From b4a97803ff775edda85071729eb856785126f810 Mon Sep 17 00:00:00 2001
From: Snyk bot <snyk-bot@snyk.io>
Date: Thu, 24 Jun 2021 10:58:47 +0300
Subject: [PATCH] [Snyk] Security upgrade org.cryptomator:webdav-nio-adapter
 from 1.2.2 to 1.2.3 (#1698)

* fix: pom.xml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-1313686

* adjusted suppression config

* bump webdav version

Co-authored-by: Sebastian Stenzel <sebastian.stenzel@gmail.com>
---
 pom.xml         |  2 +-
 suppression.xml | 41 ++++++++---------------------------------
 2 files changed, 9 insertions(+), 34 deletions(-)

diff --git a/pom.xml b/pom.xml
index 61bae548b..b0dde763a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -31,7 +31,7 @@
 		<cryptomator.integrations.linux.version>1.0.0-beta1</cryptomator.integrations.linux.version>
 		<cryptomator.fuse.version>1.3.1</cryptomator.fuse.version>
 		<cryptomator.dokany.version>1.3.1</cryptomator.dokany.version>
-		<cryptomator.webdav.version>1.2.2</cryptomator.webdav.version>
+		<cryptomator.webdav.version>1.2.4</cryptomator.webdav.version>
 
 		<!-- 3rd party dependencies -->
 		<javafx.version>16</javafx.version>
diff --git a/suppression.xml b/suppression.xml
index a5fa9d766..c747f92a7 100644
--- a/suppression.xml
+++ b/suppression.xml
@@ -14,40 +14,15 @@
 
 	<!-- Jetty false positives below -->
 	<suppress>
-		<notes><![CDATA[ Affects jetty < 6.1.22 ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2009-5045</cve>
-	</suppress>
-	<suppress>
-		<notes><![CDATA[ Affects jetty < 6.1.22 ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2009-5046</cve>
-	</suppress>
+		<notes><![CDATA[
+		Suppress all for this javax.servlet api package:
+		There are lots of false positives, simply because its version number is way beyond the remaining
+		org.eclipse.jetty jar files. Note, that our actual Jetty version is different.
 
-	<suppress>
-		<notes><![CDATA[ Affects jetty-server 9.x ]]></notes>
+		As long as we don't suppress anything in org.eclipse.jetty:jetty-server or :jetty-servlet,
+		vulnerabilities will still trigger if we actually use an outdated Jetty version.
+		]]></notes>
 		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2017-9735</cve>
-	</suppress>
-	<suppress>
-		<notes><![CDATA[ Affects jetty-server 9.x ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2017-7656</cve>
-	</suppress>
-	<suppress>
-		<notes><![CDATA[ Affects jetty-server 9.x ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2017-7657</cve>
-	</suppress>
-	<suppress>
-		<notes><![CDATA[ Affects jetty-server 9.x ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2017-7658</cve>
-	</suppress>
-
-	<suppress>
-		<notes><![CDATA[ Fixed since jetty-server 10.0.0.beta2 ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2020-27216</cve>
+		<cpe regex="true">.*</cpe>
 	</suppress>
 </suppressions>
\ No newline at end of file