Add false positive for CVE-2022-25878 in protobufjs 6.11.3

OSSIndex/vulns#305
martin-traverse · Jul 1, 2022 · 979df5f · 979df5f
1 parent fb4df97
commit 979df5f
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/dev/compliance/owasp-false-positives.xml b/dev/compliance/owasp-false-positives.xml
@@ -17,6 +17,9 @@
 
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 
+
+    <!-- Java platform false positives -->
+
     <!-- flyway-mysql driver is detected as part of MySQL -->
     <suppress>
         <packageUrl regex="true">^pkg:maven/org\.flywaydb/flyway\-mysql@.*$</packageUrl>
@@ -43,4 +46,15 @@
         <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
     </suppress>
 
+
+    <!-- Web API false positives -->
+
+    <!-- Vulnerability is fixed in 11.6.3, but still recorded as a vulnerability in Sonatype -->
+    <!-- https://github.com/OSSIndex/vulns/issues/305 -->
+
+    <suppress>
+        <packageUrl regex="true">^pkg:npm/protobufjs@6\.11\.3$</packageUrl>
+        <vulnerabilityName>CVE-2022-25878</vulnerabilityName>
+    </suppress>
+
 </suppressions>
diff --git a/tracdap-api/packages/web/package.json b/tracdap-api/packages/web/package.json
@@ -34,7 +34,7 @@
     "tracVersion:windows": "for /f %v in ('powershell -ExecutionPolicy Bypass -File ..\\..\\..\\dev\\version.ps1') do npm version \"%v\"",
     "tracVersion:posix": "npm version `../../../dev/version.sh`",
     "buildApi": "node api_builder.js",
-    "compliance-owasp": "owasp-dependency-check --project \"tracdap-web-api\" --failOnCVSS 4 --data ../../../build/compliance-cache/nvd_web_api --out ../../../build/compliance/web-api-owasp/",
+    "compliance-owasp": "owasp-dependency-check --project \"tracdap-web-api\" --suppression ../../../dev/compliance/owasp-false-positives.xml --failOnCVSS 4 --data ../../../build/compliance-cache/nvd_web_api --out ../../../build/compliance/web-api-owasp/",
     "compliance-licenses": "license-checker-rseidelsohn --onlyAllow \"MIT; Apache-2.0; BSD; BSD-3-Clause; ISC; BSD-2-Clause; Unlicense\" --excludePackages \"spdx-exceptions;spdx-license-ids\" --json --out ../../../build/compliance/web-api-licenses/license-report.json",
     "compliance-audit": "npm audit > ../../../build/compliance/web-api-npm-audit/npm-audit.txt"
   }