Commit ec3ccb4
committed
chore: suppress false positives for CVE-2026-22740 and CVE-2026-22741 after review
1 parent 795f1bb commit ec3ccb4

1 file changed

Lines changed: 12 additions & 3 deletions

build-platform/dependency-check-suppress.xml

Original file line number | Diff line number | Diff line change
@@ -80,11 +80,20 @@
8080
</suppress>
8181
<suppress>
8282
<notes><![CDATA[
83-
According to https://spring.io/security/cve-2026-22745 this issue only affects serving of static resources via spring-web/webflux
84-
on Windows platforms. GoCD does not server static assets from the filesystem via Spring Web resource handler mechanisms (it uses
85-
Jetty for static assets alongside custom handlers for artifact downloading.
83+
According to https://spring.io/security/cve-2026-22740 this only affects webflux applications, which GoCD is not.
8684
]]></notes>
8785
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-.*@4\.3.*$</packageUrl>
86+
<cve>CVE-2026-22740</cve>
87+
</suppress>
88+
<suppress>
89+
<notes><![CDATA[
90+
According to https://spring.io/security/cve-2026-22741 and https://spring.io/security/cve-2026-22745 these issues
91+
only affects serving of static resources via spring-web/webflux. GoCD does not server static assets from the
92+
filesystem via Spring Web resource handler mechanisms (it uses Jetty for static assets alongside custom handlers for
93+
artifact downloading.
94+
]]></notes>
95+
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-.*@4\.3.*$</packageUrl>
96+
<cve>CVE-2026-22741</cve>
8897
<cve>CVE-2026-22745</cve>
8998
</suppress>
9099
<suppress>
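Review bot: the merged note for CVE-2026-22741 and CVE-2026-22745 (diff lines 90-93) drops the "on Windows platforms" qualifier that the replaced note (old lines 83-85) carried for CVE-2026-22745, so the stated rationale for 22745 is now weaker than before; state the condition per CVE (whether each is limited to Windows, to static-resource serving, or both) so that each suppression can be re-verified against its own advisory. Both new notes also inherit the wording defects of the old one: "GoCD does not server static assets" should read "does not serve", "these issues only affects" should read "only affect", and the parenthetical "(it uses Jetty for static assets alongside custom handlers for artifact downloading." is never closed. Since both <suppress> blocks rest on an architectural property of GoCD rather than on a fixed version, consider adding dependency-check's until="..." attribute so the suppressions are forced back into review, and in the CVE-2026-22740 block name the spring-* 4.3 artifact that actually triggered the finding, because the packageUrl wildcard ^pkg:maven/org\.springframework/spring-.*@4\.3.*$ matches every spring-* 4.3 artifact while the note only argues that GoCD is not a webflux application.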
