Suppress CVE-2020-9488 and reference Security Advisory ESAPI#4

kwwall · kwwall · commit b8adf7fd37b2 · 2021-03-21T13:11:43.000-04:00
diff --git a/suppressions.xml b/suppressions.xml
@@ -12,11 +12,29 @@
             For further details, please see:
                 https://nvd.nist.gov/vuln/detail/CVE-2019-17571,
                 ESAPI GitHub Issue #538 (https://github.com/ESAPI/esapi-java-legacy/issues/538),
-                and the ESAPI security bulletin, "documentation/ESAPI-security-bulletin2.pdf", which
+                and the ESAPI security advisory #2, "documentation/ESAPI-security-bulletin2.pdf", which
                 provides a detailed analysis of this issue in ESAPI.
         ]]></notes>
         <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
         <cpe>cpe:/a:apache:log4j</cpe>
         <cve>CVE-2019-17571</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+            This suppresses CVE-2020-9488 for the log4j-1.2.17.jar dependency. ESAPI does
+            not use it in a manner that makes it exploitable and ESAPI is unable to
+            eliminate the dependency completely because our our deprecation policy. That specific
+            CVE is the Java deserialization CVE reported in Log4J 1's SocketServer class which ESAPI
+            doesn't use.
+
+            For further details, please see:
+                https://nvd.nist.gov/vuln/detail/CVE-2020-9488,
+                ESAPI GitHub Issue #534 (https://github.com/ESAPI/esapi-java-legacy/issues/534),
+                and the ESAPI security advisory #4, "documentation/ESAPI-security-bulletin4.pdf", which
+                provides a detailed analysis of this issue in ESAPI.
+        ]]></notes>
+        <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
+        <cpe>cpe:/a:apache:log4j</cpe>
+        <cve>CVE-2020-9488</cve>
+    </suppress>
 </suppressions>
