Ignore CVE false-positive for spring-web 6.1.14 (#928)

labkey-tchad · labkey-susanh · commit 41d4c88d4ec0 · 2024-12-26T12:39:01.000-08:00
Only 5.3.0 - 5.3.41 are affected: https://spring.io/security/cve-2024-38828
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
@@ -369,6 +369,15 @@
     </suppress>
     <!-- end of glassfish false positive suppressions -->
 
+    <!-- False positive. Only 5.3.0 - 5.3.41 are affected:
+     https://spring.io/security/cve-2024-38828 -->
+    <suppress>
+        <notes><![CDATA[
+   file name: spring-web-6.1.14.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-38828</vulnerabilityName>
+    </suppress>
     <!-- We don't use the sun.io.useCanonCaches setting referenced by this CVE.  -->
     <suppress>
         <notes><![CDATA[
