chore: re-order suppressions CVE-chronologically

chadlwilson · chadlwilson · commit 97f5e3f1cd9b · 2026-05-08T16:28:49.000+08:00
diff --git a/build-platform/dependency-check-suppress.xml b/build-platform/dependency-check-suppress.xml
@@ -80,35 +80,35 @@
   </suppress>
   <suppress>
     <notes><![CDATA[
-    According to https://spring.io/security/cve-2026-22740 this only affects webflux applications, which GoCD is not.
+    GoCD does not use server sent events as required to be affected by https://spring.io/security/cve-2026-22735
     ]]></notes>
     <packageUrl regex="true">^pkg:maven/org\.springframework/spring-.*@4\.3.*$</packageUrl>
-    <cve>CVE-2026-22740</cve>
+    <cve>CVE-2026-22735</cve>
   </suppress>
   <suppress>
     <notes><![CDATA[
-    According to https://spring.io/security/cve-2026-22741 and https://spring.io/security/cve-2026-22745 these issues
-    only affects serving of static resources via spring-web/webflux. GoCD does not server static assets from the
-    filesystem via Spring Web resource handler mechanisms (it uses Jetty for static assets alongside custom handlers for
-    artifact downloading.
+    GoCD does not use scripting enabled template views as required to be affected by https://spring.io/security/cve-2026-22737
     ]]></notes>
     <packageUrl regex="true">^pkg:maven/org\.springframework/spring-.*@4\.3.*$</packageUrl>
-    <cve>CVE-2026-22741</cve>
-    <cve>CVE-2026-22745</cve>
+    <cve>CVE-2026-22737</cve>
   </suppress>
   <suppress>
     <notes><![CDATA[
-    GoCD does not use server sent events as required to be affected by https://spring.io/security/cve-2026-22735
+    According to https://spring.io/security/cve-2026-22740 this only affects webflux applications, which GoCD is not.
     ]]></notes>
     <packageUrl regex="true">^pkg:maven/org\.springframework/spring-.*@4\.3.*$</packageUrl>
-    <cve>CVE-2026-22735</cve>
+    <cve>CVE-2026-22740</cve>
   </suppress>
   <suppress>
     <notes><![CDATA[
-    GoCD does not use scripting enabled template views as required to be affected by https://spring.io/security/cve-2026-22737
+    According to https://spring.io/security/cve-2026-22741 and https://spring.io/security/cve-2026-22745 these issues
+    only affects serving of static resources via spring-web/webflux. GoCD does not server static assets from the
+    filesystem via Spring Web resource handler mechanisms (it uses Jetty for static assets alongside custom handlers for
+    artifact downloading.
     ]]></notes>
     <packageUrl regex="true">^pkg:maven/org\.springframework/spring-.*@4\.3.*$</packageUrl>
-    <cve>CVE-2026-22737</cve>
+    <cve>CVE-2026-22741</cve>
+    <cve>CVE-2026-22745</cve>
   </suppress>
   
   <suppress>
