Add suppression for CVE-2026-42582 in global suppressions (#95)

aaron-steinfeld · web-flow · commit ebc0d0b7b1b9 · 2026-05-19T10:49:02.000-04:00
Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

AI-Session-Id: 12fb583a-084c-4e08-9ec8-2ea46a2e79eb
AI-Tool: claude-code
AI-Model: unknown
diff --git a/dependency-check/global-suppressions.xml b/dependency-check/global-suppressions.xml
@@ -186,4 +186,13 @@
     <packageUrl regex="true">^pkg:maven/io\.prometheus/simpleclient.*@.*$</packageUrl>
     <cve>CVE-2026-42154</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+   CVE-2026-42582 affects netty-codec-http3 which only exists in the Netty 4.2.x line.
+   The 4.1.x line does not include HTTP/3 support. False positive due to shared CPE.
+   Advisory: https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/(?!netty\-codec\-http3).*@.*$</packageUrl>
+    <cve>CVE-2026-42582</cve>
+  </suppress>
 </suppressions>
