chore: update suppressions for new false positives (#253)

natedanner · web-flow · commit 5fe2ccf68b84 · 2022-12-08T14:13:02.000-08:00
diff --git a/suppressions.xml b/suppressions.xml
@@ -1,12 +1,22 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress until="2022-11-12Z">
+    <suppress until="2023-01-07Z">
         <notes><![CDATA[
-            file name: jackson-databind-2.13.4.jar
-            sev:HIGH
-            In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
+        file name: woodstox-core-6.3.1.jar
+        Severity: HIGH
+        False positive. We do not use woodstox and it will be updated with the next spring cloud
+        dependencies.
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.woodstox/woodstox\-core@.*$</packageUrl>
+        <vulnerabilityName>CVE-2022-40152</vulnerabilityName>
+    </suppress>
+    <suppress until="2023-01-07Z">
+        <notes><![CDATA[
+            file name: snakeyaml-1.33.jar
+            Severity: HIGH
+            False positive: We are not parsing untrusted user input
         ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-        <cve>CVE-2022-42003</cve>
+        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
+        <cve>CVE-2022-1471</cve>
     </suppress>
 </suppressions>
