Fix OWASP suppression file
Closed this issue · 0 comments
ioggstream commented
I expect
From the suppression file:
- remove unused libraries https://github.com/teamdigitale/dati-semantic-lodview/blob/master/config/dependency-check/dependency-check-known-issues.xml
- add cpe:2.3:a:springsource:spring_framework:5.3.23
Example
<suppress>
<notes><![CDATA[
file name: spring_framework-5.3.23.jar
]]></notes>
<cve>CVE-2016-1000027</cve>
</suppress>
Note
The vulnerability is related to an unused class spring-projects/spring-framework#24434 (comment)
There is no direct usage of org.springframework.remoting.httpinvoker.*, so similarly to https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027 we can suppress this CVE.
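A scoped version of the suppression sketched above, added here as an illustration; it is not part of the original issue or of the dati-semantic-lodview repository. A `<suppress>` entry that carries only a `<cve>` element and no `filePath`, `sha1` or `packageUrl` matcher hides CVE-2016-1000027 for every dependency in the scan, not just the Spring jar, so the example pins the suppression to the artifact that actually ships `org.springframework.remoting.httpinvoker.*` (assumed here to be the Maven coordinate `org.springframework:spring-web`) and gives it an expiry date so the decision is revisited. The `until` date and the packageUrl regex are assumptions for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a dependency-check suppression file; not the project's own config. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Weak form (commented out): no matcher element, so this entry suppresses
       CVE-2016-1000027 for every dependency dependency-check finds, including a
       library that really is affected and reachable.
  <suppress>
    <notes><![CDATA[ file name: spring_framework-5.3.23.jar ]]></notes>
    <cve>CVE-2016-1000027</cve>
  </suppress>
  -->

  <!-- Scoped form: limited to the spring-web artifact (assumed coordinate),
       documented with the reason the finding is a false positive, and time-boxed. -->
  <suppress until="2024-06-30Z">
    <notes><![CDATA[
      CVE-2016-1000027: Java deserialization in org.springframework.remoting.httpinvoker.*
      (HttpInvokerServiceExporter). The application exposes no HTTP Invoker endpoint,
      so the vulnerable code path is unreachable. See spring-projects/spring-framework#24434.
      Re-evaluate at the "until" date or when Spring is upgraded.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
    <cve>CVE-2016-1000027</cve>
  </suppress>

</suppressions>
```

Point the scanner at the file with `--suppression <path>` (CLI) or the corresponding `suppressionFile` setting of the Maven/Gradle plugin; once the unused libraries are dropped from the build, their old entries in the same file can be deleted rather than left to match nothing.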