endency-check-core.5.0.0-M2.source-code.dependencycheck-base-suppression.xml Maven / Gradle / Ivy
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress base="true">
<notes><![CDATA[
This suppresses false positives for Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll.
]]></notes>
<filePath regex="true">.*Microsoft\.VisualStudio\.QualityTools\.UnitTestFramework*\.dll</filePath>
<cve>CVE-2014-3802</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives for EntityFramework.SqlServer.dll.
]]></notes>
<filePath regex="true">.*EntityFramework\.SqlServer*\.dll</filePath>
<cpe>cpe:/a:microsoft:server:6.0.0.0</cpe>
<cpe>cpe:/a:microsoft:sql_server:6.0</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on spring security.
]]></notes>
<gav regex="true">org\.springframework\.security:spring.*</gav>
<cpe>cpe:/a:mod_security:mod_security</cpe>
<cpe>cpe:/a:springsource:spring_framework</cpe>
<cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
<cpe>cpe:/a:pivotal:spring_framework</cpe>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on spring security.
]]></notes>
<filePath regex="true">.*spring-security-[^\\/]*\.jar$</filePath>
<cpe>cpe:/a:mod_security:mod_security</cpe>
<cpe>cpe:/a:springsource:spring_framework</cpe>
<cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
<cpe>cpe:/a:pivotal:spring_framework</cpe>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Don't flag specific CVEs for spring framework related components (i.e. org.springframework.data).
]]></notes>
<gav regex="true">^org\.springframework\..*$</gav>
<cve>CVE-2016-9878</cve>
<cve>CVE-2018-1270</cve>
<cve>CVE-2018-1271</cve>
<cve>CVE-2018-1272</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per #1513. Spring-boot-starter-data-rest is not data-rest (however, it does
depend on spring-data-rest so the actual library will get flagged instead of the "boot" version
being flagged as spring-data-rest with the wrong version number)
]]></notes>
<gav regex="true">^org\.springframework\.boot:spring-boot-starter-data-rest:.*$</gav>
<cpe>cpe:/a:pivotal_software:spring_data_rest</cpe>
<cpe>cpe:/a:pivotal_software:spring_boot</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppreses additional false positives for the xstream library that occur because spring has a copy of this library.
com.springsource.com.thoughtworks.xstream-1.3.1.jar
]]></notes>
<gav regex="true">com\.thoughtworks\.xstream:xstream:.*</gav>
<cpe>cpe:/a:springsource:spring_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on velocity tools.
]]></notes>
<gav regex="true">org\.apache\.velocity:velocity-tools:.*</gav>
<cpe>cpe:/a:apache:struts</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
1. Sandbox is a php blog platform and should not be flagged as a CPE for java or .net dependencies.
2. Open media is php and won't be in a jar, dll, etc. See issue #814.
3. file and file_project are not assembiles or java libraries
4. Shim is *nix and is not an assembly or java lib.
5. date_project is a drupal library
6. net dns is a php module
7. Even if a node.js package exists - we aren't flagging the entire node.js
8. Context project is drupal plugin
9. mail_project is ruby library
10. ldap_project is part of type3 written in php
11. user import project is used in drupal (i.e. php)
12. root is a c++ project https://github.com/root-project/root/
13. xml_sec is a C library for XML security
14. rest easy project is ruby library
15. hub_project is a ruby library (#1130)
16. views_project is a drupal plugin (#1077)
17. restful_web_services_project:restful_web_services is a drupal plugin (#1077)
18. font_project is a php library (#1166)
19. amazon_aws_project is a drupal utility (#1290)
20. google android should not be flagged for the base library
21. ws_project is a node websocket client (#1535)
22. first_project first is an Ethereum smart contract (#1588)
23. interact is a php project (#1609)
24. finder is drupal plugin (#1626)
25. archiver project is a golang module (#1627)
26. r_project is the r programming language
27. r_project is the r programming language
28. cpe:/a:jwt_project:jwt is a php library (#1697)
29. remove FP on git
30. remove FP on git
31. remove FP on git
32. Suppresses false positives on .NET mono
33. Suppresses false positives on .NET mono
34. Suppresses false positives on .NET mono
]]></notes>
<filePath regex="true">.*(\.(dll|jar|ear|war|pom|nupkg|nuspec|aar)|pom\.xml|package.json|packages.config)$</filePath>
<cpe>cpe:/a:sandbox:sandbox</cpe>
<cpe>cpe:/a:openmedia:openmedia</cpe>
<cpe>cpe:/a:file_project:file</cpe>
<cpe>cpe:/a:file:file</cpe>
<cpe>cpe:/a:shim:shim</cpe>
<cpe>cpe:/a:shim_project:shim</cpe>
<cpe>cpe:/a:date_project:date</cpe>
<cpe>cpe:/a:net_dns:net_dns</cpe>
<cpe>cpe:/a:nodejs:node.js</cpe>
<cpe>cpe:/a:nodejs:nodejs</cpe>
<cpe>cpe:/a:context_project:context</cpe>
<cpe>cpe:/a:mail_project:mail</cpe>
<cpe>cpe:/a:ldap_project:ldap</cpe>
<cpe>cpe:/a:user_import_project:user_import</cpe>
<cpe>cpe:/a:root:root</cpe>
<cpe>cpe:/a:xmlsec_project:xmlsec</cpe>
<cpe>cpe:/a:rest-client_project:rest-client</cpe>
<cpe>cpe:/a:hub_project:hub</cpe>
<cpe>cpe:/a:views_project:views</cpe>
<cpe>cpe:/a:restful_web_services_project:restful_web_services</cpe>
<cpe>cpe:/a:php:php</cpe>
<cpe>cpe:/a:font_project:font</cpe>
<cpe>cpe:/a:amazon_aws_project:amazon_aws</cpe>
<cpe>cpe:/a:google:android</cpe>
<cpe>cpe:/a:ws_project:ws</cpe>
<cpe>cpe:/a:first_project:first</cpe>
<cpe>cpe:/a:interact:interact</cpe>
<cpe>cpe:/a:finder_project:finder</cpe>
<cpe>cpe:/a:archiver_project:archiver</cpe>
<cpe>cpe:/a:r_project:r</cpe>
<cpe>cpe:/a:jwt_project:jwt</cpe>
<cpe>cpe:/a:git_project:git</cpe>
<cpe>cpe:/a:git:git</cpe>
<cpe>cpe:/a:git_for_windows_project:git_for_windows</cpe>
<cpe>cpe:/a:mono-project:mono</cpe>
<cpe>cpe:/a:mono:mono</cpe>
<cpe>cpe:/a:mono_project:mono</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppress false positives by technology:
1. dash
2. node.js modules (#1095)
3. active directorty (#1091)
4. active directorty (#1091)
5. active directorty (#1091)
5. snmp (#1248)
5. snmp (#1248)
6. python (#1055)
7. python (#1055)
8. CVE-2017-16046 is for the node.js npm mariadb client (#1364)
9. sqlserver_project is a node js module (#1388)
]]></notes>
<filePath regex="true">.*(\.(jar|ear|war|pom)|pom\.xml)$</filePath>
<cpe>cpe:/a:dash:dash</cpe>
<cpe>cpe:/a:mustache.js_project:mustache.js</cpe>
<cpe>cpe:/a:microsoft:active_directory</cpe>
<cpe>cpe:/a:microsoft:active_directory_federation_services</cpe>
<cpe>cpe:/a:microsoft:active_directory_services</cpe>
<cpe>cpe:/a:snmp:snmp</cpe>
<cpe>cpe:/a:net-snmp:net-snmp</cpe>
<cpe>cpe:/a:python:python</cpe>
<cpe>cpe:/a:python_software_foundation:python</cpe>
<cve>CVE-2017-16046</cve>
<cpe>cpe:/a:sqlserver_project:sqlserver</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on Jersey core client.
]]></notes>
<gav regex="true">(com\.sun\.jersey|org\.glassfish\.jersey\.core):jersey-(client|common):.*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
<cpe>cpe:/a:oracle:oracle_client</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1614.
]]></notes>
<gav regex="true">^eu\.bitwalker:UserAgentUtils:.*$</gav>
<cpe>cpe:/a:useragent_project:useragent</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1599
]]></notes>
<gav regex="true">^com\.atlassian\.http:atlassian-http:.*$</gav>
<cpe>cpe:/a:atlassian:bitbucket</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1595
]]></notes>
<gav regex="true">^org\.springframework\.security:spring-security-jwt:.*$</gav>
<cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
<cpe>cpe:/a:pivotal_software:spring_security_oauth</cpe>
<cpe>cpe:/a:jwt_project:jwt</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1594
]]></notes>
<gav regex="true">^org\.jfrog\.artifactory\.client:artifactory-java-client-api:.*$</gav>
<cve>CVE-2016-6501</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1590
]]></notes>
<gav regex="true">^com\.cybersource:flex-server-sdk:.*$</gav>
<cpe>cpe:/a:flex_project:flex</cpe>
<cpe>cpe:/a:id:id-software</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1587
]]></notes>
<gav regex="true">^org\.apache\.felix:org\.apache\.felix\.configadmin:.*$</gav>
<cpe>cpe:/a:cm_project:cm</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1587
]]></notes>
<gav regex="true">^com\.liferay:org\.apache\.felix\.configadmin:.*$</gav>
<cpe>cpe:/a:cm_project:cm</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1585
]]></notes>
<gav regex="true">^org\.apache\.geronimo\.javamail:geronimo-javamail_1\.4_mail:.*$</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1585
]]></notes>
<gav regex="true">^geronimo-spec:geronimo-spec-javamail:.*$</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1585
]]></notes>
<gav regex="true">^org\.apache\.geronimo\.javamail:geronimo-javamail_1\.4_provider:.*$</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue #1566
]]></notes>
<gav regex="true">^org\.springframework\.security\.oauth\.boot:spring-security-oauth2-autoconfigure:.*$</gav>
<cpe>cpe:/a:pivotal_software:spring_security_oauth</cpe>
<cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives per issue 1581
]]></notes>
<gav regex="true">^org\.apache\.activemq:artemis.*$</gav>
<cpe>cpe:/a:apache:apache_http_server</cpe>
<cpe>cpe:/a:apache:http_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Supresses false positives on jersey-apache-client4
]]></notes>
<gav regex="true">com\.sun\.jersey\.contribs:jersey-apache-client.*</gav>
<cpe>cpe:/a:apache:httpclient</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on glassfish and grizzly. Updated per issue #672.
]]></notes>
<gav regex="true">org\.glassfish(\.(web|grizzly)):.*(json|faces|jstl|grizzly).*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
<cpe>cpe:/a:oracle:glassfish_server</cpe>
</suppress>
<!--suppress base="true">
<notes><![CDATA[
This was added to a broader suppression ruleg
Suppresses false positives on ldap_project (issue #165).
]]></notes>
<gav regex="true">org\.forgerock\.opendj:opendj-ldap-sdk:.*</gav>
<cpe>cpe:/a:ldap_project:ldap</cpe>
</suppress-->
<suppress base="true">
<notes><![CDATA[
FP per #1485
]]></notes>
<gav regex="true">^org\.sonatype\.plexus:plexus-sec-dispatcher:.*$</gav>
<cpe>cpe:/a:sec_project:sec</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1479
]]></notes>
<gav regex="true">^com.amazonaws:aws-java-sdk-simpleworkflow:.*$</gav>
<cpe>cpe:/a:flow_project:flow</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1479
]]></notes>
<gav regex="true">^com.amazonaws:aws-java-sdk-swf-libraries:.*$</gav>
<cpe>cpe:/a:flow_project:flow</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1229
]]></notes>
<gav regex="true">^org\.slf4j:((?!slf4j-ext).)*:.*$</gav>
<cve>CVE-2018-8088</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1027
]]></notes>
<gav regex="true">^com\.github\.danielwegener:logback-kafka-appender:.*$</gav>
<cpe>cpe:/a:logback:logback</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
httpmime is not the same as th actual http client; suppressing this match.
]]></notes>
<gav regex="true">^org\.apache\.httpcomponents:httpmime:.*$</gav>
<cpe>cpe:/a:apache:httpclient</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1515
]]></notes>
<gav regex="true">^org\.eclipse\.jetty\.alpn:alpn-api:.*$</gav>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Resolve FP that caused ant task IT to fail.
]]></notes>
<gav regex="true">^jetty:org\.mortbay\.jetty:.*$</gav>
<cpe>cpe:/a:apache:http_server</cpe>
<cpe>cpe:/a:apache:apache_http_server</cpe>
<cpe>cpe:/a:free_java_web_server:free_java_web_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP on jetty-proxy
]]></notes>
<gav regex="true">^org\.eclipse\.jetty:jetty-proxy:.*$</gav>
<cpe>cpe:/a:eclipse:jetty</cpe>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives found while investigating https://github.com/jeremylong/dependency-check-gradle/issues/103
]]></notes>
<gav regex="true">^com\.facebook\.android:facebook-android-sdk:.*$</gav>
<cpe>cpe:/a:facebook:facebook</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives found while investigating https://github.com/jeremylong/dependency-check-gradle/issues/103
]]></notes>
<gav regex="true">^com\.amazonaws:aws-android-sdk-cognitoidentityprovider-asf:.*$</gav>
<cpe>cpe:/a:android:android_sdk</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives found while investigating https://github.com/jeremylong/dependency-check-gradle/issues/103
]]></notes>
<gav regex="true">^org\.jetbrains:annotations:.*$</gav>
<cpe>cpe:/a:jetbrains:intellij_idea</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1027
]]></notes>
<gav regex="true">^org\.springframework\.kafka:spring-kafka.*$</gav>
<cpe>cpe:/a:pivotal:spring_framework</cpe>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1328
]]></notes>
<gav regex="true">^org\.springframework\.batch:spring-batch.*$</gav>
<cpe>cpe:/a:pivotal:spring_framework</cpe>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on the org.opensaml:xmltooling
FP per issue #945
]]></notes>
<gav regex="true">org\.opensaml:xmltooling:.*</gav>
<cpe>cpe:/a:shibboleth:opensaml</cpe>
<cpe>cpe:/a:internet2:opensaml</cpe>
<cve>CVE-2015-0851</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP found when researching #1091
]]></notes>
<gav regex="true">^com\.nimbusds:nimbus-jose-jwt:.*$</gav>
<cpe>cpe:/a:jwt_project:jwt</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on the org.opensaml:openws
]]></notes>
<gav regex="true">org\.opensaml:openws:.*</gav>
<cpe>cpe:/a:internet2:opensaml</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives for python:python.
]]></notes>
<filePath regex="true">.*(\.(whl|egg)|\b(site|dist)-packages\b.*)</filePath>
<cpe>cpe:/a:python:python</cpe>
<cpe>cpe:/a:python_software_foundation:python</cpe>
<cpe>cpe:/a:class:class</cpe>
<cpe>cpe:/a:file:file</cpe>
<cpe>cpe:/a:gnupg:gnupg</cpe>
<cpe>cpe:/a:mongodb:mongodb</cpe>
<cpe>cpe:/a:mozilla:mozilla</cpe>
<cpe>cpe:/a:openssl:openssl</cpe>
<cpe>cpe:/a:sendfile:sendfile</cpe>
<cpe>cpe:/a:sendmail:sendmail</cpe>
<cpe>cpe:/a:yacc:yacc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives for com.google:.*
]]></notes>
<gav regex="true">com\.google(\.[a-zA-Z0-9_-]+)?:.*:.*</gav>
<cpe>cpe:/a:google:desktop</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives for non-android JARs from google.
]]></notes>
<gav regex="true">com\.google\.((?!android).)*:.*</gav>
<cpe>cpe:/a:google:android</cpe>
<cpe>cpe:/a:google:android_api</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives for android JARs in g:com.google.android
]]></notes>
<gav regex="true">com\.google\.android\..*:.*</gav>
<cpe>cpe:/a:google:android</cpe>
<cpe>cpe:/a:google:android_api</cpe>
<cpe>cpe:/a:google:google</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses incorrect identification for bing ads.
]]></notes>
<gav regex="true">com.microsoft.bingads:microsoft.bingads:.*</gav>
<cpe>cpe:/a:microsoft:bing</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Oracle Jersey is flagged as glassfish.
]]></notes>
<gav regex="true">.*jersey.*</gav>
<cpe>cpe:/a:oracle:glassfish_server</cpe>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Oracle HK2 is flagged as glassfish.
]]></notes>
<gav regex="true">.*\bhk2\b.*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
HK2-utils is flagged as glassfish.
]]></notes>
<filePath regex="true">.*\bhk2-utils.*\.jar</filePath>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: petals-se-camel-1.0.0.jar - false positive for apache camel.
]]></notes>
<gav regex="true">org.ow2.petals:petals-se-camel:.*</gav>
<cpe>cpe:/a:apache:camel</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Mina gets flagged as apache-ssl
]]></notes>
<gav regex="true">org.apache.mina:mina.*</gav>
<cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Woden gets flagged as apache-ssl
]]></notes>
<gav regex="true">org.apache.woden:woden.*</gav>
<cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
spec gets flagged as the implementation.
]]></notes>
<gav regex="true">org.apache.geronimo.specs:.*</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on tomcat-embed-el.
]]></notes>
<gav regex="true">org\.apache\.tomcat\.embed:tomcat-embed-el:.*</gav>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
<cpe>cpe:/a:apache_software_foundation:tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on tomcat-el-api and servlet api.
See #1437.
]]></notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-(servlet|el)-api:.*$</gav>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
<cpe>cpe:/a:apache_software_foundation:tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on tomcat-jdbc.
]]></notes>
<gav regex="true">org\.apache\.tomcat:tomcat-jdbc:.*</gav>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on tomcat-juli.
]]></notes>
<gav regex="true">org\.apache\.tomcat:tomcat-juli:.*</gav>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positive per issue #433
]]></notes>
<gav regex="true">com\.google\.javascript:closure-compiler:.*</gav>
<cpe>cpe:/a:google:google_apps:-</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positives per issue #437
]]></notes>
<gav regex="true">.*mongodb.*:.*:.*</gav>
<cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positives per issue #1620
]]></notes>
<gav regex="true">^javax\.jmdns:jmdns:.*$</gav>
<cpe>cpe:/a:apple:</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positives per issue #1621
]]></notes>
<gav regex="true">^org\.apache\.xbean:xbean.*$</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positives per issue #1622
]]></notes>
<gav regex="true">^org\.openjdk\.jmh:jmh-core:.*$</gav>
<cpe>cpe:/a:sun:openjdk</cpe>
<cpe>cpe:/a:oracle:openjdk</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positives per issue #1621
]]></notes>
<gav regex="true">^org\.apache\.geronimo\.components:geronimo-transaction:.*$</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positives per issue #438
Note, there will be more false positives for Netty. Trying to figure out a better suppression.
]]></notes>
<gav regex="true">com.typesafe.netty:netty-http-pipelining:.*</gav>
<cpe>cpe:/a:netty_project:netty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
JVM instrumentation to Ganglia
]]></notes>
<gav regex="true">info\.ganglia\.gmetric4j:gmetric4j:.*</gav>
<cpe>cpe:/a:ganglia:ganglia</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
A reporter for Metrics which announces measurements to a Ganglia cluster
]]></notes>
<gav regex="true">io\.dropwizard\.metrics:metrics-ganglia:.*</gav>
<cpe>cpe:/a:ganglia:ganglia</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives
]]></notes>
<gav regex="true">io\.dropwizard:dropwizard-jetty:.*</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives
]]></notes>
<gav regex="true">io\.dropwizard\.metrics:metrics-jetty:.*</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives. Updated per issue #796.
]]></notes>
<gav regex="true">org\.eclipse\.jetty\.toolchain\.setuid:jetty-setuid-java:.*</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per issue #796
]]></notes>
<gav regex="true">^org\.eclipse\.jetty:jetty-io:.*$</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives
]]></notes>
<gav regex="true">org\.eclipse\.jetty:jetty-io:.*</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives
]]></notes>
<gav regex="true">org\.eclipse\.jetty\.http2:http2-hpack:.*</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives
]]></notes>
<gav regex="true">io\.dropwizard\.metrics:metrics-httpclient:.*</gav>
<cpe>cpe:/a:apache:httpclient</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue https://github.com/jeremylong/dependency-check-gradle/issues/61
]]></notes>
<gav regex="true">^org\.eclipse\.jetty\.toolchain:jetty-schemas:.*$</gav>
<cpe>cpe:/a:mortbay_jetty:jetty</cpe>
<cpe>cpe:/a:mortbay:jetty</cpe>
<cpe>cpe:/a:jetty:jetty</cpe>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
javax.transaction and javax.annotation (#1629) false positives
]]></notes>
<gav regex="true">javax\.(annotation|transaction):javax\.(annotation|transaction)-api:.*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per #1630
]]></notes>
<gav regex="true">^org\.apache\.directory\.api:api-ldap.*$</gav>
<cpe>cpe:/a:apache:apache_http_server</cpe>
<cpe>cpe:/a:apache:directory_studio</cpe>
<cpe>cpe:/a:apache:ldap_studio</cpe>
<cpe>cpe:/a:net-ldap_project:net-ldap</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per #1631
]]></notes>
<gav regex="true">^org\.apache\.servicemix\.bundles:org\.apache\.servicemix\.bundles\.not-yet-commons-ssl:.*$</gav>
<cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per #1635
]]></notes>
<gav regex="true">^org\.apache\.cxf\.fediz:fediz-core:.*$</gav>
<cpe>cpe:/a:apache:cxf</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive in drop wizard
]]></notes>
<filePath regex="true">.*(\.(jar|ear|war|pom)|pom\.xml)</filePath>
<cpe>cpe:/a:tiger:tiger</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
php cpe
]]></notes>
<filePath regex="true">.*(\.(dll|jar|ear|war|pom)|pom\.xml)</filePath>
<cpe>cpe:/a:class:class</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Linux ssh False Positives
]]></notes>
<filePath regex="true">.*(\.(jar|ear|war|pom)|pom\.xml)</filePath>
<cpe>cpe:/a:pam:pam</cpe>
<cpe>cpe:/a:pam_ssh:pam_ssh</cpe>
<cpe>cpe:/a:sun:linux</cpe>
<cpe>cpe:/a:sun:sunos</cpe>
<cpe>cpe:/a:oracle:linux</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
JRK False Positives
]]></notes>
<filePath regex="true">.*(\.(jar|ear|war|pom)|pom\.xml)</filePath>
<cpe>cpe:/a:sun:java</cpe>
<cpe>cpe:/a:sun:jdk</cpe>
<cpe>cpe:/a:sun:j2se</cpe>
<cpe>cpe:/a:sun:j_se</cpe>
<cpe>cpe:/a:sun:j_se</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
fontbox is a sub project of pdfbox. CPE vulns don't apply.
]]></notes>
<gav regex="true">^org\.apache\.pdfbox:fontbox:.*$</gav>
<cpe>cpe:/a:apache:pdfbox</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
https://tukaani.org/xz/java.html
]]></notes>
<gav regex="true">^org\.tukaani:xz:.*$</gav>
<cve>CVE-2015-4035</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
https://github.com/processing/processing is not javax
]]></notes>
<gav regex="true">^(javax\.json|org\.glassfish):javax\.json(-api)?:.*$</gav>
<cpe>cpe:/a:processing:processing</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
https://github.com/ojai/ojai is not mapr
]]></notes>
<gav regex="true">^org\.ojai:ojai:.*$</gav>
<cpe>cpe:/a:mapr:mapr</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
dependency-track is not track+
]]></notes>
<gav regex="true">^org\.jenkins-ci\.plugins:dependency-track:.*$</gav>
<cpe>cpe:/a:track%2b:track%2b</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Jenkins plugins are should not be flagged as Jenkins.
]]></notes>
<gav regex="true">^org\.jenkins-ci\.plugins:.*$</gav>
<cpe>cpe:/a:jenkins:jenkins</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Maven plugin for developing Jenkins plugins.
]]></notes>
<gav regex="true">^org\.jenkins-ci\.tools:maven-hpi-plugin:.*$</gav>
<cpe>cpe:/a:jenkins:jenkins</cpe>
<cpe>cpe:/a:jenkins:maven</cpe>
</suppress>
<suppress>
<notes><![CDATA[
FP on dependency-check-gradle
]]></notes>
<gav regex="true">^org\.owasp:dependency-check-gradle:.*$</gav>
<cpe>cpe:/a:gradle:gradle</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
remove FP on Jenkins.
]]></notes>
<gav regex="true">^(?!org\.jenkins-ci\.main:jenkins-war).*$</gav>
<cpe>cpe:/a:jenkins:jenkins</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
filter out non-glassfish core
]]></notes>
<gav regex="true">^(?!org\.glassfish\.main\.core:glassfish).*$</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Grizzly is not Async Http Client
]]></notes>
<gav regex="true">^org\.glassfish\.grizzly:grizzly-http-client:.*$</gav>
<cpe>cpe:/a:async-http-client_project:async-http-client</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
don't flag scala modules as scala
]]></notes>
<gav regex="true">^org\.scala-lang\.modules:.*$</gav>
<cpe>cpe:/a:scala-lang:scala</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
don't flag maven plugin components as the jenkins maven plugin itself
]]></notes>
<gav regex="true">^(?!org\.jenkins-ci\.main:maven-plugin):.*$</gav>
<cpe>cpe:/a:jenkins:maven</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
don't flag jruby extensions as jruby
]]></notes>
<gav regex="true">^org\.jruby\.ext.*$</gav>
<cpe>cpe:/a:jruby:jruby</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
elastic search false postivies
]]></notes>
<gav regex="true">org\.elasticsearch:securesm:.*</gav>
<cpe>cpe:/a:elasticsearch:elasticsearch</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
wink-json false positive
]]></notes>
<gav regex="true">^org\.apache\.wink:wink-json4j:.*$</gav>
<cpe>cpe:/a:wink:wink</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Glassfish false positives. Added jws per #1640
]]></notes>
<gav regex="true">^javax\.(jws|servlet):javax\.(jws|servlet)-api:.*$</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Glassfish false positives.
]]></notes>
<gav regex="true">org\.glassfish:javax.el:.*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per #1641
]]></notes>
<gav regex="true">^org\.pac4j:pac4j-oidc:.*$</gav>
<cpe>cpe:/a:openid:openid</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Struts false positives.
]]></notes>
<gav regex="true">sslext:sslext:.*</gav>
<cpe>cpe:/a:apache:struts</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
ACtiveMQ false positives.
]]></notes>
<gav regex="true">org\.apache\.activemq:activemq-pool.*</gav>
<cpe>cpe:/a:apache:activemq</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
ACtiveMQ false positives.
]]></notes>
<gav regex="true">org\.apache\.activemq:artemis.*</gav>
<cpe>cpe:/a:apache:activemq</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Spring data mongodb false positives.
]]></notes>
<gav regex="true">org\.springframework\.data:spring-data-mongodb.*</gav>
<cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Spring data neo4j false positives.
]]></notes>
<gav regex="true">org\.springframework\.data:spring-data-neo4j:.*</gav>
<cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
<cpe>cpe:/a:pivotal:spring_framework</cpe>
<cpe>cpe:/a:neo4j:neo4j</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Spring data solr false positives.
]]></notes>
<gav regex="true">org\.springframework\.data:spring-data-solr:.*</gav>
<cpe>cpe:/a:apache:solr</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Spring social facebook false positive.
]]></notes>
<gav regex="true">org\.springframework\.social:spring-social-facebook:.*</gav>
<cpe>cpe:/a:facebook:facebook</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Spring Security JWT false positive.
]]></notes>
<gav regex="true">org\.springframework\.security:spring-security-jwt.*</gav>
<cpe>cpe:/a:vmware:springsource_spring_security</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Aether false positive.
]]></notes>
<gav regex="true">org\.eclipse\.aether:aether.*</gav>
<cpe>cpe:/a:eclipse:eclipse_ide</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1673
]]></notes>
<gav regex="true">^org\.glassfish\.jersey\.media:jersey-media-moxy:.*$</gav>
<cpe>cpe:/a:eclipse:eclipse_ide</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Drupal services false positive.
Pyro is a python project.
]]></notes>
<filePath regex="true">.*(\.(jar|ear|war|pom)|pom\.xml)</filePath>
<cpe>cpe:/a:services_project:services</cpe>
<cpe>cpe:/a:pyro_project:pyro</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
jenkins-client false positives
]]></notes>
<gav regex="true">com\.offbytwo\.jenkins:jenkins-client:.*</gav>
<cpe>cpe:/a:jenkins:jenkins</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
xstream false positives
]]></notes>
<gav regex="true">^(?!com.thoughtworks).*xstream.*$</gav>
<cpe>cpe:/a:x-stream:xstream</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per issue #582
]]></notes>
<gav regex="true">^org\.glassfish\.jersey\.ext:jersey-proxy-client:.*$</gav>
<cpe>cpe:/a:oracle:oracle_client</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per issue #777
]]></notes>
<gav regex="true">^org\.glassfish\.jersey\.ext:jersey-metainf-services:.*$</gav>
<cpe>cpe:/a:services_project:services:</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: smiley-http-proxy-servlet-1.7.jar
]]></notes>
<gav regex="true">^org\.mitre\.dsmiley\.httpproxy:smiley-http-proxy-servlet:.*$</gav>
<cpe>cpe:/a:shttp:shttp</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This CVE is disputed by the vendor and is not considered an issue.
]]></notes>
<filePath regex="true">.*</filePath>
<cve>CVE-2007-6059</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
These CVEs only affect jackson-dataformat-xml. See issue #517, #751, and #792.
]]></notes>
<gav regex="true">(org\.codehaus\.jackson|com\.fasterxml\.jackson\.(core|module|datatype|jaxrs)):jackson.*</gav>
<cve>CVE-2016-3720</cve>
<cve>CVE-2016-7051</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1344
]]></notes>
<gav regex="true">^com\.github\.docker-java:docker-java:.*$</gav>
<cve>CVE-2017-7297</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
These CVE only affects jackson-dataformat-xml. See issue #517.
]]></notes>
<gav regex="true">com\.fasterxml\.jackson\.dataformat:jackson(?!\-dataformat\-xml).*</gav>
<cve>CVE-2016-3720</cve>
<cve>CVE-2016-7051</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives per issue #642
]]></notes>
<gav regex="true">^org\.springframework\.boot:spring-boot.*$</gav>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
<cpe>cpe:/a:pivotal:spring_framework</cpe>
<cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives per issue #642
]]></notes>
<gav regex="true">^org\.springframework:spring-context:.*$</gav>
<cpe>cpe:/a:context_project:context</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Node.js false positives per issues #512 and #510
]]></notes>
<filePath regex="true">.*package\.json$</filePath>
<cpe>cpe:/a:file_project:file</cpe>
<cpe>cpe:/a:file:file</cpe>
<cpe>cpe:/a:shim:shim</cpe>
<cpe>cpe:/a:shim_project:shim</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives on python.
]]></notes>
<filePath regex="true">.*__init__\.py$</filePath>
<cpe>cpe:/a:shim:shim</cpe>
<cpe>cpe:/a:python:python</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives per #1314.
]]></notes>
<filePath regex="true">.*PKG-INFO$</filePath>
<cpe>cpe:/a:nodejs:nodejs</cpe>
<cpe>cpe:/a:nodejs:node.js</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
checkpoint firewall is not at the application layer.
]]></notes>
<filePath regex="true">.*</filePath>
<cpe>cpe:/a:checkpoint:check_point</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Bouncy Castle Time Stamp Protocol is not related to openpgp.
]]></notes>
<gav regex="true">^org\.bouncycastle:bctsp.*$</gav>
<cpe>cpe:/a:openpgp:openpgp</cpe>
<cpe>cpe:/a:pgp:openpgp</cpe>
<cpe>cpe:/a:pgp:pgp</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Apache XML Graphics is used by Batik - but should not be identified as batik.
]]></notes>
<gav regex="true">^org\.apache\.xmlgraphics:xmlgraphics-commons:.*$</gav>
<cpe>cpe:/a:apache:batik</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive suppression per issue #664 for JJWT - A Java and Android JSON Web Token library
]]></notes>
<gav regex="true">^io\.jsonwebtoken:jjwt:.*$</gav>
<cpe>cpe:/a:sonatype:nexus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive suppresion per issue #679 - jcore is a php wbe cms.
]]></notes>
<gav regex="true">^org\.apache\.james:apache-mime4j-core:.*$</gav>
<cpe>cpe:/a:jcore:jcore</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive
]]></notes>
<gav regex="true">^javax\.servlet:servlet-api:.*$</gav>
<cpe>cpe:/a:sun:one_application_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives per issue #684.
]]></notes>
<gav regex="true">^org\.apache\.tomcat\.embed:tomcat-embed.*$</gav>
<cve>CVE-2017-6056</cve>
<cve>CVE-2016-6325</cve>
<cve>CVE-2016-5425</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #691
]]></notes>
<gav regex="true">^org\.springframework\.boot:spring-boot-starter-data-jpa:.*$</gav>
<cve>CVE-2016-6652</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #699
]]></notes>
<gav regex="true">^com\.splunk:splunk:.*$</gav>
<cpe>cpe:/a:splunk:splunk</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #713
]]></notes>
<gav regex="true">^org\.openid4java:openid4java:.*$</gav>
<cpe>cpe:/a:openid:openid</cpe>
<cpe>cpe:/a:openid:openid4java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #700
]]></notes>
<gav regex="true">^org\.springframework\.cloud:spring-cloud-netflix-core:.*$</gav>
<cpe>cpe:/a:pivotal:spring_framework</cpe>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #700
]]></notes>
<gav regex="true">^org\.springframework\.cloud:spring-cloud-.*$</gav>
<cpe>cpe:/a:pivotal:spring_framework</cpe>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
<cpe>cpe:/a:context_project:context</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False Positive per issue #746
]]></notes>
<gav regex="true">^com\.artofsolving:jodconverter:.*$</gav>
<cpe>cpe:/a:openoffice:openoffice.org</cpe>
<cpe>cpe:/a:openoffice:openoffice</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False Positive per issue #743
]]></notes>
<gav regex="true">^org\.xerial:sqlite-jdbc:.*$</gav>
<cve>CVE-2015-3717</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
newrelic-agent false positives due to the instrumentation package (see issue #781)
]]></notes>
<filePath regex="true">.*newrelic-?agent.*\.jar[\\\/]instrumentation.*\.jar</filePath>
<cpe regex="true">.*</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False Positices per issue #823
]]></notes>
<gav regex="true">^io\.swagger:.*$</gav>
<cpe>cpe:/a:sonatype:nexus</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #838
]]></notes>
<gav regex="true">^org\.springframework\.boot:.*$</gav>
<cpe>cpe:/a:pivotal_software:spring_data_jpa</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #851 and #1073
]]></notes>
<gav regex="true">^com\.ibm\.icu:icu4j:.*$</gav>
<cpe regex="true">cpe:/a:icu[_-]project:international[_-]components[_-]for[_-]unicode:.*</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #854
]]></notes>
<gav regex="true">^com\.vaadin\.external\.google:android-json:.*$</gav>
<cpe>cpe:/a:google:android</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
json library is not glassfish server.
]]></notes>
<gav regex="true">^org\.glassfish:javax\.json:.*$</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: activerecord-oracle_enhanced-adapter-1.1.7.gemspec
]]></notes>
<filePath regex="true">.*activerecord.*oracle.*\.gemspec</filePath>
<cpe>cpe:/a:ruby-i18n:i18n</cpe>
<cpe>cpe:/a:mikel_lindsaar:mail</cpe>
<cpe>cpe:/a:rest-client_project:rest-client</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per issue #915
]]></notes>
<gav regex="true">^net\.thisptr:jackson-jq:.*$</gav>
<cpe>cpe:/a:jq_project:jq</cpe>
<cpe>cpe:/a:id:id-software</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per issue #915
]]></notes>
<gav regex="true">^org\.jruby\.jcodings:jcodings:.*$</gav>
<cpe>cpe:/a:jruby:jruby</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per issue #915
]]></notes>
<gav regex="true">^org\.jruby\.joni:joni:.*$</gav>
<cpe>cpe:/a:jruby:jruby</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per issue #915
]]></notes>
<gav regex="true">^org\.apache\.cxf\.xjc-utils:cxf-xjc-runtime:.*$</gav>
<cpe>cpe:/a:apache:cxf</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positives per issue #915
]]></notes>
<gav regex="true">^javax\.validation:validation-api:.*$</gav>
<cpe>cpe:/a:bean_project:bean</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per issue #914
]]></notes>
<gav regex="true">^org\.apache\.struts\.xwork:xwork-core:.*$</gav>
<cpe>cpe:/a:apache:struts</cpe>
</suppress>
<!--suppress base="true">
<notes><![CDATA[
This was added to a broader suppression.
false positive per issue #908
]]></notes>
<gav regex="true">^com\.unboundid:unboundid-ldapsdk:.*$</gav>
<cpe>cpe:/a:ldap_project:ldap</cpe>
</suppress-->
<suppress base="true">
<notes><![CDATA[
spring-session has a different version numbering than spring-core. See #1399
]]></notes>
<gav regex="true">^org\.springframework\.session:spring-session-(core|data-).*$</gav>
<cpe>cpe:/a:pivotal:spring_framework</cpe>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1398
]]></notes>
<gav regex="true">^net\.lingala\.zip4j:zip4j:.*$</gav>
<cpe>cpe:/a:zip_project:zip</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1398
]]></notes>
<gav regex="true">^net\.java\.truevfs:truevfs-comp-zip:.*$</gav>
<cpe>cpe:/a:zip_project:zip</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1398
]]></notes>
<gav regex="true">^net\.java\.truevfs:truevfs-driver-zip:.*$</gav>
<cpe>cpe:/a:zip_project:zip</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1424
]]></notes>
<gav regex="true">^stax:stax-api:.*$</gav>
<cpe>cpe:/a:st_project:st</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per issue #894
]]></notes>
<gav regex="true">^org\.apache\.pdfbox:fontbox:.*$</gav>
<cpe>cpe:/a:font_project:font</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per issue #1093
]]></notes>
<gav regex="true">^com\.itextpdf:font-asian:.*$</gav>
<cpe>cpe:/a:font_project:font</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per issue #859
]]></notes>
<gav regex="true">^org\.kohsuke:github-api:.*$</gav>
<cpe>cpe:/a:hub_project:hub</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: hystrix-rx-netty-metrics-stream-1.5.12.jar
]]></notes>
<gav regex="true">^com\.netflix\.hystrix:hystrix-rx-netty-metrics-stream:.*$</gav>
<cpe>cpe:/a:netty_project:netty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #1068
]]></notes>
<gav regex="true">^org\.asynchttpclient:netty-codec-dns:.*$</gav>
<cpe>cpe:/a:dns-sync_project:dns-sync</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #1068
]]></notes>
<gav regex="true">^org\.asynchttpclient:async-http-client-netty-utils:.*$</gav>
<cpe>cpe:/a:async-http-client_project:async-http-client</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #1068
]]></notes>
<gav regex="true">^org\.asynchttpclient:netty-resolver-dns:.*$</gav>
<cpe>cpe:/a:dns-sync_project:dns-sync</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #1068
]]></notes>
<gav regex="true">^(?!(io\.netty|org\.jboss\.netty)).*:.*netty.*$</gav>
<cpe>cpe:/a:netty_project:netty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: cassandra-thrift-1.2.11.jar
]]></notes>
<gav regex="true">^org\.apache\.cassandra:cassandra-thrift:.*$</gav>
<cpe>cpe:/a:apache:thrift</cpe>
<cpe>cpe:/a:apache:cassandra</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: xbean-bundleutils-3.11.1.jar
]]></notes>
<gav regex="true">^org\.apache\.xbean:xbean-bundleutils:.*$</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: xbean-finder-3.11.1.jar
]]></notes>
<gav regex="true">^org\.apache\.xbean:xbean-finder:.*$</gav>
<cpe>cpe:/a:finder_project:finder</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: annotation-indexer-1.4.jar
]]></notes>
<gav regex="true">^org\.jenkins-ci:annotation-indexer:.*$</gav>
<cpe>cpe:/a:jenkins:jenkins</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per issue #871
]]></notes>
<gav regex="true">^org\.sonatype\..*$</gav>
<cpe>cpe:/a:spice_project:spice</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: avro-1.4.0-cassandra-1.jar
]]></notes>
<gav regex="true">^org\.apache\.cassandra\.deps:avro:.*$</gav>
<cpe>cpe:/a:apache:cassandra</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: hystrix-request-servlet-1.5.12.jar
]]></notes>
<gav regex="true">^com\.netflix\.hystrix:hystrix-request-servlet:.*$</gav>
<cpe>cpe:/a:request_it:request_it</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: jersey-core-1.11.jar
]]></notes>
<gav regex="true">^com\.sun\.jersey:jersey-core:.*$</gav>
<cpe>cpe:/a:restful_web_services_project:restful_web_services</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: unboundid-ldapsdk-2.3.8.jar
]]></notes>
<gav regex="true">^com\.unboundid:unboundid-ldapsdk:.*$</gav>
<cpe>cpe:/a:id:id-software</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
jaxb-xerces and jaxb-xerces2 are completely different dependencies.
]]></notes>
<gav regex="true">^activesoap:jaxb-xercesImpl:[01].*$</gav>
<cpe>cpe:/a:apache:xerces2_java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
jaxb-xerces and jaxb-xerces2 are completely different dependencies - the sha1
is primarily for testing.
]]></notes>
<sha1>73a51faadb407dccdbd77234e0d5a0a648665692</sha1>
<cpe>cpe:/a:apache:xerces2_java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #965
]]></notes>
<gav regex="true">^com\.typesafe\.play:play-akka-http-server_2\.\d+:.*$</gav>
<cpe>cpe:/a:akka:akka</cpe>
<cpe>cpe:/a:akka:http_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #1275
]]></notes>
<gav regex="true">^com\.typesafe\.akka:akka-stream-kafka_2\.12:.*$</gav>
<cpe>cpe:/a:akka:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #1275
]]></notes>
<gav regex="true">^com\.lightbend\.akka:akka-stream-alpakka-jms_2\.12:.*$</gav>
<cpe>cpe:/a:akka:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #1180
]]></notes>
<gav regex="true">^com\.typesafe\.akka:akka-persistence-cassandra:.*$</gav>
<cpe>cpe:/a:akka:akka</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #1259
]]></notes>
<gav regex="true">^com\.google\.api\.grpc:proto-google-common-protos:.*$</gav>
<cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #942
]]></notes>
<gav regex="true">^org\.apache\.chemistry\.opencmis:chemistry-opencmis.*$</gav>
<cpe>cpe:/a:apache:apache_http_server</cpe>
<cpe>cpe:/a:apache:http_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #942
]]></notes>
<gav regex="true">^org\.alfresco\.cmis\.client:alfresco-opencmis-extension:.*$</gav>
<cpe>cpe:/a:alfresco:alfresco</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #944 - just suppressing the single CVE instead of the entire match
as a future CVE could be meaningful to this library.
]]></notes>
<gav regex="true">^com\.evernote:evernote-api:.*$</gav>
<cve>CVE-2016-4900</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #951
]]></notes>
<gav regex="true">^org\.apache\.portals\.pluto:pluto-portal-driver:.*$</gav>
<cpe>cpe:/a:in-portal:in-portal</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP on ldap studio
]]></notes>
<gav regex="true">^org\.apache\.directory\.api:api-ldap.*$</gav>
<cpe>cpe:/a:apache:apache_ldap_studio</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #1003
]]></notes>
<gav regex="true">^org\.mapstruct:mapstruct:.*$</gav>
<cpe>cpe:/a:bean_project:bean</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #1004 - ldap.java is not in the JAR.
]]></notes>
<gav regex="true">^org\.codehaus\.groovy:groovy:.*$</gav>
<cve>CVE-2016-6497</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #1010 - ldap.java is not in the JAR.
]]></notes>
<gav regex="true">^org\.codehaus\.groovy:groovy-all:.*$</gav>
<cve>CVE-2016-6497</cve>
</suppress>
<!--suppress base="true">
<notes><![CDATA[
FP per issue #997 - actual fix was in DependencyVersionUtils
]]></notes>
<gav regex="true">^com\.typesafe\.play:play-netty-utils:.*$</gav>
<cpe>cpe:/a:playframework:play_framework</cpe>
</suppress-->
<suppress base="true">
<notes><![CDATA[
FP per #987
]]></notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
<cpe>cpe:/a:apache_software_foundation:tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup
]]></notes>
<filePath regex="true">.*winstone-?(\d*\.?){0,3}\.jar</filePath>
<cpe>cpe:/a:jetty:jetty</cpe>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup
]]></notes>
<gav regex="true">^org\.apache\.maven\.wagon:wagon-webdav-jackrabbit:.*$</gav>
<cpe>cpe:/a:apache:jackrabbit</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup
]]></notes>
<gav regex="true">^org\.apache\.xbean:xbean-reflect:.*$</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup
]]></notes>
<gav regex="true">^org\.eclipse\.jetty\.orbit:javax\.annotation:.*$</gav>
<cpe>cpe:/a:eclipse:jetty</cpe>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup
]]></notes>
<gav regex="true">^org\.eclipse\.jetty\.websocket:websocket-api:.*$</gav>
<cpe>cpe:/a:eclipse:jetty</cpe>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup: com.amazonaws is a drupal project
]]></notes>
<gav regex="true">^com\.amazonaws:jmespath-java:.*$</gav>
<cpe>cpe:/a:amazon_aws_project:amazon_aws</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per #1642
]]></notes>
<gav regex="true">^org\.apache\.curator:curator-recipes:.*$</gav>
<cpe>cpe:/a:apache:zookeeper</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup: apache_test CPE is referencing Perl code.
]]></notes>
<gav regex="true">^org\.apache\.ant:ant-testutil:.*$</gav>
<cpe>cpe:/a:apache:apache_test</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup: CPE is for git, not the git provider
]]></notes>
<gav regex="true">^org\.apache\.maven\.scm:maven-scm-provider-git-commons:.*$</gav>
<cpe>cpe:/a:git-scm:git</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup
]]></notes>
<gav regex="true">^org\.eclipse\.jetty\.orbit:org\.apache\.taglibs\.standard\.glassfish:.*$</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup
]]></notes>
<gav regex="true">^org\.eclipse\.jetty\.orbit:com\.sun\.el:.*$</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup: client vs. server mismatch
]]></notes>
<gav regex="true">^org\.samba\.jcifs:jcifs:.*$</gav>
<cpe>cpe:/a:samba:samba</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
general FP cleanup
]]></notes>
<gav regex="true">^org\.codehaus\.plexus:plexus-utils:.*$</gav>
<cpe>cpe:/a:spice_project:spice</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP #1064
]]></notes>
<gav regex="true">^org\.projectlombok:lombok:.*$</gav>
<cpe>cpe:/a:spice_project:spice</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
webjars are not npm, #1179
]]></notes>
<gav regex="true">^org\.webjars\.npm:.*$</gav>
<cpe>cpe:/a:npm:npm</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
spring boot mongo FP per issue #1067
]]></notes>
<gav regex="true">^org\.springframework\.boot:spring-boot-starter-data-mongodb:.*$</gav>
<cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
spring ldap cleanup per issue #1060
]]></notes>
<gav regex="true">^org\.springframework\.ldap:spring-ldap-core:.*$</gav>
<cpe>cpe:/a:net-ldap_project:net-ldap</cpe>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
<cpe>cpe:/a:pivotal:spring_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
These affect core jackson-databind, not jackson-dataformat-xml. If a vulnerable
version of databind is brought in as a transitive dependency of dataformat it
will get flagged by itself. See issue #1150.
]]></notes>
<gav regex="true">^com\.fasterxml\.jackson\.dataformat:.*$</gav>
<cve>CVE-2018-7489</cve>
<cve>CVE-2018-5968</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #952 - instead of suppressing the whole thing, we will just
suppress specific CVE that are for the server
]]></notes>
<gav regex="true">^(mysql:mysql-connector-java|org\.drizzle\.jdbc:drizzle-jdbc):.*$</gav>
<cve>CVE-2018-3081</cve>
<cve>CVE-2018-3137</cve>
<cve>CVE-2018-3145</cve>
<cve>CVE-2018-3170</cve>
<cve>CVE-2018-3182</cve>
<cve>CVE-2018-3186</cve>
<cve>CVE-2018-3195</cve>
<cve>CVE-2018-3203</cve>
<cve>CVE-2018-3212</cve>
<cve>CVE-2018-3279</cve>
<cve>CVE-2018-3286</cve>
<cve>CVE-2018-3071</cve>
<cve>CVE-2018-2759</cve>
<cve>CVE-2017-3331</cve>
<cve>CVE-2017-3452</cve>
<cve>CVE-2007-6304</cve>
<cve>CVE-2016-5442</cve>
<cve>CVE-2014-6555</cve>
<cve>CVE-2015-4861</cve>
<cve>CVE-2013-3796</cve>
<cve>CVE-2012-0553</cve>
<cve>CVE-2016-0659</cve>
<cve>CVE-2002-1923</cve>
<cve>CVE-2012-0119</cve>
<cve>CVE-2015-0508</cve>
<cve>CVE-2016-8283</cve>
<cve>CVE-2017-3463</cve>
<cve>CVE-2016-6663</cve>
<cve>CVE-2013-5881</cve>
<cve>CVE-2015-2573</cve>
<cve>CVE-2016-5436</cve>
<cve>CVE-2002-1376</cve>
<cve>CVE-2015-0432</cve>
<cve>CVE-2005-2558</cve>
<cve>CVE-2017-3308</cve>
<cve>CVE-2014-0402</cve>
<cve>CVE-2015-0499</cve>
<cve>CVE-2009-0819</cve>
<cve>CVE-2012-1757</cve>
<cve>CVE-2010-3838</cve>
<cve>CVE-2006-4031</cve>
<cve>CVE-2012-3180</cve>
<cve>CVE-2015-3152</cve>
<cve>CVE-2014-0393</cve>
<cve>CVE-2012-3163</cve>
<cve>CVE-2016-0594</cve>
<cve>CVE-2014-2450</cve>
<cve>CVE-2014-0430</cve>
<cve>CVE-2017-3457</cve>
<cve>CVE-2015-2567</cve>
<cve>CVE-2017-3319</cve>
<cve>CVE-2015-4866</cve>
<cve>CVE-2010-1621</cve>
<cve>CVE-2015-0409</cve>
<cve>CVE-2016-8288</cve>
<cve>CVE-2014-6484</cve>
<cve>CVE-2017-3243</cve>
<cve>CVE-2016-5633</cve>
<cve>CVE-2017-3468</cve>
<cve>CVE-2012-2122</cve>
<cve>CVE-2014-2444</cve>
<cve>CVE-2016-0642</cve>
<cve>CVE-2012-0882</cve>
<cve>CVE-2012-0102</cve>
<cve>CVE-2012-5614</cve>
<cve>CVE-2013-1567</cve>
<cve>CVE-2016-0504</cve>
<cve>CVE-2017-3643</cve>
<cve>CVE-2010-2008</cve>
<cve>CVE-2016-0608</cve>
<cve>CVE-2015-4756</cve>
<cve>CVE-2017-10284</cve>
<cve>CVE-2014-6495</cve>
<cve>CVE-2013-5793</cve>
<cve>CVE-2014-4233</cve>
<cve>CVE-2010-3680</cve>
<cve>CVE-2012-0493</cve>
<cve>CVE-2001-1275</cve>
<cve>CVE-2013-0385</cve>
<cve>CVE-2016-0599</cve>
<cve>CVE-2016-5627</cve>
<cve>CVE-2012-0113</cve>
<cve>CVE-2013-0368</cve>
<cve>CVE-2014-2438</cve>
<cve>CVE-2013-1511</cve>
<cve>CVE-2014-6478</cve>
<cve>CVE-2017-3637</cve>
<cve>CVE-2004-0837</cve>
<cve>CVE-2016-0653</cve>
<cve>CVE-2010-1626</cve>
<cve>CVE-2013-3810</cve>
<cve>CVE-2015-2643</cve>
<cve>CVE-2015-4767</cve>
<cve>CVE-2017-3265</cve>
<cve>CVE-2009-4019</cve>
<cve>CVE-2014-6489</cve>
<cve>CVE-2017-3302</cve>
<cve>CVE-2012-0087</cve>
<cve>CVE-2016-3477</cve>
<cve>CVE-2017-3648</cve>
<cve>CVE-2012-1697</cve>
<cve>CVE-2012-0487</cve>
<cve>CVE-2016-0647</cve>
<cve>CVE-2015-4815</cve>
<cve>CVE-2012-1734</cve>
<cve>CVE-2013-3804</cve>
<cve>CVE-2013-5807</cve>
<cve>CVE-2008-7247</cve>
<cve>CVE-2016-5441</cve>
<cve>CVE-2007-6303</cve>
<cve>CVE-2014-2494</cve>
<cve>CVE-2017-3313</cve>
<cve>CVE-2013-3795</cve>
<cve>CVE-2014-4238</cve>
<cve>CVE-2015-4826</cve>
<cve>CVE-2016-0658</cve>
<cve>CVE-2012-0118</cve>
<cve>CVE-2015-0507</cve>
<cve>CVE-2015-2648</cve>
<cve>CVE-2006-7232</cve>
<cve>CVE-2009-5026</cve>
<cve>CVE-2017-3462</cve>
<cve>CVE-2016-6662</cve>
<cve>CVE-2016-2047</cve>
<cve>CVE-2006-4227</cve>
<cve>CVE-2014-0001</cve>
<cve>CVE-2002-1375</cve>
<cve>CVE-2015-0498</cve>
<cve>CVE-2017-10365</cve>
<cve>CVE-2014-0401</cve>
<cve>CVE-2013-1544</cve>
<cve>CVE-2006-1518</cve>
<cve>CVE-2010-3679</cve>
<cve>CVE-2012-1756</cve>
<cve>CVE-2004-0628</cve>
<cve>CVE-2017-10227</cve>
<cve>CVE-2010-3837</cve>
<cve>CVE-2013-3809</cve>
<cve>CVE-2016-5584</cve>
<cve>CVE-2008-4456</cve>
<cve>CVE-2013-5891</cve>
<cve>CVE-2015-4761</cve>
<cve>CVE-2013-5770</cve>
<cve>CVE-2017-3456</cve>
<cve>CVE-2014-2432</cve>
<cve>CVE-2015-2566</cve>
<cve>CVE-2014-6559</cve>
<cve>CVE-2012-0574</cve>
<cve>CVE-2014-0412</cve>
<cve>CVE-2013-1555</cve>
<cve>CVE-2017-3318</cve>
<cve>CVE-2015-2620</cve>
<cve>CVE-2009-4030</cve>
<cve>CVE-2016-8287</cve>
<cve>CVE-2016-3471</cve>
<cve>CVE-2007-2693</cve>
<cve>CVE-2003-0150</cve>
<cve>CVE-2012-3173</cve>
<cve>CVE-2014-6520</cve>
<cve>CVE-2017-10283</cve>
<cve>CVE-2017-3467</cve>
<cve>CVE-2014-0386</cve>
<cve>CVE-2004-0388</cve>
<cve>CVE-2004-2149</cve>
<cve>CVE-2012-0101</cve>
<cve>CVE-2012-5613</cve>
<cve>CVE-2013-1566</cve>
<cve>CVE-2013-2376</cve>
<cve>CVE-2016-5632</cve>
<cve>CVE-2016-0503</cve>
<cve>CVE-2017-3329</cve>
<cve>CVE-2016-0607</cve>
<cve>CVE-2015-4913</cve>
<cve>CVE-2017-3642</cve>
<cve>CVE-2012-3156</cve>
<cve>CVE-2015-4772</cve>
<cve>CVE-2016-0641</cve>
<cve>CVE-2017-10320</cve>
<cve>CVE-2014-6494</cve>
<cve>CVE-2007-2583</cve>
<cve>CVE-2017-3653</cve>
<cve>CVE-2012-0492</cve>
<cve>CVE-2001-1274</cve>
<cve>CVE-2012-0075</cve>
<cve>CVE-2012-3167</cve>
<cve>CVE-2017-3636</cve>
<cve>CVE-2012-0112</cve>
<cve>CVE-2013-0367</cve>
<cve>CVE-2013-0384</cve>
<cve>CVE-2016-0652</cve>
<cve>CVE-2012-4414</cve>
<cve>CVE-2017-10294</cve>
<cve>CVE-2004-0957</cve>
<cve>CVE-2004-0836</cve>
<cve>CVE-2016-0598</cve>
<cve>CVE-2012-1705</cve>
<cve>CVE-2017-10314</cve>
<cve>CVE-2016-8318</cve>
<cve>CVE-2015-4766</cve>
<cve>CVE-2016-5626</cve>
<cve>CVE-2017-3599</cve>
<cve>CVE-2016-5609</cve>
<cve>CVE-2014-4260</cve>
<cve>CVE-2015-0501</cve>
<cve>CVE-2014-4243</cve>
<cve>CVE-2013-3783</cve>
<cve>CVE-2013-5786</cve>
<cve>CVE-2016-0663</cve>
<cve>CVE-2012-0540</cve>
<cve>CVE-2012-1696</cve>
<cve>CVE-2000-0045</cve>
<cve>CVE-2006-0369</cve>
<cve>CVE-2013-1521</cve>
<cve>CVE-2016-3459</cve>
<cve>CVE-2012-0486</cve>
<cve>CVE-2016-0646</cve>
<cve>CVE-2017-3647</cve>
<cve>CVE-2017-10167</cve>
<cve>CVE-2017-3450</cve>
<cve>CVE-2016-5440</cve>
<cve>CVE-2015-0382</cve>
<cve>CVE-2017-3312</cve>
<cve>CVE-2011-2262</cve>
<cve>CVE-2013-3794</cve>
<cve>CVE-2005-0004</cve>
<cve>CVE-2001-1454</cve>
<cve>CVE-2013-0389</cve>
<cve>CVE-2016-0657</cve>
<cve>CVE-2013-1532</cve>
<cve>CVE-2002-1921</cve>
<cve>CVE-2012-0117</cve>
<cve>CVE-2015-0506</cve>
<cve>CVE-2017-3258</cve>
<cve>CVE-2017-3461</cve>
<cve>CVE-2012-3150</cve>
<cve>CVE-2003-0073</cve>
<cve>CVE-2005-2573</cve>
<cve>CVE-2014-6564</cve>
<cve>CVE-2006-4226</cve>
<cve>CVE-2002-1374</cve>
<cve>CVE-2015-4870</cve>
<cve>CVE-2005-0711</cve>
<cve>CVE-2010-1850</cve>
<cve>CVE-2006-1517</cve>
<cve>CVE-2010-3678</cve>
<cve>CVE-2013-1526</cve>
<cve>CVE-2004-0627</cve>
<cve>CVE-2016-0705</cve>
<cve>CVE-2010-3836</cve>
<cve>CVE-2016-3518</cve>
<cve>CVE-2013-3808</cve>
<cve>CVE-2016-0601</cve>
<cve>CVE-2015-4836</cve>
<cve>CVE-2015-2571</cve>
<cve>CVE-2016-0668</cve>
<cve>CVE-2012-5060</cve>
<cve>CVE-2015-4819</cve>
<cve>CVE-2013-2381</cve>
<cve>CVE-2015-2582</cve>
<cve>CVE-2017-3455</cve>
<cve>CVE-2003-0780</cve>
<cve>CVE-2014-2431</cve>
<cve>CVE-2003-1331</cve>
<cve>CVE-2015-4864</cve>
<cve>CVE-2012-3144</cve>
<cve>CVE-2017-3317</cve>
<cve>CVE-2005-1636</cve>
<cve>CVE-2015-0441</cve>
<cve>CVE-2001-0407</cve>
<cve>CVE-2016-8286</cve>
<cve>CVE-2007-2692</cve>
<cve>CVE-2003-1480</cve>
<cve>CVE-2013-2392</cve>
<cve>CVE-2017-3641</cve>
<cve>CVE-2016-5631</cve>
<cve>CVE-2012-1690</cve>
<cve>CVE-2007-5646</cve>
<cve>CVE-2013-2375</cve>
<cve>CVE-2016-2105</cve>
<cve>CVE-2007-5925</cve>
<cve>CVE-2012-5612</cve>
<cve>CVE-2016-0502</cve>
<cve>CVE-2014-2442</cve>
<cve>CVE-2015-4858</cve>
<cve>CVE-2013-1548</cve>
<cve>CVE-2016-0606</cve>
<cve>CVE-2015-2576</cve>
<cve>CVE-2014-4287</cve>
<cve>CVE-2002-0969</cve>
<cve>CVE-2016-0640</cve>
<cve>CVE-2015-4737</cve>
<cve>CVE-2015-4771</cve>
<cve>CVE-2016-5439</cve>
<cve>CVE-1999-1188</cve>
<cve>CVE-2007-5970</cve>
<cve>CVE-2014-6530</cve>
<cve>CVE-2017-3652</cve>
<cve>CVE-2008-3963</cve>
<cve>CVE-2013-0383</cve>
<cve>CVE-2012-3166</cve>
<cve>CVE-2012-0491</cve>
<cve>CVE-2014-4214</cve>
<cve>CVE-2016-5625</cve>
<cve>CVE-2014-0433</cve>
<cve>CVE-2012-3149</cve>
<cve>CVE-2014-2436</cve>
<cve>CVE-2016-3501</cve>
<cve>CVE-2012-0578</cve>
<cve>CVE-2004-0956</cve>
<cve>CVE-2004-0835</cve>
<cve>CVE-2014-2419</cve>
<cve>CVE-2017-3635</cve>
<cve>CVE-2017-10155</cve>
<cve>CVE-2015-0500</cve>
<cve>CVE-2016-0651</cve>
<cve>CVE-2010-1849</cve>
<cve>CVE-2017-10313</cve>
<cve>CVE-2017-10276</cve>
<cve>CVE-2015-4802</cve>
<cve>CVE-2015-2641</cve>
<cve>CVE-2016-0597</cve>
<cve>CVE-2016-3492</cve>
<cve>CVE-2007-1420</cve>
<cve>CVE-2012-3177</cve>
<cve>CVE-2016-0662</cve>
<cve>CVE-2017-3646</cve>
<cve>CVE-2012-0485</cve>
<cve>CVE-2015-0511</cve>
<cve>CVE-2014-6507</cve>
<cve>CVE-2000-0148</cve>
<cve>CVE-2013-3802</cve>
<cve>CVE-2014-0427</cve>
<cve>CVE-2015-4830</cve>
<cve>CVE-2017-3291</cve>
<cve>CVE-2015-3194</cve>
<cve>CVE-2008-2079</cve>
<cve>CVE-2009-4028</cve>
<cve>CVE-2016-3486</cve>
<cve>CVE-2012-5383</cve>
<cve>CVE-2013-3793</cve>
<cve>CVE-2012-4452</cve>
<cve>CVE-2017-3257</cve>
<cve>CVE-2010-3683</cve>
<cve>CVE-2001-1453</cve>
<cve>CVE-2012-0496</cve>
<cve>CVE-2004-0457</cve>
<cve>CVE-2013-1531</cve>
<cve>CVE-2012-0116</cve>
<cve>CVE-2012-1689</cve>
<cve>CVE-2016-0639</cve>
<cve>CVE-2015-4807</cve>
<cve>CVE-2015-0505</cve>
<cve>CVE-2016-0656</cve>
<cve>CVE-2015-0381</cve>
<cve>CVE-2006-4380</cve>
<cve>CVE-2017-3460</cve>
<cve>CVE-2004-0381</cve>
<cve>CVE-2005-2572</cve>
<cve>CVE-2002-1373</cve>
<cve>CVE-2017-3305</cve>
<cve>CVE-2005-0710</cve>
<cve>CVE-2016-0667</cve>
<cve>CVE-2006-1516</cve>
<cve>CVE-2010-3677</cve>
<cve>CVE-2016-0546</cve>
<cve>CVE-2016-0600</cve>
<cve>CVE-2010-3835</cve>
<cve>CVE-2013-3807</cve>
<cve>CVE-2009-4484</cve>
<cve>CVE-2012-3160</cve>
<cve>CVE-2017-3454</cve>
<cve>CVE-2013-1570</cve>
<cve>CVE-2014-2430</cve>
<cve>CVE-2016-5444</cve>
<cve>CVE-2014-4258</cve>
<cve>CVE-2012-0572</cve>
<cve>CVE-2012-2750</cve>
<cve>CVE-2013-3798</cve>
<cve>CVE-2016-0611</cve>
<cve>CVE-2016-3424</cve>
<cve>CVE-2015-0423</cve>
<cve>CVE-2007-2691</cve>
<cve>CVE-2013-2391</cve>
<cve>CVE-2014-6464</cve>
<cve>CVE-2017-3465</cve>
<cve>CVE-2013-0371</cve>
<cve>CVE-2014-0384</cve>
<cve>CVE-2015-2575</cve>
<cve>CVE-2014-6568</cve>
<cve>CVE-2012-0583</cve>
<cve>CVE-2012-2102</cve>
<cve>CVE-2012-5611</cve>
<cve>CVE-2005-0799</cve>
<cve>CVE-2016-5630</cve>
<cve>CVE-2006-0903</cve>
<cve>CVE-2016-0605</cve>
<cve>CVE-2017-3640</cve>
<cve>CVE-2016-3452</cve>
<cve>CVE-2017-3251</cve>
<cve>CVE-2017-3651</cve>
<cve>CVE-2012-0490</cve>
<cve>CVE-2013-5894</cve>
<cve>CVE-2016-0596</cve>
<cve>CVE-2017-3634</cve>
<cve>CVE-2017-3459</cve>
<cve>CVE-2001-1255</cve>
<cve>CVE-2014-2435</cve>
<cve>CVE-2016-0650</cve>
<cve>CVE-2017-10379</cve>
<cve>CVE-2016-0616</cve>
<cve>CVE-2015-4905</cve>
<cve>CVE-2012-1703</cve>
<cve>CVE-2005-0709</cve>
<cve>CVE-2010-1848</cve>
<cve>CVE-2016-5624</cve>
<cve>CVE-2002-1809</cve>
<cve>CVE-2015-4792</cve>
<cve>CVE-2016-8327</cve>
<cve>CVE-2016-0661</cve>
<cve>CVE-2014-6469</cve>
<cve>CVE-2012-0484</cve>
<cve>CVE-2017-10286</cve>
<cve>CVE-2016-5635</cve>
<cve>CVE-2000-0981</cve>
<cve>CVE-2014-4207</cve>
<cve>CVE-2013-3801</cve>
<cve>CVE-2013-1502</cve>
<cve>CVE-2015-0439</cve>
<cve>CVE-2013-5767</cve>
<cve>CVE-2016-3615</cve>
<cve>CVE-2012-2749</cve>
<cve>CVE-2013-5908</cve>
<cve>CVE-2016-0644</cve>
<cve>CVE-2015-2617</cve>
<cve>CVE-2017-3645</cve>
<cve>CVE-2017-10165</cve>
<cve>CVE-2015-4879</cve>
<cve>CVE-2008-4098</cve>
<cve>CVE-2017-3273</cve>
<cve>CVE-2014-6551</cve>
<cve>CVE-2017-3256</cve>
<cve>CVE-2010-3682</cve>
<cve>CVE-2012-0495</cve>
<cve>CVE-2016-0655</cve>
<cve>CVE-2010-3840</cve>
<cve>CVE-2016-5629</cve>
<cve>CVE-2012-0115</cve>
<cve>CVE-2012-1688</cve>
<cve>CVE-2014-0437</cve>
<cve>CVE-2013-3812</cve>
<cve>CVE-2012-5627</cve>
<cve>CVE-2017-3639</cve>
<cve>CVE-2015-4769</cve>
<cve>CVE-2015-0391</cve>
<cve>CVE-2013-5860</cve>
<cve>CVE-2015-4730</cve>
<cve>CVE-2017-3600</cve>
<cve>CVE-2015-0374</cve>
<cve>CVE-2015-0411</cve>
<cve>CVE-2016-0666</cve>
<cve>CVE-2010-3676</cve>
<cve>CVE-2012-0489</cve>
<cve>CVE-2017-3529</cve>
<cve>CVE-2010-3834</cve>
<cve>CVE-2013-3806</cve>
<cve>CVE-2016-8290</cve>
<cve>CVE-2016-0649</cve>
<cve>CVE-2015-2639</cve>
<cve>CVE-2014-4274</cve>
<cve>CVE-2017-3453</cve>
<cve>CVE-2016-5443</cve>
<cve>CVE-2009-2446</cve>
<cve>CVE-2015-0385</cve>
<cve>CVE-2006-2753</cve>
<cve>CVE-2016-3440</cve>
<cve>CVE-2013-1552</cve>
<cve>CVE-2016-0610</cve>
<cve>CVE-2015-4862</cve>
<cve>CVE-2015-0405</cve>
<cve>CVE-2016-8284</cve>
<cve>CVE-2015-4890</cve>
<cve>CVE-2014-6463</cve>
<cve>CVE-2017-3464</cve>
<cve>CVE-2016-6664</cve>
<cve>CVE-2014-2440</cve>
<cve>CVE-2014-6500</cve>
<cve>CVE-2016-5612</cve>
<cve>CVE-2017-10384</cve>
<cve>CVE-2014-0420</cve>
<cve>CVE-2015-4910</cve>
<cve>CVE-2013-5882</cve>
<cve>CVE-2015-4752</cve>
<cve>CVE-2017-3309</cve>
<cve>CVE-2016-5437</cve>
<cve>CVE-2015-0433</cve>
<cve>CVE-2015-2611</cve>
<cve>CVE-2010-3839</cve>
<cve>CVE-2006-3081</cve>
<cve>CVE-2014-6491</cve>
<cve>CVE-2014-6474</cve>
<cve>CVE-2017-3650</cve>
<cve>CVE-2014-2451</cve>
<cve>CVE-2016-0595</cve>
<cve>CVE-2017-3633</cve>
<cve>CVE-2017-3458</cve>
<cve>CVE-2014-0431</cve>
<cve>CVE-2012-3147</cve>
<cve>CVE-2014-2434</cve>
<cve>CVE-2015-2568</cve>
<cve>CVE-2017-10378</cve>
<cve>CVE-2015-4904</cve>
<cve>CVE-2015-4800</cve>
<cve>CVE-2012-1702</cve>
<cve>CVE-2017-10311</cve>
<cve>CVE-2013-3839</cve>
<cve>CVE-2016-8289</cve>
<cve>CVE-2014-4240</cve>
<cve>CVE-2015-4791</cve>
<cve>CVE-2017-3244</cve>
<cve>CVE-2013-2395</cve>
<cve>CVE-2015-4895</cve>
<cve>CVE-2016-5634</cve>
<cve>CVE-2012-0120</cve>
<cve>CVE-2013-0375</cve>
<cve>CVE-2013-2378</cve>
<cve>CVE-2012-3158</cve>
<cve>CVE-2014-6505</cve>
<cve>CVE-2017-10268</cve>
<cve>CVE-2012-5615</cve>
<cve>CVE-2016-0505</cve>
<cve>CVE-2016-0643</cve>
<cve>CVE-2016-3614</cve>
<cve>CVE-2015-0438</cve>
<cve>CVE-2016-0609</cve>
<cve>CVE-2015-4757</cve>
<cve>CVE-2017-3644</cve>
<cve>CVE-2008-4097</cve>
<cve>CVE-2016-7440</cve>
<cve>CVE-2014-6496</cve>
<cve>CVE-2006-3486</cve>
<cve>CVE-2013-1492</cve>
<cve>CVE-2015-2661</cve>
<cve>CVE-2016-3521</cve>
<cve>CVE-2010-3681</cve>
<cve>CVE-2017-10296</cve>
<cve>CVE-2006-3469</cve>
<cve>CVE-2013-2389</cve>
<cve>CVE-2012-0494</cve>
<cve>CVE-2016-5628</cve>
<cve>CVE-2017-3638</cve>
<cve>CVE-2012-0114</cve>
<cve>CVE-2013-0386</cve>
<cve>CVE-2013-1512</cve>
<cve>CVE-2016-3588</cve>
<cve>CVE-2017-3238</cve>
<cve>CVE-2013-3811</cve>
<cve>CVE-2016-0654</cve>
<cve>CVE-2016-5507</cve>
<cve>CVE-2017-10279</cve>
<cve>CVE-2015-0503</cve>
<cve>CVE-2012-5096</cve>
<cve>CVE-2016-3495</cve>
<cve>CVE-2017-3320</cve>
<cve>CVE-2012-3197</cve>
<cve>CVE-2014-2484</cve>
<cve>CVE-2008-0226</cve>
<cve>CVE-2011-5049</cve>
<cve>CVE-2016-0665</cve>
<cve>CVE-2017-3649</cve>
<cve>CVE-2012-0488</cve>
<cve>CVE-2013-1523</cve>
<cve>CVE-2016-0648</cve>
<cve>CVE-2010-3833</cve>
<cve>CVE-2012-1735</cve>
<cve>CVE-2013-3805</cve>
<cve>CVE-2013-1506</cve>
<cve>CVE-2015-4833</cve>
<cve>CVE-2015-4816</cve>
<cve>CVE-2018-2767</cve>
<cve>CVE-2018-3054</cve>
<cve>CVE-2018-3056</cve>
<cve>CVE-2018-3058</cve>
<cve>CVE-2018-3060</cve>
<cve>CVE-2018-3061</cve>
<cve>CVE-2018-3062</cve>
<cve>CVE-2018-3063</cve>
<cve>CVE-2018-3064</cve>
<cve>CVE-2018-3065</cve>
<cve>CVE-2018-3066</cve>
<cve>CVE-2018-3067</cve>
<cve>CVE-2018-3070</cve>
<cve>CVE-2018-3073</cve>
<cve>CVE-2018-3074</cve>
<cve>CVE-2018-3075</cve>
<cve>CVE-2018-3077</cve>
<cve>CVE-2018-3078</cve>
<cve>CVE-2018-3079</cve>
<cve>CVE-2018-3080</cve>
<cve>CVE-2018-3082</cve>
<cve>CVE-2018-3084</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #946 - instead of suppressing the whole thing, we will just
suppress specific CVE that are for the server
]]></notes>
<gav regex="true">^(org\.)?postgresql:postgresql:.*$</gav>
<cve>CVE-2016-7048</cve>
<cve>CVE-2018-1115</cve>
<cve>CVE-2017-14798</cve>
<cve>CVE-2017-8806</cve>
<cve>CVE-2006-5540</cve>
<cve>CVE-2006-5542</cve>
<cve>CVE-2007-6600</cve>
<cve>CVE-2007-3279</cve>
<cve>CVE-2016-5423</cve>
<cve>CVE-2005-0244</cve>
<cve>CVE-2006-2314</cve>
<cve>CVE-2005-0246</cve>
<cve>CVE-2005-1410</cve>
<cve>CVE-2006-0678</cve>
<cve>CVE-2002-0972</cve>
<cve>CVE-2005-0227</cve>
<cve>CVE-2002-1402</cve>
<cve>CVE-2004-0977</cve>
<cve>CVE-2013-1899</cve>
<cve>CVE-2003-0901</cve>
<cve>CVE-2010-0733</cve>
<cve>CVE-2010-1447</cve>
<cve>CVE-2002-1642</cve>
<cve>CVE-2006-0553</cve>
<cve>CVE-2002-1400</cve>
<cve>CVE-2007-3280</cve>
<cve>CVE-2017-7484</cve>
<cve>CVE-2009-4034</cve>
<cve>CVE-2017-7486</cve>
<cve>CVE-2012-3489</cve>
<cve>CVE-2009-4136</cve>
<cve>CVE-2014-0061</cve>
<cve>CVE-2015-5288</cve>
<cve>CVE-1999-0862</cve>
<cve>CVE-2014-0063</cve>
<cve>CVE-2014-0065</cve>
<cve>CVE-2007-2138</cve>
<cve>CVE-2002-1397</cve>
<cve>CVE-2007-0556</cve>
<cve>CVE-2002-1399</cve>
<cve>CVE-2006-0105</cve>
<cve>CVE-2016-0766</cve>
<cve>CVE-2010-0442</cve>
<cve>CVE-2014-0067</cve>
<cve>CVE-2002-1657</cve>
<cve>CVE-2017-7548</cve>
<cve>CVE-2010-1975</cve>
<cve>CVE-2012-0866</cve>
<cve>CVE-2012-0868</cve>
<cve>CVE-2013-1903</cve>
<cve>CVE-2013-1901</cve>
<cve>CVE-2016-0768</cve>
<cve>CVE-2017-7546</cve>
<cve>CVE-2009-3231</cve>
<cve>CVE-2016-2193</cve>
<cve>CVE-2006-5541</cve>
<cve>CVE-2016-3065</cve>
<cve>CVE-2007-3278</cve>
<cve>CVE-2007-6601</cve>
<cve>CVE-2016-5424</cve>
<cve>CVE-2006-2313</cve>
<cve>CVE-2005-0245</cve>
<cve>CVE-2007-4769</cve>
<cve>CVE-2005-0247</cve>
<cve>CVE-2009-0922</cve>
<cve>CVE-2002-1401</cve>
<cve>CVE-2012-2655</cve>
<cve>CVE-2010-1169</cve>
<cve>CVE-2012-3488</cve>
<cve>CVE-2010-4015</cve>
<cve>CVE-2016-0773</cve>
<!--cve>CVE-2017-7485</cve> This affects the client -->
<cve>CVE-2007-4772</cve>
<cve>CVE-2014-0060</cve>
<cve>CVE-2014-0062</cve>
<cve>CVE-2010-1170</cve>
<cve>CVE-2014-0064</cve>
<cve>CVE-2015-3165</cve>
<cve>CVE-2009-3229</cve>
<cve>CVE-2007-0555</cve>
<cve>CVE-2002-1398</cve>
<cve>CVE-2000-1199</cve>
<cve>CVE-2013-0255</cve>
<cve>CVE-2010-3433</cve>
<cve>CVE-2014-0066</cve>
<cve>CVE-2004-0547</cve>
<cve>CVE-2014-2669</cve>
<cve>CVE-2013-1900</cve>
<cve>CVE-2005-1409</cve>
<cve>CVE-2002-0802</cve>
<cve>CVE-2013-1902</cve>
<cve>CVE-2017-7547</cve>
<cve>CVE-2012-0867</cve>
<cve>CVE-2012-2143</cve>
<!--cve>CVE-2012-1618</cve> this affects the JDBC -->
<cve>CVE-2015-5289</cve>
<cve>CVE-2009-3230</cve>
<cve>CVE-2007-6067</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #947 - instead of suppressing the whole thing, we will just
suppress specific CVE that are for the server
]]></notes>
<gav regex="true">^com\.microsoft\.sqlserver:(sqljdbc4|mssql-jdbc):.*$</gav>
<cve>CVE-2000-1081</cve>
<cve>CVE-2004-1560</cve>
<cve>CVE-2000-1083</cve>
<cve>CVE-2000-1085</cve>
<cve>CVE-2009-2503</cve>
<cve>CVE-2000-1087</cve>
<cve>CVE-2002-1123</cve>
<cve>CVE-2002-0057</cve>
<cve>CVE-2009-2501</cve>
<cve>CVE-2001-0542</cve>
<cve>CVE-2001-0344</cve>
<cve>CVE-2000-0654</cve>
<cve>CVE-2009-2528</cve>
<cve>CVE-2014-1820</cve>
<cve>CVE-1999-0999</cve>
<cve>CVE-2002-0859</cve>
<cve>CVE-2012-2552</cve>
<cve>CVE-2016-7249</cve>
<cve>CVE-2016-7250</cve>
<cve>CVE-2016-7252</cve>
<cve>CVE-2014-4061</cve>
<cve>CVE-2016-7254</cve>
<cve>CVE-2008-0086</cve>
<cve>CVE-2008-3013</cve>
<cve>CVE-2009-3126</cve>
<cve>CVE-2008-3015</cve>
<cve>CVE-2008-5416</cve>
<cve>CVE-2003-0231</cve>
<cve>CVE-2002-0187</cve>
<cve>CVE-2008-0106</cve>
<cve>CVE-2002-1872</cve>
<cve>CVE-2002-0641</cve>
<cve>CVE-2002-0224</cve>
<cve>CVE-2002-1138</cve>
<cve>CVE-2002-0643</cve>
<cve>CVE-2000-0202</cve>
<cve>CVE-2000-0402</cve>
<cve>CVE-2002-0624</cve>
<cve>CVE-2002-0645</cve>
<cve>CVE-2002-0649</cve>
<cve>CVE-2007-4814</cve>
<cve>CVE-2007-5090</cve>
<cve>CVE-2015-1761</cve>
<cve>CVE-2011-1280</cve>
<cve>CVE-2017-8516</cve>
<cve>CVE-2015-1763</cve>
<cve>CVE-2000-1082</cve>
<cve>CVE-2009-2500</cve>
<cve>CVE-2000-1084</cve>
<cve>CVE-2009-2502</cve>
<cve>CVE-2000-1086</cve>
<cve>CVE-2002-0154</cve>
<cve>CVE-2002-1145</cve>
<cve>CVE-2000-1088</cve>
<cve>CVE-2000-0199</cve>
<cve>CVE-2002-0056</cve>
<cve>CVE-2012-0158</cve>
<cve>CVE-2009-2504</cve>
<cve>CVE-2002-0650</cve>
<cve>CVE-2002-1981</cve>
<cve>CVE-2001-0509</cve>
<cve>CVE-2016-7251</cve>
<cve>CVE-2016-7253</cve>
<cve>CVE-2008-0085</cve>
<cve>CVE-2008-3012</cve>
<cve>CVE-2008-3014</cve>
<cve>CVE-1999-1556</cve>
<cve>CVE-2003-0230</cve>
<cve>CVE-2002-0186</cve>
<cve>CVE-2003-0232</cve>
<cve>CVE-2015-1762</cve>
<cve>CVE-2008-0107</cve>
<cve>CVE-2002-0982</cve>
<cve>CVE-2002-1137</cve>
<cve>CVE-2002-0642</cve>
<cve>CVE-2002-0721</cve>
<cve>CVE-2002-0644</cve>
<cve>CVE-2000-0485</cve>
<cve>CVE-2012-1856</cve>
<cve>CVE-2000-0603</cve>
<cve>CVE-2001-0879</cve>
<cve>CVE-2002-0729</cve>
<cve>CVE-2007-5348</cve>
<cve>CVE-2008-4110</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #1662
]]></notes>
<gav regex="true">^net\.sourceforge\.jtds:jtds:.*$</gav>
<cpe>cpe:/a:microsoft:sql_server</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #999 - instead of suppressing the whole thing, we will just
suppress specific CVE that are for the server
]]></notes>
<gav regex="true">^org\.mariadb\.jdbc:mariadb-java-client:.*$</gav>
<cve>CVE-2016-5440</cve>
<cve>CVE-2016-5584</cve>
<cve>CVE-2014-6500</cve>
<cve>CVE-2016-5444</cve>
<cve>CVE-2014-6555</cve>
<cve>CVE-2016-0597</cve>
<cve>CVE-2016-5625</cve>
<cve>CVE-2014-6559</cve>
<cve>CVE-2016-0655</cve>
<cve>CVE-2016-5627</cve>
<cve>CVE-2016-5629</cve>
<cve>CVE-2012-5627</cve>
<cve>CVE-2016-3492</cve>
<cve>CVE-2016-6663</cve>
<cve>CVE-2016-3452</cve>
<cve>CVE-2016-5630</cve>
<cve>CVE-2016-5632</cve>
<cve>CVE-2017-3302</cve>
<cve>CVE-2016-3477</cve>
<cve>CVE-2016-0641</cve>
<cve>CVE-2014-6464</cve>
<cve>CVE-2012-5611</cve>
<cve>CVE-2016-0666</cve>
<cve>CVE-2012-5613</cve>
<cve>CVE-2016-0668</cve>
<cve>CVE-2012-5615</cve>
<cve>CVE-2016-0505</cve>
<cve>CVE-2016-0649</cve>
<cve>CVE-2016-0647</cve>
<cve>CVE-2014-6507</cve>
<cve>CVE-2016-0609</cve>
<cve>CVE-2016-5634</cve>
<cve>CVE-2016-0643</cve>
<cve>CVE-2016-7440</cve>
<cve>CVE-2014-6494</cve>
<cve>CVE-2015-3152</cve>
<cve>CVE-2014-6496</cve>
<cve>CVE-2016-0650</cve>
<cve>CVE-2016-0596</cve>
<cve>CVE-2016-0598</cve>
<cve>CVE-2016-0610</cve>
<cve>CVE-2016-5626</cve>
<cve>CVE-2012-4414</cve>
<cve>CVE-2016-5507</cve>
<cve>CVE-2016-5609</cve>
<cve>CVE-2016-0616</cve>
<cve>CVE-2016-5628</cve>
<cve>CVE-2016-3521</cve>
<cve>CVE-2016-6662</cve>
<cve>CVE-2016-3495</cve>
<cve>CVE-2016-6664</cve>
<cve>CVE-2016-5631</cve>
<cve>CVE-2016-2047</cve>
<cve>CVE-2016-5612</cve>
<cve>CVE-2016-0640</cve>
<cve>CVE-2012-2122</cve>
<cve>CVE-2016-3459</cve>
<cve>CVE-2012-5612</cve>
<cve>CVE-2016-0644</cve>
<cve>CVE-2012-5614</cve>
<cve>CVE-2014-0001</cve>
<cve>CVE-2016-0546</cve>
<cve>CVE-2013-1861</cve>
<cve>CVE-2016-0600</cve>
<cve>CVE-2016-0606</cve>
<cve>CVE-2016-0646</cve>
<cve>CVE-2016-0608</cve>
<cve>CVE-2016-0648</cve>
<cve>CVE-2016-3615</cve>
<cve>CVE-2016-5635</cve>
<cve>CVE-2016-5633</cve>
<cve>CVE-2014-6469</cve>
<cve>CVE-2014-6491</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #943
]]></notes>
<gav regex="true">^cn\.guoyukun\.jdbc:db2jcc_license_cu:.*$</gav>
<cpe>cpe:/a:ibm:db2</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per issue #943 - instead of suppressing the whole thing, we will just
suppress specific CVE that are for the server
]]></notes>
<gav regex="true">^cn\.guoyukun\.jdbc:db2jcc:.*$</gav>
<cve>CVE-2007-2582</cve>
<cve>CVE-2012-2194</cve>
<cve>CVE-2008-0696</cve>
<cve>CVE-2009-4327</cve>
<cve>CVE-2013-3475</cve>
<cve>CVE-2009-1239</cve>
<cve>CVE-2014-6159</cve>
<cve>CVE-2010-3740</cve>
<cve>CVE-2012-3324</cve>
<cve>CVE-2012-0711</cve>
<cve>CVE-2017-1519</cve>
<cve>CVE-2015-1935</cve>
<cve>CVE-2009-4330</cve>
<cve>CVE-2014-3095</cve>
<cve>CVE-2009-4334</cve>
<cve>CVE-2005-4870</cve>
<cve>CVE-2010-3193</cve>
<cve>CVE-2013-4033</cve>
<cve>CVE-2008-6820</cve>
<cve>CVE-2016-5995</cve>
<cve>CVE-2009-4438</cve>
<cve>CVE-2010-3197</cve>
<cve>CVE-2015-0157</cve>
<cve>CVE-2007-1228</cve>
<cve>CVE-2017-1105</cve>
<cve>CVE-2012-2180</cve>
<cve>CVE-2010-3734</cve>
<cve>CVE-2010-3738</cve>
<cve>CVE-2012-0709</cve>
<cve>CVE-2008-4691</cve>
<cve>CVE-2009-3473</cve>
<cve>CVE-2017-1150</cve>
<cve>CVE-2008-2154</cve>
<cve>CVE-2014-6210</cve>
<cve>CVE-2007-3676</cve>
<cve>CVE-2008-0697</cve>
<cve>CVE-2009-4328</cve>
<cve>CVE-2012-0712</cve>
<cve>CVE-2009-4331</cve>
<cve>CVE-2009-4335</cve>
<cve>CVE-2005-4871</cve>
<cve>CVE-2010-3194</cve>
<cve>CVE-2008-6821</cve>
<cve>CVE-2009-4439</cve>
<cve>CVE-2008-3958</cve>
<cve>CVE-2012-1796</cve>
<cve>CVE-2010-3731</cve>
<cve>CVE-2009-1905</cve>
<cve>CVE-2011-0731</cve>
<cve>CVE-2014-4805</cve>
<cve>CVE-2010-3735</cve>
<cve>CVE-2015-1922</cve>
<cve>CVE-2014-0907</cve>
<cve>CVE-2008-4692</cve>
<cve>CVE-2009-2860</cve>
<cve>CVE-2003-1051</cve>
<cve>CVE-2009-4325</cve>
<cve>CVE-2006-4257</cve>
<cve>CVE-2012-2196</cve>
<cve>CVE-2017-1451</cve>
<cve>CVE-2008-0698</cve>
<cve>CVE-2009-4329</cve>
<cve>CVE-2013-6744</cve>
<cve>CVE-2008-1966</cve>
<cve>CVE-2011-1373</cve>
<cve>CVE-2005-4869</cve>
<cve>CVE-2016-0211</cve>
<cve>CVE-2017-1434</cve>
<cve>CVE-2010-1560</cve>
<cve>CVE-2011-4061</cve>
<cve>CVE-2014-8910</cve>
<cve>CVE-2012-0713</cve>
<cve>CVE-2017-1438</cve>
<cve>CVE-2017-1297</cve>
<cve>CVE-2009-4332</cve>
<cve>CVE-2005-2073</cve>
<cve>CVE-2010-3195</cve>
<cve>CVE-2017-1520</cve>
<cve>CVE-2013-5466</cve>
<cve>CVE-2008-1998</cve>
<cve>CVE-2009-2858</cve>
<cve>CVE-2008-3959</cve>
<cve>CVE-2012-1797</cve>
<cve>CVE-2010-3732</cve>
<cve>CVE-2014-6209</cve>
<cve>CVE-2009-1906</cve>
<cve>CVE-2012-4826</cve>
<cve>CVE-2010-3736</cve>
<cve>CVE-2011-0757</cve>
<cve>CVE-2011-1846</cve>
<cve>CVE-2007-5090</cve>
<cve>CVE-2010-3474</cve>
<cve>CVE-2013-6717</cve>
<cve>CVE-2009-3471</cve>
<cve>CVE-2008-4693</cve>
<cve>CVE-2007-5652</cve>
<cve>CVE-2003-1052</cve>
<cve>CVE-2009-4326</cve>
<cve>CVE-2017-1452</cve>
<cve>CVE-2012-2197</cve>
<cve>CVE-2008-0699</cve>
<cve>CVE-2010-0472</cve>
<cve>CVE-2017-1439</cve>
<cve>CVE-2012-0710</cve>
<cve>CVE-2014-0919</cve>
<cve>CVE-2009-4150</cve>
<cve>CVE-2014-3094</cve>
<cve>CVE-2009-4333</cve>
<cve>CVE-2013-4032</cve>
<cve>CVE-2010-3196</cve>
<cve>CVE-2007-1027</cve>
<cve>CVE-2015-1883</cve>
<cve>CVE-2014-8901</cve>
<cve>CVE-2010-3475</cve>
<cve>CVE-2010-0462</cve>
<cve>CVE-2009-2859</cve>
<cve>CVE-2010-3733</cve>
<cve>CVE-2010-3737</cve>
<cve>CVE-2011-1847</cve>
<cve>CVE-2009-3472</cve>
<cve>CVE-2014-6097</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
FP per #1191
]]></notes>
<gav regex="true">^org\.xerial:sqlite-jdbc:.*$</gav>
<cve>CVE-2016-6153</cve>
<cve>CVE-2017-10989</cve>
<cve>CVE-2018-8740</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive in io.vertx:vertx-config-kubernetes-configmap
]]></notes>
<gav regex="true">^io\.vertx:vertx-config-kubernetes-configmap:.*$</gav>
<cpe>cpe:/a:kubernetes:kubernetes</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive per #1056
]]></notes>
<gav regex="true">^io\.fabric8:kubernetes-model:.*$</gav>
<cpe>cpe:/a:kubernetes:kubernetes</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive on io.gitlab.arturbosch caused by cpe:/a:gitlab
]]></notes>
<gav regex="true">^io\.gitlab\.arturbosch\.detekt:detekt-.+:.*$</gav>
<cpe>cpe:/a:gitlab:gitlab</cpe>
</suppress>
</suppressions>