Ignore CVE false-positive for spring-web 6.1.14 (#928)

labkey-tchad · web-flow · commit aec0270994a8 · 2024-11-18T16:40:39.000-08:00
Only 5.3.0 - 5.3.41 are affected: https://spring.io/security/cve-2024-38828
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
@@ -369,5 +369,14 @@
     </suppress>
     <!-- end of glassfish false positive suppressions -->
 
+    <!-- False positive. Only 5.3.0 - 5.3.41 are affected:
+     https://spring.io/security/cve-2024-38828 -->
+    <suppress>
+        <notes><![CDATA[
+   file name: spring-web-6.1.14.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-38828</vulnerabilityName>
+    </suppress>
 </suppressions>
 
