ftp@.*$</packageUrl>
<cpe>cpe:/a:ftp_project:ftp</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5253
]]></notes>
<packageUrl regex="true">^pkg:npm/jsonpointer@.*$</packageUrl>
<cpe>cpe:/a:json-pointer_project:json-pointer</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5252
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.flatbuffers/flatbuffers-java@.*$</packageUrl>
<cpe>cpe:/a:flat_project:flat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issues #5321, #5322, #5323, #5324
]]></notes>
<packageUrl regex="true">^pkg:maven/me\.dinowernli/java\-grpc\-prometheus@.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
<cpe>cpe:/a:prometheus:prometheus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5370
colon before version is needed to avoid also matching cpe:/a:redhat:wildfly_openssl
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly\.openssl/.*$</packageUrl>
<cpe>cpe:/a:redhat:wildfly:</cpe>
<cpe>cpe:/a:wildfly:wildfly:</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5367
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql\-java\-kickstart/.*$</packageUrl>
<cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5334
]]></notes>
<packageUrl regex="true">^pkg:pypi/.*docker.*$</packageUrl>
<cpe>cpe:/a:docker:docker</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1673 #3829 #4129 #4135 #4310 #4327 #4653 #5290 #5287
Broadly suppress eclipse_ide for anything outside of the org.eclipse.platform groupIds
]]></notes>
<packageUrl regex="true">^(?!pkg:maven/org.eclipse.platform).+$</packageUrl>
<cpe>cpe:/a:eclipse:eclipse_ide</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress various improper matches to the CPE that belongs only to pkg:maven/org.json/json
FP per #5502
]]></notes>
<packageUrl regex="true">^(?!pkg:maven/org\.json/json@).+$</packageUrl>
<cpe>cpe:/a:json-java_project:json-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress various improper matches to the CPE that belongs only to pkg:npm/flat
FP per #5454
]]></notes>
<packageUrl regex="true">^(?!pkg:npm/flat@).+$</packageUrl>
<cpe>cpe:/a:flat_project:flat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5489, make sure to include all apacha calcite-avatica modules
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.calcite\.avatica/.*$</packageUrl>
<cpe>cpe:/a:apache:calcite:</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5381, apollo_project:apollo is a PHP project unrelated to apollographql
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.apollographql\.apollo/.*$</packageUrl>
<cpe>cpe:/a:apollo_project:apollo</cpe>
</suppress>
<!-- generated suppressions added to main in 8.1.1 -->
<suppress base="true">
<notes><![CDATA[
FP per issue #5333
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-kickstart-spring-support@.*$</packageUrl>
<cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5336
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.openrewrite\.recipe/rewrite-jhipster@.*$</packageUrl>
<cpe>cpe:/a:jhipster:jhipster</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5361
]]></notes>
<packageUrl regex="true">^pkg:maven/jakarta\.resource/jakarta\.resource-api@.*$</packageUrl>
<cpe>cpe:/a:payara:payara</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5373
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.locationtech\.spatial4j/spatial4j@.*$</packageUrl>
<cpe>cpe:/a:voyager_project:voyager</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5372
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.locationtech\.spatial4j/spatial4j@.*$</packageUrl>
<cpe>cpe:/a:smiley_project:smiley</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5380
]]></notes>
<packageUrl regex="true">^pkg:maven/dev\.ludovic\.netlib/lapack@.*$</packageUrl>
<cpe>cpe:/a:lapack_project:lapack</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5375
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.jwt/microprofile-jwt-auth-api@.*$</packageUrl>
<cpe>cpe:/a:payara:payara</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5368
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop-shaded-protobuf_3_7@.*$</packageUrl>
<cpe>cpe:/a:apache:hadoop</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5325
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.enterprisedt/edtFTPj@.*$</packageUrl>
<cpe>cpe:/a:ftp_project:ftp</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5436
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.woodstox/stax2-api@.*$</packageUrl>
<cpe>cpe:/a:fasterxml:woodstox</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5459
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.oracle\.database\.nls/orai18n@.*$</packageUrl>
<cpe>cpe:/a:oracle:database</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5460
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.oracle\.database\.nls/orai18n@.*$</packageUrl>
<cpe>cpe:/a:oracle:oracle_database</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5501
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jsonschema2pojo/jsonschema2pojo-jdk-annotation@.*$</packageUrl>
<cpe>cpe:/a:json-schema_project:json-schema</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5500
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.iceberg/iceberg-orc@.*$</packageUrl>
<cpe>cpe:/a:apache:orc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5499
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.iceberg/iceberg-flink-1\.15@.*$</packageUrl>
<cpe>cpe:/a:apache:flink</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5498
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.googlecode\.javaewah/JavaEWAH@.*$</packageUrl>
<cpe>cpe:/a:google:google_search</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5497
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.cloud/grpc-gcp@.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5496
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.flink/flink-s3-fs-hadoop@.*$</packageUrl>
<cpe>cpe:/a:apache:hadoop</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5492
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/azure-cosmosdb-direct@.*$</packageUrl>
<cpe>cpe:/a:microsoft:platform_sdk</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5491
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/azure-cosmosdb@.*$</packageUrl>
<cpe>cpe:/a:www-sql_project:www-sql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5490
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/azure-cosmosdb@.*$</packageUrl>
<cpe>cpe:/a:async_project:async</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5471
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.spark/spark-token-provider-kafka-0-10_2\.12@.*$</packageUrl>
<cpe>cpe:/a:apache:kafka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5462
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.ws\.commons\.axiom/axiom-impl@.*$</packageUrl>
<cpe>cpe:/a:web_project:web</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5461
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.github\.luben/zstd-jni@.*$</packageUrl>
<cpe>cpe:/a:freebsd:freebsd</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5506
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.kamon/kamon-prometheus_2\.13@.*$</packageUrl>
<cpe>cpe:/a:prometheus:prometheus</cpe>
</suppress>
<!-- begin generated suppressions added to main in 8.4.0 -->
<suppress base="true">
<notes><![CDATA[
FP per issue #5529
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.github\.dasniko/testcontainers-keycloak@.*$</packageUrl>
<cpe>cpe:/a:keycloak:keycloak</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5540
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.kerby/zookeeper-backend@.*$</packageUrl>
<cpe>cpe:/a:apache:zookeeper</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5593
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.camel\.springboot/camel-ftp-starter@.*$</packageUrl>
<cpe>cpe:/a:ftp_project:ftp</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5592
]]></notes>
<packageUrl regex="true">^pkg:maven/javax\.resource/connector@.*$</packageUrl>
<cpe>cpe:/a:sun:j2ee</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5615
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.cloud/spring-cloud-sleuth-autoconfigure@.*$</packageUrl>
<cpe>cpe:/a:vmware:spring_cloud_config</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5618
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jfrog\.artifactory\.client/artifactory-java-client-services@.*$</packageUrl>
<cpe>cpe:/a:jfrog:artifactory</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5622
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.minidev/accessors-smart@.*$</packageUrl>
<cpe>cpe:/a:json-smart_project:json-smart</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5629
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.integration/spring-integration-ftp@.*$</packageUrl>
<cpe>cpe:/a:vmware:spring_integration</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5636
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql-java/graphql-java-extended-scalars@.*$</packageUrl>
<cpe>cpe:/a:graphql-java:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5639
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-java-tools@.*$</packageUrl>
<cpe>cpe:/a:graphql-java:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5638
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-java-servlet@.*$</packageUrl>
<cpe>cpe:/a:graphql-java:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5637
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-java-kickstart@.*$</packageUrl>
<cpe>cpe:/a:graphql-java:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5657
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-kickstart-spring-support@.*$</packageUrl>
<cpe>cpe:/a:graphql-java:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5685
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcpg-jdk15on@.*$</packageUrl>
<cpe>cpe:/a:open_cas_project:open_cas</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5700
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy\.microprofile/microprofile-config@.*$</packageUrl>
<cpe>cpe:/a:redhat:resteasy</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5684
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.ignite/ignite-log4j2@.*$</packageUrl>
<cpe>cpe:/a:apache:log4j</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5704
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.directory\.api/api-ldap-net-mina@.*$</packageUrl>
<cpe>cpe:/a:apache:mina</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5719
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-webclient@.*$</packageUrl>
<cpe>cpe:/a:graphql-java:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5727
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.quarkiverse\.openapi\.generator/quarkus-openapi-generator@.*$</packageUrl>
<cpe>cpe:/a:openapi-generator:openapi_generator</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5737
]]></notes>
<packageUrl regex="true">^pkg:nuget/MagicFileEncoding@.*$</packageUrl>
<cpe>cpe:/a:file_project:file</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5736
]]></notes>
<packageUrl regex="true">^pkg:nuget/FluentFTP@.*$</packageUrl>
<cpe>cpe:/a:ftp:ftp</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5734
]]></notes>
<packageUrl regex="true">^pkg:nuget/KubernetesClient@.*$</packageUrl>
<cpe>cpe:/a:kubernetes:kubernetes</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5742
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling\.commons\.johnzon@.*$</packageUrl>
<cpe>cpe:/a:apache:sling_commons_json</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5749
]]></notes>
<packageUrl regex="true">^pkg:nuget/AspNetCoreRateLimit\.Redis@.*$</packageUrl>
<cpe>cpe:/a:asp-project:asp-project</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5754 #6441
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.swagger\.parser\.v3/swagger-parser-safe-url-resolver@.*$</packageUrl>
<cpe>cpe:/a:parse-url_project:</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5762
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jruby/jzlib@.*$</packageUrl>
<cpe>cpe:/a:jruby:jruby</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5753
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.bazaarvoice\.jolt/json-utils@.*$</packageUrl>
<cpe>cpe:/a:utils_project:utils</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5765
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.integration/spring-integration-ftp@.*$</packageUrl>
<cpe>cpe:/a:ftp_project:ftp</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5766
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mockftpserver/MockFtpServer@.*$</packageUrl>
<cpe>cpe:/a:ftp_project:ftp</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5770
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.sun\.xml\.bind\.jaxb/isorelax@.*$</packageUrl>
<cpe>cpe:/a:xml_library_project:xml_library</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5772 - taking into account same FP-risk for other RestEasy microprofile libraries
retain this one and remove the following FP-automation suppression rule when merging into bundled
suppressions
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy\.microprofile/.*$</packageUrl>
<cpe>cpe:/a:redhat:resteasy</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5772
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy\.microprofile/microprofile-rest-client@.*$</packageUrl>
<cpe>cpe:/a:redhat:resteasy</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5774
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling\.commons\.osgi@.*$</packageUrl>
<cpe>cpe:/a:apache:sling</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5785
]]></notes>
<packageUrl regex="true">^pkg:maven/cloud\.localstack/localstack-utils@.*$</packageUrl>
<cpe>cpe:/a:utils_project:utils</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5788
]]></notes>
<packageUrl regex="true">^pkg:nuget/Minio\.AspNetCore@.*$</packageUrl>
<cpe>cpe:/a:minio:minio</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5781
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
<cpe>cpe:/a:apache:thrift</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5777
]]></notes>
<packageUrl regex="true">^pkg:nuget/RazorEngine\.NetCore@.*$</packageUrl>
<cpe>cpe:/a:razorengine_project:razorengine</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5648
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.github\.graphql-java/graphql-java-annotations@.*$</packageUrl>
<cpe>cpe:/a:graphql-java:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5643
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-spring-boot-starter@.*$</packageUrl>
<cpe>cpe:/a:graphql-java:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5641
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.graphql-java/java-dataloader@.*$</packageUrl>
<cpe>cpe:/a:graphql-java:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5647
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.apollographql\.federation/federation-graphql-java-support-api@.*$</packageUrl>
<cpe>cpe:/a:graphql-java:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5646
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.apollographql\.federation/federation-graphql-java-support@.*$</packageUrl>
<cpe>cpe:/a:graphql-java:graphql-java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5543
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.cxf/cxf-rt-bindings-soap@.*$</packageUrl>
<cpe>cpe:/a:apache:soap</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5796
]]></notes>
<packageUrl regex="true">^pkg:nuget/Microsoft\.Win32\.SystemEvents@.*$</packageUrl>
<cpe>cpe:/a:events_project:events</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
hand-curated better suppression for FP per issue #5797
]]></notes>
<packageUrl regex="true">^(?!pkg:maven/net\.pwall\.json/jsonutil).*$</packageUrl>
<cpe>cpe:/a:jsonutil_project:jsonutil</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
hand-curated better FP suppression rule for issue #5794
to be replacing the autmatic FP-OPS flow suppression that will follow behind it when taking it over to the
bundled suppression-file
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.apollographql\.apollo3/.*$</packageUrl>
<cpe>cpe:/a:apollo_project:apollo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5794
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.apollographql\.apollo3/apollo-annotations-jvm@.*$</packageUrl>
<cpe>cpe:/a:apollo_project:apollo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5802
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.itextpdf\.licensing/licensing-base@.*$</packageUrl>
<cpe>cpe:/a:itextpdf:itext</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5803
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.itextpdf\.licensing/licensing-remote@.*$</packageUrl>
<cpe>cpe:/a:itextpdf:itext</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5821
]]></notes>
<packageUrl regex="true">^pkg:npm/wordwrap@.*$</packageUrl>
<cpe>cpe:/a:word-wrap_project:word-wrap</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5829
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.exactpro\.th2/netty-bytebuf-utils@.*$</packageUrl>
<cpe>cpe:/a:utils_project:utils</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5830
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.github\.detekt\.sarif4k/sarif4k-jvm@.*$</packageUrl>
<cpe>cpe:/a:detekt:detekt</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5843
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.avro/avro@.*$</packageUrl>
<cpe>cpe:/a:avro_project:avro</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5846
]]></notes>
<packageUrl regex="true">^pkg:maven/commons-logging/commons-logging@.*$</packageUrl>
<cpe>cpe:/a:morgan_project:morgan</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5854
akka-grpc libraries are neither part of the akka actor system nor gRPC
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.lightbend\.akka\.grpc/.*$</packageUrl>
<cpe>cpe:/a:akka:akka</cpe>
<cpe>cpe:/a:lightbend:akka</cpe>
<cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5855; akka-persistence-r2dbc is not part of the akka actor system projects
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.lightbend\.akka/akka-persistence-r2dbc.*$</packageUrl>
<cpe>cpe:/a:akka:akka</cpe>
<cpe>cpe:/a:lightbend:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issues #5857, #5856; akka-projection projects are not part of the akka actor system projects
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.lightbend\.akka/akka-projection-.*$</packageUrl>
<cpe>cpe:/a:akka:akka</cpe>
<cpe>cpe:/a:lightbend:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5857; akka-projection-grpc is not grpc itself
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.lightbend\.akka/akka-projection-grpc.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Optimized suppression for FP per issue #5859
The suppression following this for the same FP issue from FP-report automation bot
can be discarded when bringing the suppressions into the package suppressions file.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/oak-.*$</packageUrl>
<cpe>cpe:/a:apache:jackrabbit</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5859
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/oak-core@.*$</packageUrl>
<cpe>cpe:/a:apache:jackrabbit</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5860
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.vaadin/vaadin-swing-kit-flow@.*$</packageUrl>
<cpe>cpe:/a:vaadin:flow</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5864
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling\.commons\.johnzon@.*$</packageUrl>
<cpe>cpe:/a:apache:sling</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5879
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty\.incubator/netty-incubator-codec-classes-quic@.*$</packageUrl>
<cpe>cpe:/a:quic_project:quic</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5883
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.geronimo\.specs/geronimo-saaj_1\.3_spec@.*$</packageUrl>
<cpe>cpe:/a:apache:soap</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5880
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.ops4j\.pax\.logging/pax-logging-log4j2@.*$</packageUrl>
<cpe>cpe:/a:apache:log4j</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5888
]]></notes>
<packageUrl regex="true">^pkg:maven/software\.amazon\.awssdk\.crt/aws-crt@.*$</packageUrl>
<cpe>cpe:/a:amazon:aws-sdk-java</cpe>
</suppress>
<!-- end generated suppressions added to main in 8.4.0 -->
<suppress base="true">
<notes><![CDATA[
FP per #4321
]]></notes>
<packageUrl regex="true">^pkg:(pypi/redis|generic/Microsoft\.Extensions\.Caching\.StackExchangeRedis|generic/HealthChecks\.Redis)@.*$</packageUrl>
<cve>CVE-2021-32626</cve>
<cve>CVE-2021-32627</cve>
<cve>CVE-2021-32628</cve>
<cve>CVE-2021-32675</cve>
<cve>CVE-2021-32687</cve>
<cve>CVE-2021-32762</cve>
<cve>CVE-2021-41099</cve>
<cve>CVE-2022-24735</cve>
<cve>CVE-2022-24834</cve>
<cve>CVE-2021-31294</cve>
<cve>CVE-2021-32672</cve>
<cve>CVE-2022-24736</cve>
<cve>CVE-2022-36021</cve>
<cve>CVE-2023-25155</cve>
<cve>CVE-2023-28856</cve>
</suppress>
<!-- generated suppression 8.4.0 up to 9.1.0 -->
<suppress base="true">
<notes><![CDATA[
FP per issue #5904
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.adobe\.cq/core\.wcm\.components\.core@.*$</packageUrl>
<cpe>cpe:/a:adobe:download_manager</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5905
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.adobe\.cq/core\.wcm\.components\.core@.*$</packageUrl>
<cpe>cpe:/a:adobe:experience_manager</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5906
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.adobe\.cq/core\.wcm\.components\.core@.*$</packageUrl>
<cpe>cpe:/a:adobe:experience_manager_forms</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5908
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.adobe\.cq/core\.wcm\.components\.core@.*$</packageUrl>
<cpe>cpe:/a:adobe:form_client</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5909
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.adobe\.cq/core\.wcm\.components\.core@.*$</packageUrl>
<cpe>cpe:/a:list_site_pro:list_site_pro</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5910
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.adobe\.cq/core\.wcm\.components\.core@.*$</packageUrl>
<cpe>cpe:/a:oembed_project:oembed</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5911
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.adobe\.cq/core\.wcm\.components\.core@.*$</packageUrl>
<cpe>cpe:/a:xml_library_project:xml_library</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5916
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.plugin/spring-plugin-core@.*$</packageUrl>
<cpe>cpe:/a:vmware:spring</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5915 - suppress the CVE only to avoid clash when cpe:/a:vmware:spring were to get broader use
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework(?!\.kafka).*$</packageUrl>
<cve>CVE-2023-34040</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5932
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.logback-extensions/logback-ext-spring@.*$</packageUrl>
<cpe>cpe:/a:qos:logback</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5948
]]></notes>
<packageUrl regex="true">^pkg:npm/mysql@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5913
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.projectreactor\.netty\.incubator/reactor-netty-incubator-quic@.*$</packageUrl>
<cpe>cpe:/a:quic_project:quic</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5958
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.rossillo\.mvc\.cache/spring-mvc-cache-control@.*$</packageUrl>
<cpe>cpe:/a:spring:spring</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5961
]]></notes>
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/logback-json-core@.*$</packageUrl>
<cpe>cpe:/a:json-c:json-c</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5956
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty\.incubator/netty-incubator-codec-native-quic@.*$</packageUrl>
<cpe>cpe:/a:quic_project:quic</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5966
]]></notes>
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/logback-json-classic@.*$</packageUrl>
<cpe>cpe:/a:json-c:json-c</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5953
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.asyncer/r2dbc-mysql@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5968
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty\.incubator/netty-incubator-codec-native-quic@.*$</packageUrl>
<cpe>cpe:/a:chromium_project:chromium</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5967
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty\.incubator/netty-incubator-codec-native-quic@.*$</packageUrl>
<cpe>cpe:/a:chromium:chromium</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #5939
]]></notes>
<packageUrl regex="true">^pkg:maven/xalan/xalan@.*$</packageUrl>
<cpe>cpe:/a:apache:commons_bcel</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6088
]]></notes>
<packageUrl regex="true">^pkg:nuget/CommandLineParser@.*$</packageUrl>
<cpe>cpe:/a:line:line</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6056
]]></notes>
<packageUrl regex="true">^pkg:nuget/Serilog\.Sinks\.Async@.*$</packageUrl>
<cpe>cpe:/a:async_project:async</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6041
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.flywaydb/flyway-database-postgresql@.*$</packageUrl>
<cpe>cpe:/a:postgresql:postgresql</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6038
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.lbruun\.springboot/preliquibase-spring-boot-starter@.*$</packageUrl>
<cpe>cpe:/a:liquibase:liquibase</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6138 and #6139
]]></notes>
<packageUrl regex="true">^pkg:maven/rubygems/.*@.*$</packageUrl>
<cpe>cpe:/a:rubygems:rubygems</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6170
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet-avro@.*$</packageUrl>
<cpe>cpe:/a:apache:avro</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6169
]]></notes>
<packageUrl regex="true">^pkg:maven/commons-net/commons-net@.*$</packageUrl>
<cpe>cpe:/a:ftp_project:ftp</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6313
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel-reactive-executor-tomcat@.*$</packageUrl>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6286
]]></notes>
<packageUrl regex="true">^pkg:maven/info\.picocli/picocli@.*$</packageUrl>
<cpe>cpe:/a:line:line</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6242
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jruby\.rack/jruby-rack@.*$</packageUrl>
<cpe>cpe:/a:rack_project:rack</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6199
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.r2dbc/r2dbc-mssql@.*$</packageUrl>
<cpe>cpe:/a:microsoft:sql_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6031
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.thymeleaf\.extras/thymeleaf-extras-java8time@.*$</packageUrl>
<cpe>cpe:/a:thymeleaf:thymeleaf</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6340
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.idealista/format-preserving-encryption@.*$</packageUrl>
<cpe>cpe:/a:vega_project:vega</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6367
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak-model-infinispan@.*$</packageUrl>
<cpe>cpe:/a:infinispan:infinispan</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6369
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly\.security\.elytron-web/undertow-server@.*$</packageUrl>
<cpe>cpe:/a:web_project:web</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6368
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jgroups\.azure/jgroups-azure@.*$</packageUrl>
<cpe>cpe:/a:redhat:jgroups</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6459
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.bornium/oauth2-openid@.*$</packageUrl>
<cpe>cpe:/a:openid:openid</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6460
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.hsqldb/hsqldb@.*$</packageUrl>
<cpe>cpe:/a:hyper:hyper</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6421
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.swagger/swagger-parser-safe-url-resolver@.*$</packageUrl>
<cpe>cpe:/a:parse-url_project:parse-url</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6408
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jboss\.activemq\.artemis\.integration/artemis-wildfly-integration@.*$</packageUrl>
<cpe>cpe:/a:redhat:wildfly</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6482
]]></notes>
<packageUrl regex="true">^pkg:npm/bare-os@.*$</packageUrl>
<cpe>cpe:/a:bareos:bareos</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6463
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.ktor/ktor-server-metrics-micrometer-jvm@.*$</packageUrl>
<cpe>cpe:/a:csm_server_project:csm_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #6538
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.camel\.quarkus/camel-quarkus-core@.*$</packageUrl>
<cpe>cpe:/a:apache:camel</cpe>
</suppress>
<!-- end of genereated suppressions that will be included in 9.1.1 -->
</suppressions>
