JCL-392: excluded jackson-databind (#543)

timea-solid · web-flow · commit ce1876129fea · 2023-06-20T17:22:39.000+02:00
* supression of CVE-2023-35116
diff --git a/build-tools/owasp/suppressions.xml b/build-tools/owasp/suppressions.xml
@@ -21,6 +21,14 @@
     <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
     <cve>CVE-2022-42004</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+        CWE-121 Stack-based Buffer Overflow,
+        ** DISPUTED ** NOTE: the vendor's perspective is that the product is not intended for use with untrusted input.
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+    <cve>CVE-2023-35116</cve>
+  </suppress>
   <suppress>
     <notes><![CDATA[
         Payara is not a dependency of ESS
diff --git a/test/pom.xml b/test/pom.xml
@@ -47,10 +47,10 @@
             <groupId>commons-fileupload</groupId>
             <artifactId>commons-fileupload</artifactId>
         </exclusion>
-      </exclusions>
-    </dependency>
     <!-- transitive dependency via wiremock -->
     <!-- when wiremock is updated beyond 2.35, this can be removed -->
+      </exclusions>
+    </dependency>
     <dependency>
       <groupId>net.minidev</groupId>
       <artifactId>json-smart</artifactId>
