Merge pull request #133 from yetanalytics/clojure-nvd-suppression

CVE-2017-20189 is false positive for most libs with clojure name
yetanalytics · Jan 31, 2024 · 9fe286b · 9fe286b
2 parents c0b776c + d12b21f
commit 9fe286b
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/.nvd/suppression.xml b/.nvd/suppression.xml
@@ -1,4 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-  <!-- No suppressions needed at the moment -->
+    <suppress>
+        <notes><![CDATA[
+            all packages except for org.clojure/clojure
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven\/(?!org\.clojure\/clojure).*$</packageUrl>
+        <cpe>cpe:/a:clojure:clojure</cpe>
+        <cve>CVE-2017-20189</cve>
+    </suppress>
 </suppressions>
+