DependencyCheck/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
    <suppress base="true">
        <notes><![CDATA[
        This suppresses false positives identified on spring security.
        ]]></notes>
        <gav regex="true">org\.springframework\.security:spring.*</gav>
        <cpe>cpe:/a:mod_security:mod_security</cpe>
        <cpe>cpe:/a:springsource:spring_framework</cpe>
        <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        This suppresses false positives identified on spring security.
        ]]></notes>
        <filePath regex="true">.*spring-security-[^\\/]*\.jar$</filePath>
        <cpe>cpe:/a:mod_security:mod_security</cpe>
        <cpe>cpe:/a:springsource:spring_framework</cpe>
        <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
        <cpe>cpe:/a:pivotal:spring_framework</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        This suppreses additional false positives for the xstream library that occur because spring has a copy of this library.
            com.springsource.com.thoughtworks.xstream-1.3.1.jar
        ]]></notes>
        <gav regex="true">com\.thoughtworks\.xstream:xstream:.*</gav>
        <cpe>cpe:/a:springsource:spring_framework</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Suppresses false positives on velocity tools.
        ]]></notes>
        <gav regex="true">org\.apache\.velocity:velocity-tools:.*</gav>
        <cpe>cpe:/a:apache:struts</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Sandbox is a php blog platform and should not be flagged as a CPE for java or .net dependencies.
        ]]></notes>
        <filePath regex="true">.*\.(jar|dll|exe|ear|war|pom)</filePath>
        <cpe>cpe:/a:sandbox:sandbox</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Suppress false positives around dash.
        ]]></notes>
        <filePath regex="true">.*\.(jar|ear|war|pom)</filePath>
        <cpe>cpe:/a:dash:dash</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Suppresses false positives on Jersey core client.
        ]]></notes>
        <gav regex="true">(com\.sun\.jersey|org\.glassfish\.jersey\.core):jersey-(client|common):.*</gav>
        <cpe>cpe:/a:oracle:glassfish</cpe>
        <cpe>cpe:/a:oracle:oracle_client</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Suppresses false positives on glassfish
        ]]></notes>
        <gav regex="true">org\.glassfish:.*(json|faces).*</gav>
        <cpe>cpe:/a:oracle:glassfish</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Suppresses false positives on the grizzly-framework
        ]]></notes>
        <gav regex="true">org\.glassfish\.grizzly:grizzly-framework:.*</gav>
        <cpe>cpe:/a:oracle:glassfish</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Suppresses false positives on the grizzly-framework
        ]]></notes>
        <gav regex="true">org\.forgerock\.opendj:opendj-ldap-sdk:.*</gav>
        <cpe>cpe:/a:ldap_project:ldap</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Suppresses false positives on the org.opensaml:xmltooling
        ]]></notes>
        <gav regex="true">org\.opensaml:xmltooling:.*</gav>
        <cpe>cpe:/a:shibboleth:opensaml</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Suppresses false positives on the org.opensaml:openws
        ]]></notes>
        <gav regex="true">org\.opensaml:openws:.*</gav>
        <cpe>cpe:/a:internet2:opensaml</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Suppresses false positives on the org.opensaml:xmltooling
        ]]></notes>
        <gav regex="true">org\.opensaml:xmltooling:.*</gav>
        <cpe>cpe:/a:internet2:opensaml</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Suppresses false positives for python:python.
        ]]></notes>
        <filePath regex="true">.*(\.(whl|egg)|\b(site|dist)-packages\b.*)</filePath>
        <cpe>cpe:/a:python:python</cpe>
        <cpe>cpe:/a:python_software_foundation:python</cpe>
        <cpe>cpe:/a:class:class</cpe>
        <cpe>cpe:/a:file:file</cpe>
        <cpe>cpe:/a:gnupg:gnupg</cpe>
        <cpe>cpe:/a:mongodb:mongodb</cpe>
        <cpe>cpe:/a:mozilla:mozilla</cpe>
        <cpe>cpe:/a:openssl:openssl</cpe>
        <cpe>cpe:/a:sendfile:sendfile</cpe>
        <cpe>cpe:/a:sendmail:sendmail</cpe>
        <cpe>cpe:/a:yacc:yacc</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Suppresses false positives for com.google:.*
        ]]></notes>
        <gav regex="true">com\.google(\.[a-zA-Z0-9_-]+)?:.*:.*</gav>
        <cpe>cpe:/a:google:desktop</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Suppresses false positives for non-android JARs from google.
        ]]></notes>
        <gav regex="true">com\.google\.((?!android).)*:.*</gav>
        <cpe>cpe:/a:google:android</cpe>
        <cpe>cpe:/a:google:android_api</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Suppresses false positives for android JARs in g:com.google.android
        ]]></notes>
        <gav regex="true">com\.google\.android\..*:.*</gav>
        <cpe>cpe:/a:google:android</cpe>
        <cpe>cpe:/a:google:android_api</cpe>
        <cpe>cpe:/a:google:google</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Suppresses incorrect identification for bing ads.
        ]]></notes>
        <gav regex="true">com.microsoft.bingads:microsoft.bingads:.*</gav>
        <cpe>cpe:/a:microsoft:bing</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Oracle Jersey is flagged as glassfish.
        ]]></notes>
        <gav regex="true">.*jersey.*</gav>
        <cpe>cpe:/a:oracle:glassfish_server</cpe>
        <cpe>cpe:/a:oracle:glassfish</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Oracle HK2 is flagged as glassfish.
        ]]></notes>
        <gav regex="true">.*\bhk2\b.*</gav>
        <cpe>cpe:/a:oracle:glassfish</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        file name: petals-se-camel-1.0.0.jar - false positive for apache camel.
        ]]></notes>
        <gav regex="true">org.ow2.petals:petals-se-camel:.*</gav>
        <cpe>cpe:/a:apache:camel</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Mina gets flagged as apache-ssl
        ]]></notes>
        <gav regex="true">org.apache.mina:mina.*</gav>
        <cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Woden gets flagged as apache-ssl
        ]]></notes>
        <gav regex="true">org.apache.woden:woden.*</gav>
        <cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        spec gets flagged as the implementation.
        ]]></notes>
        <gav regex="true">org.apache.geronimo.specs:.*</gav>
        <cpe>cpe:/a:apache:geronimo</cpe>
    </suppress>
</suppressions>