chore(fp): clean up GRPC suppressions moved to hosted/generated suppressions

chadlwilson · chadlwilson · commit 1d6aca1cc103 · 2026-05-14T17:01:32.000+08:00
Signed-off-by: Chad Wilson &lt;29788154+chadlwilson@users.noreply.github.com&gt;
diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml
@@ -95,13 +95,6 @@
         <packageUrl regex="true">^pkg:maven/org\.zalando/spring\-boot\-etcd@.*$</packageUrl>
         <cpe>cpe:/a:etcd:etcd</cpe>
     </suppress>
-    <suppress base="true">
-        <notes><![CDATA[
-	    FP per #3678
-	    ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.salesforce\.servicelibs/reactive\-grpc.*$</packageUrl>
-        <cpe>cpe:/a:grpc:grpc</cpe>
-    </suppress>
     <suppress base="true">
         <notes><![CDATA[
 	    FP per #3685
@@ -236,14 +229,6 @@
         <packageUrl regex="true">^pkg:maven/io\.helidon\.microprofile\.server/helidon\-microprofile\-server@.*$</packageUrl>
         <cpe>cpe:/a:oracle:http_server</cpe>
     </suppress>
-    <suppress base="true">
-        <notes><![CDATA[
-        FP per #3015 & #3016
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/co\.elastic\.apm/apm\-.*$</packageUrl>
-        <cpe>cpe:/a:grpc:grpc</cpe>
-        <cpe>cpe:/a:apache:httpclient</cpe>
-    </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #3005
@@ -272,47 +257,6 @@
         <packageUrl regex="true">^pkg:maven/.*vertx-pg-client@.*$</packageUrl>
         <cpe>cpe:/a:postgresql:postgresql</cpe>
     </suppress>
-    <suppress base="true">
-        <notes><![CDATA[
-        FP per #3002 CPE is for GRPC core
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/io\.opencensus/opencensus\-contrib\-grpc\-metrics@.*$</packageUrl>
-        <cpe>cpe:/a:grpc:grpc</cpe>
-    </suppress>
-    <suppress base="true">
-        <notes><![CDATA[
-        FP per #3002 and #5890 - CVE are for GRPC C/ruby/python etc. Suppressing individual CVEs because ODC cannot understand the target SW
-        field. NVD search to review in future (not that some are marked incorrectly as affecting all languages)
-        --> https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=1&sortDirection=1&cpeFilterMode=applicability&cpeName=cpe:2.3:a:grpc:grpc:*:*:*:*:*:*:*:*&resultType=records
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*$</packageUrl>
-        <cve>CVE-2017-7860</cve>
-        <cve>CVE-2017-7861</cve>
-        <cve>CVE-2017-8359</cve>
-        <cve>CVE-2017-9431</cve>
-        <cve>CVE-2020-7768</cve>
-        <cve>CVE-2023-1428</cve>
-        <cve>CVE-2023-32731</cve>
-        <cve>CVE-2023-32732</cve>
-        <cve>CVE-2023-33953</cve>
-        <cve>CVE-2023-4785</cve>
-        <cve>CVE-2024-11407</cve>
-        <cve>CVE-2024-7246</cve>
-    </suppress>
-    <suppress base="true">
-        <notes><![CDATA[
-        FP per #3002, CPE is for GRPC core
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-common\-protos@.*$</packageUrl>
-        <cpe>cpe:/a:grpc:grpc</cpe>
-    </suppress>
-    <suppress base="true">
-        <notes><![CDATA[
-        FP per #3002, CPE is for GRPC core
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.lightstep\.tracer/.*$</packageUrl>
-        <cpe>cpe:/a:grpc:grpc</cpe>
-    </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #3001
@@ -2908,20 +2852,6 @@
         <gav regex="true">^com\.typesafe\.akka:akka-persistence-cassandra:.*$</gav>
         <cpe>cpe:/a:akka:akka</cpe>
     </suppress>
-    <suppress base="true">
-        <notes><![CDATA[
-        Fp per #2995
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/io\.opencensus/opencensus\-contrib\-grpc\-util@.*$</packageUrl>
-        <cpe>cpe:/a:grpc:grpc</cpe>
-    </suppress>
-    <suppress base="true">
-        <notes><![CDATA[
-        False positive per issue #1259 and #2991
-        ]]></notes>
-        <gav regex="true">^com\.google\.api\.grpc:proto-.*$</gav>
-        <cpe>cpe:/a:grpc:grpc</cpe>
-    </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #942
@@ -5012,14 +4942,6 @@
         <packageUrl regex="true">^pkg:maven/com\.google\.flatbuffers/flatbuffers-java@.*$</packageUrl>
         <cpe regex="true">cpe:/a:flat(_project)?:flat.*</cpe>
     </suppress>
-    <suppress base="true">
-        <notes><![CDATA[
-        FP per issues #5321, #5322, #5323, #5324
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/me\.dinowernli/java\-grpc\-prometheus@.*$</packageUrl>
-        <cpe>cpe:/a:grpc:grpc</cpe>
-        <cpe>cpe:/a:prometheus:prometheus</cpe>
-    </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5370
