chore: suppress jackson-databind (#133)

natedanner · web-flow · commit e7a56236c5bf · 2022-10-17T09:08:33.000-07:00
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -42,6 +42,7 @@ configure<nebula.plugin.release.git.base.ReleasePluginExtension> {
 
 dependencyCheck {
     analyzers.assemblyEnabled = false
+    suppressionFile = "suppressions.xml"
     failBuildOnCVSS = 9.0F
 }
 
diff --git a/suppressions.xml b/suppressions.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress until="2022-11-17Z">
+        <notes><![CDATA[
+                file name: jackson-databind-2.13.4.jar
+                sev:HIGH
+                In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
+            ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@2.13.4.*$</packageUrl>
+        <cve>CVE-2022-42003</cve>
+    </suppress>
+</suppressions>

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@ configure<nebula.plugin.release.git.base.ReleasePluginExtension> {`
`42`	`42`
`43`	`43`	`dependencyCheck {`
`44`	`44`	`analyzers.assemblyEnabled = false`
	`45`	`+ suppressionFile = "suppressions.xml"`
`45`	`46`	`failBuildOnCVSS = 9.0F`
`46`	`47`	`}`
`47`	`48`