symphony-bdk-java/allow-list.xml at main · finos/symphony-bdk-java · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
          Example project: bdk-multi-instances-example: hazelcast: no fix available
          ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
        <cve>CVE-2022-45688</cve>
        <cve>CVE-2023-5072</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
          From SpringBoot bom dependency
          ]]></notes>
        <gav>com.jayway.jsonpath:json-path:2.8.0</gav>
        <cve>CVE-2023-51074</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
          False positive: CVE-2020-29582 was fixed in Kotlin 1.4.21. The NVD CPE entry matches
          all kotlin 1.x versions; we're on 1.9.25 (transitive from Spring Boot) which is not affected.
          ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin-stdlib(-jdk7|-jdk8|-common)?@.*$</packageUrl>
        <cve>CVE-2020-29582</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
          Netty 4.1.135.Final is the last release in the 4.1.x line; no patch exists for CVE-2026-42582.
          Spring Boot 3.5.15 (the latest 3.5.x) pins Netty 4.1.135.Final. Suppressing pending either a
          Netty 4.1.136+ fix or a Spring Boot upgrade to a version that ships a patched Netty.
          ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*@.*$</packageUrl>
        <cve>CVE-2026-42582</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
          handlebars.java 4.5.0 still bundles handlebars-v4.7.7.js as a resource. We use the
          Java-native handlebars engine (symphony-bdk-template-handlebars), not the JS engine,
          so the bundled JS file is not executed and these JS-side CVEs are not reachable.
          ]]></notes>
        <packageUrl regex="true">^pkg:javascript/handlebars@.*$</packageUrl>
        <cve>CVE-2026-33916</cve>
        <cve>CVE-2026-33937</cve>
        <cve>CVE-2026-33938</cve>
        <cve>CVE-2026-33939</cve>
        <cve>CVE-2026-33940</cve>
        <cve>CVE-2026-33941</cve>
        <vulnerabilityName>GHSA-7rx3-28cr-v5wh</vulnerabilityName>
        <vulnerabilityName>GHSA-442j-39wm-28r2</vulnerabilityName>
    </suppress>
</suppressions>