chore(sec): add false positive suppression for stax2-api

The origin of CVE-2022-40152 is chaotic at best. It first popped up in x-stream/xstream#304. There was a problem with Woodstox, which was resolved for version 6.4.0 in FasterXML/woodstox#160. Now the CVE is reported on the *API* package, not the implementation. We're safe here and can suppress the CPE as false positive.
gdcc · Feb 9, 2023 · 5c79194 · 5c79194
1 parent 06f85e9
commit 5c79194
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/.github/workflows/maven-security.yml b/.github/workflows/maven-security.yml
@@ -26,7 +26,7 @@ jobs:
                   key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
                   restore-keys: ${{ runner.os }}-m2
             - name: Scan with OWASP
-              run: mvn -B -Powasp compile dependency-check:check -pl '!report'
+              run: mvn -B -Powasp compile dependency-check:check -pl '!report,!xoai-data-provider-tck'
             - name: Upload scan results as SARIF report to GitHub Security Tab
               uses: github/codeql-action/upload-sarif@v2
               if: always() # do not skip this step if OWASP fails the mvn build

diff --git a/owaspSuppression.xml b/owaspSuppression.xml
@@ -1,3 +1,14 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+
+    <suppress base="true">
+        <notes>
+            <![CDATA[
+            False positive, as stax2-api is not the implementation and woodstox has been fixed with v6.4.0
+            ]]>
+        </notes>
+        <packageUrl>pkg:maven/org.codehaus.woodstox/stax2-api@4.2.1</packageUrl>
+        <cve>CVE-2022-40152</cve>
+    </suppress>
+
 </suppressions>