.nvd-suppressions.xml

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
   <notes><![CDATA[
   file name: jackson-databind-2.15.2.jar

   This is only triggered if you feed jackson circular input. See
   https://github.com/FasterXML/jackson-databind/issues/3972.
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
   <cve>CVE-2023-35116</cve>
  </suppress>

  <suppress>
   <notes><![CDATA[
   file name: snakeyaml-1.33.jar

   This only impacts deserialization, and we only serialize yaml. We would have
   to upgrade to SnakeYAML 2.0 to address this, and we use SnakeYAML via
   ring-middleware-format, which does not support v2.0.

   See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in
   for a discussion of the CVE.

   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
   <cve>CVE-2022-1471</cve>
  </suppress>

  <suppress>
     <notes><![CDATA[
     This CVE only impacts programs using Clojure < 1.9.0, and gets reported for any jar
     that has a lower Clojure in its pom, even if the project being checked is using a
     newer Clojure (as we are).
     ]]></notes>
     <cve>CVE-2017-20189</cve>
  </suppress>

  <suppress>
     <notes><![CDATA[
     This CVE only impacts usage of Jetty's HttpURI directly, and we don't use it. We can't
     upgrade to get rid of this CVE as it requires upgrading to Jetty 12, which ring does not
     yet support (we are are 11 currently).
     ]]></notes>
     <cve>CVE-2024-6763</cve>
  </suppress>

  <suppress>
    <notes><![CDATA[
    This CVE only impacts us if we decompress user-supplied data and use a shared
    decompression buffer, and we do neither. We only use aircompressor via nippy.
    ]]></notes>
    <cve>CVE-2025-67721</cve>
  </suppress>

</suppressions>