Merge pull request #268 from bingenito/cve-allow-list-updates

bingenito · web-flow · commit 866b5a965227 · 2026-03-27T09:54:12.000-04:00
fix: update CVE suppression allow-list for JsonPointer.Net false positive
diff --git a/.cve/allow-list.xml b/.cve/allow-list.xml
@@ -2,32 +2,17 @@
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 <suppress>
    <notes><![CDATA[
-   file name: Finos.Fdc3.NewtonsoftJson.Tests.csproj
-   ]]></notes>
-   <cve>CVE-2022-25921</cve>
-</suppress>
-<suppress>
-   <notes><![CDATA[
-   file name: Finos.Fdc3.NewtonsoftJson.csproj
-   ]]></notes>
-   <cve>CVE-2022-25921</cve>
-</suppress>
-<suppress>
-   <notes><![CDATA[
-   file name: Finos.Fdc3.NewtonsoftJson.Tests.csproj
+   False positive: Newtonsoft.Json is incorrectly matched to the npm json package CPE.
    ]]></notes>
    <cpe>cpe:/a:json_project:json</cpe>
 </suppress>
 <suppress>
    <notes><![CDATA[
-   file name: Finos.Fdc3.NewtonsoftJson.Tests.csproj
-   ]]></notes>
-   <cpe>cpe:/a:morgan-json_project:morgan-json</cpe>
-</suppress>
-<suppress>
-   <notes><![CDATA[
-   file name: Finos.Fdc3.NewtonsoftJson.Tests.csproj
+   False positive: CVE-2022-4742 is a prototype pollution vulnerability in the npm
+   json-pointer package (manuelstofer/json-pointer). JsonPointer.Net is an unrelated
+   .NET library (gregsdennis/json-everything) incorrectly matched by CPE analysis.
    ]]></notes>
-   <cpe>cpe:/a:morgan_project:morgan</cpe>
+   <filePath regex="true">.*\bJsonPointer\.Net\.dll</filePath>
+   <cve>CVE-2022-4742</cve>
 </suppress>
 </suppressions>
